记录用户在网站上输入数据的最简单,最安全的方法是什么
[英]What's the easiest and safest way to record data being inputted by a user on a web site
问题描述
Apologies, this is a tragically simple question that will bore most of you. 
道歉,这是一个悲惨的问题,将会让你们大多数人感到厌烦。
I need to implement the simplest "leave your email and we'll contact you" web page. 我需要实现最简单的“留下您的电子邮件,我们会与您联系”网页。 The simplest thing I could think of is doing an HTML form which calls a PHP script which appends the data in some file on the server. 我能想到的最简单的事情是做一个调用PHP脚本的HTML表单,该脚本将数据附加到服务器上的某个文件中。 Easy to implement, but now I'm wondering if it's totally hackable. 易于实现,但现在我想知道它是否完全可以破解。 Is it? 是吗? Are there obvious better ways that are still simple? 还有明显更好的方法吗?
thanks 谢谢
f F
5 个解决方案
解决方案1
1 2010-06-17 17:53:01
It's all right, but you may find a full database or SQLite a better option. 没关系,但你可能会发现一个完整的数据库或SQLite是一个更好的选择。
Just make sure you put the file in a place that's not accessible to the other users (eg outside the web server root or in a protected directory), otherwise everyone would be able to see the comments. 只需确保将文件放在其他用户无法访问的位置(例如,在Web服务器根目录之外或受保护目录中),否则每个人都可以看到注释。
解决方案2
1 2010-06-17 17:54:26
There are a few things you could do. 你可以做一些事情。 First of all, since you're recording an email address, you could just use PHP's mail() function to send an email to somewhere centralized. 首先,由于您正在录制电子邮件地址,因此您可以使用PHP的mail()函数将电子邮件发送到集中的某个地方。
This sounds like a beta signup page, and a file would be ok if you don't have a database available. 这听起来像是一个beta注册页面,如果你没有可用的数据库,那么文件就可以了。 Just make sure that the file is stored outside of the served folder (above public_html, for example). 只需确保该文件存储在服务文件夹之外(例如,在public_html之上)。
Also make sure that you regex or clean the data so that someone can't use it as a zombie form for spamming. 还要确保您使用正则表达式或清理数据,以便某人不能将其用作垃圾邮件的僵尸表单。 Just cut off the email address input after the first \\r\\n and that will fix it. 只需在第一个\\ r \\ n之后切断电子邮件地址输入即可修复它。
解决方案3
1 2010-06-17 17:56:47
If you do decide to use a database (which I would, if you can: http://www.w3schools.com/PHP/php_mysql_intro.asp ), make sure you sanity check all of your data ( http://php.net/manual/en/function.mysql-real-escape-string.php ) before you insert it into the database. 如果您决定使用数据库(如果可以的话,我会这样做: http : //www.w3schools.com/PHP/php_mysql_intro.asp ),请确保您完整地检查所有数据( http:// php。 net / manual / en / function.mysql-real-escape-string.php )在将其插入数据库之前。
I would use a database as it makes it many times easier to analyse your data or even output in in a nice format on the page. 我会使用数据库,因为它可以更轻松地分析您的数据,甚至可以在页面上以漂亮的格式输出。
解决方案4
1 已采纳 2010-06-17 18:00:59
By hackable, do you mean could someone damage your file? 通过hackable,你的意思是有人会损坏你的文件? Or read it? 还是看了吗? Or...? 要么...? If I wanted to do what you said, I'd do this: 如果我想做你说的话,我会这样做:
<?php
if(isset($_POST['submit_button_name'])){
$email = htmlentities($_POST['email_address_field_name'], ENT_QUOTES);
$handle = fopen("email_list.txt", "a");
fwrite($handle, "\n".$email);
fclose($handle);
}
?>
<form> ... </form>
It would be private in the sense that someone wouldn't know where to find it, and safe because I've used the htmlentities() function to remove any possible XSS. 在某种意义上它会是私有的,因为我已经使用htmlentities()函数去除任何可能的XSS,因此有人不知道在哪里可以找到它。
解决方案5
0 2010-06-17 17:54:16
Whatever solution you choose (file, database, email, etc.), the safety will depend on the way you implement it: 无论您选择哪种解决方案(文件,数据库,电子邮件等),安全性都取决于您实施的方式:
- How are you filtering the input? 你是如何过滤输入的?
- How many submits do you permit per ip address? 每个IP地址允许多少个提交?
- etc. 等等
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.