
Drupal - Protect form data from tampering

// Drupal 6 style form builder; $form_state is passed by reference.
function simple_form(&$form_state) {
  // Rendered into the page as <input type="hidden">, so the browser (and the
  // user) can change it before the POST is sent.
  $form['item'] = array('#type' => 'hidden', '#value' => 'some_value');
  // The form is posted straight to the external site, bypassing Drupal.
  $form['#action'] = 'http://external-website.com/';
  $form['submit'] = array(
    '#type' => 'submit',
  );
  return $form;
}

Simple Drupal form, gets called with drupal_get_form(simple_form).

Unfortunately, it is really easy to change the value of 'item' to something else in the form, and then send that value to the external site.

As far as I tried, there is no way to check the form before it leaves my site.

function simple_form_validate() and submit never get called.

How can I prevent that? Set the action to an internal function and then submit it after validating? How would I go about that?

Unfortunately, setting

$form['item'] = array('#type' => 'value', '#value' => 'some_value');

doesn't work. The external site doesn't receive the value for 'item'.

Any advice?

It is either/or, and that has nothing to do with Drupal, but with the nature of HTTP POST.

Either you use #type => value and Drupal maintains its storage outside of the form, inside of Drupal, through a session, or you post to external, in which case that internal session storage cannot help.

Drupal's security system in the Form API relies on the fact that Drupal "knows" the exact form itself and therefore can avoid incorrect values, by comparing them to the original form. An external site knows nothing about the original form, and therefore knows nothing about how to validate it.

You will need to perform validation on the end of the receiver of the POST (that external site); nothing else will be secure (enough).

That validation could be a local script running on the remote site, which simply validates against whitelists or regular expressions. Alternatively, that remote site could request (e.g. over HTTP-SOAP, or XMLRPC) the form on the original Drupal site, but that is going to be pretty hard to achieve.

A third alternative, and IMHO the simplest, is to let Drupal handle the entire form locally, and if validated, process it in the submit hook. In there, you can either post the values to the remote site in a secure way, or you can simply stick it in the database or some spool system of that remote site. In any case: in the submit hook, after Drupal validated the form, you push it on to the remote site.
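The third alternative, written out as an added example (this is not code from the question or the answer above). It uses Drupal 6 API signatures to match the single-argument form builder in the question; the receiving URL, the `email` field and the field names in the forwarded POST are assumptions for illustration. The point is that `item` is a `#type => 'value'` element, so it never appears in the HTML and cannot be changed in the browser; the form posts back to Drupal, which runs the validate and submit hooks, and only then is the data forwarded server-side.

```php
<?php
// Added example, Drupal 6 style: the form posts to Drupal itself (no #action),
// the sensitive value stays server-side, and the submit hook forwards the data.

function simple_form(&$form_state) {
  // 'value' elements are never rendered; Drupal supplies this value itself
  // when the form is processed, so the browser cannot tamper with it.
  $form['item'] = array(
    '#type' => 'value',
    '#value' => 'some_value',
  );
  // Assumed user-supplied field, so there is something to validate.
  $form['email'] = array(
    '#type' => 'textfield',
    '#title' => t('E-mail'),
    '#required' => TRUE,
  );
  $form['submit'] = array(
    '#type' => 'submit',
    '#value' => t('Send'),
  );
  return $form;
}

// Runs only because the form is posted back to Drupal, not to the external site.
function simple_form_validate($form, &$form_state) {
  if (!valid_email_address($form_state['values']['email'])) {
    form_set_error('email', t('Please enter a valid e-mail address.'));
  }
}

// Reached only after validation succeeded; forward the data from the server.
function simple_form_submit($form, &$form_state) {
  // Hypothetical receiver; replace with the real endpoint.
  $url = 'https://external-website.com/receive';

  $data = http_build_query(array(
    'item'  => $form_state['values']['item'],
    'email' => $form_state['values']['email'],
  ), '', '&');

  $headers = array('Content-Type' => 'application/x-www-form-urlencoded');
  $result = drupal_http_request($url, $headers, 'POST', $data);

  // drupal_http_request() sets ->error on connection failures and on
  // non-OK HTTP status codes.
  if (isset($result->error) || $result->code != 200) {
    watchdog('simple_form', 'Remote post failed: @code @error', array(
      '@code'  => $result->code,
      '@error' => isset($result->error) ? $result->error : '',
    ), WATCHDOG_ERROR);
    drupal_set_message(t('Your submission could not be forwarded. Please try again later.'), 'error');
    return;
  }

  drupal_set_message(t('Thanks, your submission has been forwarded.'));
}
```

The external site still has to validate what it receives, as the answer says; this only guarantees that the request reaching it was built by your server from a form Drupal validated, rather than by whoever edited the hidden field in their browser.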
