我们应该将数据验证放在网站的什么位置?
[英]Where should we put data validation in a website?
问题描述
I have looked through many threads and/or questions on the internet looking for a clear answer but so far havn't gotten any. 
我浏览了互联网上的许多帖子和/或问题,寻找明确的答案,但到目前为止还没有得到任何答案。
A part of the question was already answered (unless you tell me it is wrong). 问题的一部分已经得到回答(除非您告诉我这是错误的)。 Data validation should be done client side AND server side. 数据验证应在客户端和服务器端进行。 Client side to notify the user of data who is invalid and to offload the server and as well on the server to prevent any kind of attacks. 客户端通知无效数据的用户,并卸载服务器以及服务器上的负载,以防止任何形式的攻击。
Validating on both sides can be a tedious task though and I wondered if there was some way to do it so that you don't have so much duplicated code. 双方进行验证可能是一项繁琐的任务,我想知道是否存在某种方法可以使您不必重复太多代码。
There is also something else I was wondering...I have a table with rows who contain the id (of the database) of that row. 我还想知道还有其他事情...我有一个表,其中包含包含该行(数据库的ID)的行。 At the end of each row I have a delete button to delete it from the html, my JSON object who contains an array of my values and who is sent to an ajax call to be deleted from the database (a link between 2 tables). 在每一行的末尾,我都有一个删除按钮以将其从html对象中删除,该对象是我的JSON对象,其中包含我的值数组,并且将其发送到ajax调用以从数据库中删除(2个表之间的链接)。
This isn't safe (well in an unsafe environment like the internet) and I know it. 这是不安全的(在互联网这样不安全的环境中也是如此),我知道。 I can always check client side to see if the id is only numbers and if so then check server side if it exists. 我总是可以检查客户端以查看ID是否仅是数字,如果是,则请检查服务器端是否存在。 But who tells me the user did not go in the debugger and inverted 2 lines and end up deleting rows who should not be? 但是谁告诉我用户没有进入调试器并颠倒了两行并最终删除了不应该删除的行呢? What would be the best way to have my ids and be safe from people inverting them? 拥有我的ID并防止他人对其进行转换的最佳方法是什么?
Any suggestions appreciated 任何建议表示赞赏
3 个解决方案
解决方案1
3 已采纳 2012-08-02 14:31:56
Data validation should be done client side AND server side.
It is not really needed to do it client side IMHO. 客户端IMHO并不需要这样做。 But it is nice to be able to notify the user before submitting the data. 但是能够在提交数据之前通知用户是很好的。 So I would call it a pre. 所以我称它为pre。
Validating on both sides can be a tedious task though and I wondered if there was some way to do it so that you don't have so much duplicated code.
Because PHP is serverside and javscript is clientside it isn't really easy to prevent duplication of code. 因为PHP是服务器端的,而javscript是客户端的,所以防止重复代码并不是一件容易的事。 There is one way that I know of however using xhr requests . 我知道有一种方法可以使用xhr请求 。 This way you can use the php validation in javascript (clientside). 这样,您可以在javascript(客户端)中使用php验证。
At the end of each row I have a delete button to delete it from the html
Please tell me you are using CSRF protection . 请告诉我您正在使用CSRF保护 。 :-) :-)
I can always check client side to see if the id is only numbers and if so then check server side if it exists.
To prevent malicious sql injected you should use prepared statements and parameterized queries . 为了防止恶意SQL注入,您应该使用准备好的语句和参数化查询 。
解决方案2
2
Validation should always be done on server . 验证应始终在服务器上进行 。 Client-side validation is for user convenience only and is not strictly necessary from the security point of view (except when it opens a XSS security hole). 客户端验证仅是为了用户方便,从安全的角度来看并不是严格必需的(除非它打开了XSS安全漏洞)。
Apart from that, you should sanitize every input you receive from user. 除此之外,您应该清理从用户那里收到的每个输入 。 After the input has passed a sanity check (for example if there is text where there should be a number), you should do a permission test ( Does the user have the appropriate permission to perform an action that is requested? ) 输入通过完整性检查后(例如,如果在文本中应该有一个数字),则应该进行权限测试( 用户是否具有执行所请求操作的适当权限? )
After you have done this, you can actually execute the transaction. 完成此操作后,您就可以实际执行事务了。
解决方案3
0 2012-08-02 14:44:11
Since other answers have already been posted, i would recommend that you dedicate a utility class that you can call Utility and where you would store many useful functions to check data type & content in the server side, that way even if you'll be doing some great verifications on both client and server side, at least your code will be more readable and manageable. 由于已经发布了其他答案,因此我建议您指定一个实用程序类,您可以调用该实用程序,并在其中存储许多有用的函数来检查服务器端的数据类型和内容,即使您这样做在客户端和服务器端进行了一些出色的验证,至少您的代码将更具可读性和可管理性。
Another benefit of creating and managing your own utility classes is that you can easily use them across all your projects. 创建和管理自己的实用程序类的另一个好处是,您可以轻松地在所有项目中使用它们。
For example, a utility class can contain methods ranging from verifying that a certain field is within a specific range of values, or that it doesn't contain special characters (use Regular Expressions) and so on ... Your advanced utility method would focus on preventing scripts insertion, sql injections as mentionned before. 例如,实用程序类可以包含的方法范围包括验证某个字段是否在特定值范围内,或者不包含特殊字符(使用正则表达式)等等……您的高级实用程序方法将专注于关于防止脚本插入,SQL注入如前所述。
All in all, you'll do the work once and benefit from it all the time, i'm sure you no want to start checking if an age field is negative or whatever on every project you do from scratch. 总而言之,您将一次完成工作并从中受益,我敢肯定您不想开始检查年龄字段是否为负数,或者您从头开始进行的每个项目中的任何内容。 Using Ajax and XHR can be a bridge between your server side and client side code and would help you unifiy your validation and avoid duplication. 使用Ajax和XHR可以成为服务器端代码和客户端代码之间的桥梁,并且可以帮助您统一验证并避免重复。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.