Questions about legality
按键盘手指磨破皮
按键盘手指磨破皮 2017-09-01 14:07:24
0
3
1771

I am a novice, and a security issue suddenly occurred to me when I was writing code today.

For various ajax requests, can hackers submit code externally? Because the JS file browser can see it, that is, it can know your code. So if a hacker uses our domain name to submit it externally, can PHP determine whether it is legal? For example, determine whether our own files were submitted?

For example, my js file has a code section

$('input').click(function(){
    $.post('index.php',{a:xx,b:xx},function(a){
        xxxxx
    })
})
那么如果黑客通过外部提交
xxxxxxxxxxx
$('input').click(function(){
xxxxxx
    $.post('http://www.xxxx.com/index.php',{a:xx,b:xx},function(a){
        xxxxx
    })
xxxxxx
})
xxxxxxxxxxx

How to write it in PHP to prevent it?

按键盘手指磨破皮
按键盘手指磨破皮

reply all(3)
MrSwan

Do you know more about CSRF?

phpcn_u22108

External submissions are normal and injection needs to be prevented through procedures.

ringa_lee

According to what you said, the data submitted by external ajax simulation is cross-domain.

You have multiple ways to deal with this. For example:

1. You can set access permissions. For example, only logged-in members can view it or limit the domain name. This will make it difficult for others to crawl. But this obstacle can always be overcome.

2. Use session to generate a token. Verify the session after submission. If it is legal, log out the session immediately to ensure that there is a new token every time.

3. Analyze access logs and restrict suspicious IP access from the server level.

4. Record the operation density of each IP. If it is more frequent, you can ask for verification codes from time to time.

...

There are many methods, but no one is the best. It is recommended to take a multi-pronged approach. Hope to adopt~

  • reply These methods don't feel very reliable... After using packet capture software to capture packets, these can be simulated. For example, sessions can be captured by accessing file returns. There are many IPs on the Internet, and they can be used. I feel that the most important thing to learn PHP is to prevent being hacked. My website is always hacked, coded, and illegally posted.
    按键盘手指磨破皮 author 2017-09-01 16:06:46
  • reply Got it, thanks for the answer
    按键盘手指磨破皮 author 2017-09-01 16:22:31
  • reply No method is absolute. There are too many security methods. You can focus on the server and adopt a two-pronged approach. Use all methods. If you take more protective measures, others will not be able to attack your site easily. And since you are not a very popular site, people can’t just sit around doing nothing all day, researching and thinking about attacking your site every day.
    ringa_lee author 2017-09-01 16:20:36
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template