防止隐藏的输入被改变-Preventhiddeninputfrombeingaltered

11  

Some ideas:

一些想法：

1. Server-side only. The easiest way to do this is to use session variables (like $_SESSION) so that all the data kept on the server side, but managing it and keeping separate tabs a user might have open separate can get a little tricky. This option prevents the user from seeing or editing the information.

   仅限服务器端。最简单的方法是使用会话变量（如$ _SESSION），以便保留在服务器端的所有数据，但管理它并保持用户可能单独打开的单独选项卡可能会有点棘手。此选项可防止用户查看或编辑信息。

2. Make the client carry an encrypted blob. Take all your "temporary but protected" data, combine it somehow (e.g. JSON) and then encrypt* the whole thing with a secret key known only to the server. Base64 the result and put that into the hidden field value. (Note that for a high-security application, you'll also want to work an HMAC into this process, which validates that the ciphertext hasn't been tinkered with.) This option also prevents the user from seeing or editing the information, but makes it easier to handle cases where one user has many tabs open.

   使客户端携带加密的blob。获取所有“临时但受保护”的数据，以某种方式将其组合（例如JSON），然后使用仅为服务器知道的密钥加密*整个事物。 Base64结果并将其放入隐藏字段值。 （请注意，对于高安全性的应用程序，您还需要将HMAC用于此过程，该过程验证密文未被修改。）此选项还会阻止用户查看或编辑信息，但可以更轻松地处理一个用户打开多个选项卡的情况。

3. Still use not-so-secret hidden input fields, but add an anti-tampering mechanism. So when the page is being generated, take all of your existing "protected" variables, combine them somehow with a server-side secret value, and hash [correction: HMAC] them. Store the hash in its own hidden field. Then after the user submits, you repeat the process and check if the hash matches. If it doesn't, have everything error with security-violation page.

   仍然使用不那么秘密的隐藏输入字段，但添加了防篡改机制。因此，在生成页面时，获取所有现有的“受保护”变量，将它们以某种方式与服务器端秘密值组合，并将它们哈希[更正：HMAC]。将哈希存储在自己的隐藏字段中。然后在用户提交后，重复该过程并检查哈希是否匹配。如果没有，请将安全违规页面的所有内容都包含在内。

*As with all cryptography, doing this the "right" way can be tricky and depends a lot on how you encrypt/verify. There are lot of pitfalls in terms of ciphers and cipher-modes etc.

*与所有加密技术一样，这样做“正确”的方式可能很棘手，并且很大程度上取决于您如何加密/验证。在密码和密码模式等方面存在很多陷阱。

Finally, remember that preventing people from modifying it doesn't mean a user can't copy everything and re-use it later or under another account, unless you take steps to include a "timestamp" etc.

最后，请记住，阻止人们修改它并不意味着用户无法复制所有内容并在以后或其他帐户下重复使用，除非您采取措施包含“时间戳”等。

10  

You can't. You can never, ever rely on user-submitted data. Even if you could prevent the user from modifying the DOM elements (which you can't), you could hardly stop them from submitting an HTTP request with cURL, wget or some other library with whatever fields they chose. Don't trust any data that is sent by the user.

你不能。您永远不能依赖用户提交的数据。即使您可以阻止用户修改DOM元素（您也不能），您很难阻止他们使用cURL，wget或其他一些库提交HTTP请求，无论他们选择哪个字段。不要相信用户发送的任何数据。

If you want to ensure that the value doesn't change, you'll have to store it on the server. PHP has an excellent feature that allows you to do this -- sessions. Store the data in a session, and the user will not be able to modify it, because it will be stored on your server and never transferred to or from the user themselves.

如果要确保值不会更改，则必须将其存储在服务器上。 PHP有一个很好的功能，允许你这样做 - 会话。将数据存储在会话中，用户将无法对其进行修改，因为它将存储在您的服务器上，并且永远不会传输到用户本身或从用户本身传输。

1  

If you are bent upon avoiding the server postback to validate input, you could base64 encode your hidden input and atleast make it harder for people out to tamper with it.

如果您一心想避免使用服务器回发来验证输入，那么您可以对隐藏的输入进行base64编码，至少让人们更难以篡改它。

1  

You can't. A rule to always remember that will save you a lot of thinking and design time. If the browser has it, its not secure.

你不能。永远记住这一规则将为您节省大量的思考和设计时间。如果浏览器有它，它不安全。