问题描述

在我知道如何保护上载图像后将表单输入字段绕过上传不需要的文件我想举另一个例子，其中有2个文件被隐藏，其中一个被隐藏.

After i knew how to secure upload image Bypassing forms input fields to upload unwanted files i would like to give another example of from with 2 filed, one of them are hidden.

SQL表(ID，名称，作业，编号)

SQL Table (id,name,jod,number)

CREATE TABLE `users` (
  `id` bigint(20) unsigned NOT NULL auto_increment,
  `name` varchar(255) default '0',
  `job` varchar(255) default NULL,
  `number` varchar(255) default NULL
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

表格代码(支持成员将编辑自己的信息)

Form Code (support member will edit own informations)

<form action="send.php" method="post" name="send" id="send">
 <input type="text" name="name" id="name" value="John"/>
 <input type="text" name="job" id="job" value="Plumber"/>
 <input type=hidden name="number" id="number" value="1234"/>
 <input type="Submit" name="Submit" value="Submit"/>
</form>

后来有一个firefox扩展程序可以绕过服务器端绕过检查的不同输入，并且可能造成很多损坏，因此在这里它可以停止整个过程，并使您能够编辑隐藏表的值number导致value="1"之类的任何信息，导致成员的更新信息具有value number 1.

Later there was an firefox extension that can bypassing different input to the server-side bypassing checking and might case a lot of damage so here it can stop the whole process and makes you able to edit the value of hidden table number to any such as value="1" causing update information for member have that value number 1.

该扩展名的工作方式如下，它可以在输入数据传递到服务器端之前对其进行伪造.

That extension is working as following, It can fake input data before it passed to server side.

PHP代码Send.php

if(isset($_POST['send'])){  

$name   = mysql_real_escape_string($_POST[name]);
$job    = mysql_real_escape_string($_POST[job]);
$number = mysql_real_escape_string($_POST[number]);

$sql= "update users SET name='$name',job='$job' WHERE number='$number'";
       mysql_query($sql) or die("query failed: $sql".mysql_error());

echo "Update Done";

} else { 
echo "Nothing to update";
}

问题那么如何保护这种简单形式不受这种输入形式的影响呢? 〜谢谢

The questionHow then to protect this simple form from such input form ? ~ Thanks

这个问题真的很痛苦，因为它使我的网站免费被黑客入侵了:)

this problems really hurts cause it made my website free to be hacked :)

推荐答案

如果用户授权不是您的选择，则可以尝试以下方法:

If the user authorization is not an option in your cause, you could try the following techniques:

• 将隐藏字段设置为带有一些其他信息的数字哈希值
• 在隐藏字段中设置加密的数字(可能在此处添加盐也可以提高安全性)

当然，在发送表单HTML并验证帖子信息时，它会添加额外的步骤，但至少对于攻击者而言，在帖子上伪造有效数字会更加困难.尽管除非明智地使用带有隐藏字段的加盐信息，否则如果攻击者知道其他用户的加密/哈希数并不会节省您的时间.

Of course it would add extra steps when sending the form HTML and validating the post information, but at least it would be much harder to the attacker fake a valid number on the post. Although it would not save you if the attacker knows the encrypted/hashed number of a different user unless the salted information withing the hidden field is used wisely.

这篇关于带隐藏字段的输入表单如何保护它的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！