duanchouyi6730 2012-10-18 16:39
Views: 35
Answer accepted

Unregistered submissions, security issue

I've created a simple script that allows a user to post a message, question or discussion on my site. I've not got anything online yet so I can't show you, but one thing I don't want is registration.

I want a simple, streamlined and quick way for anybody to come on to my site and post a message, to which others can respond (also without registration).

My question is about security. I've made it so that a person may edit their own message only if the following conditions are met:

  1. The IP address ($_SERVER['REMOTE_ADDR']) matches the one used to ask the question (I store it in the database).
  2. No more than 20 minutes have elapsed.

I want to know how easy this would be to break, and how I can make it stronger. I'm an absolute newbie when it comes to security and I'll state now I have no real interest in this side of development, I'm more of a client/server developer, but my strong point is JavaScript.

I'm not too clued up on networking either. How easy is it to spoof an IP address and also how common is it to find two users with identical addresses? I am thinking about making a session ID which will be stored in a temporary database as a third clause that must exist in order for edits to take place. Of course this means users will not be able to leave the site and come back to edit.

Could anyone give me some advice on the best way to proceed?

Note: I want to make it clear that I absolutely do not want registration, which would eliminate this problem entirely. I want a free-to-use, public site that anyone can simply come along and use.

Note 2: I've also taken care of the bot problem with a simple piece of JavaScript requiring the user to interact with the site (quicker than CAPTCHA), so no worries here.

Kind regards.


4 answers

  • duanjucong3124 2012-10-18 16:43

    AFAIK your approach is correct, and you could combine it with a cookie to avoid the multiple-users-on-same-ip problem (of course state this on your site).

    This answer was selected by the asker as the best answer.
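The scheme in the question (IP address plus a 20-minute window) combined with the cookie the accepted answer suggests, worked through as an added example; this is not code from the question or from any answer. It assumes an in-memory `PostStore` standing in for the database table, a hypothetical `/post/{id}` URL layout for the cookie path, and constructed IP addresses and timestamps. The edit right is a random capability secret handed to the browser in the cookie; the server stores only its SHA-256 hash, compares with `hash_equals`, enforces the 20-minute window server-side, and keeps the IP match as a secondary factor rather than the only one.

```php
<?php
// Added example (not the asker's code): edit-capability token for anonymous posts.
// PostStore is an in-memory stand-in for the database table described in the question.
declare(strict_types=1);

const EDIT_WINDOW_SECONDS = 20 * 60;

final class PostStore
{
    /** @var array<int, array{body:string, ip:string, token_hash:string, created_at:int}> */
    private array $rows = [];
    private int $nextId = 1;

    // Create a post: generate a random secret, store only its hash together with
    // the creation time and the poster's IP. The plaintext secret goes to the client.
    public function create(string $body, string $ip, int $now): array
    {
        $secret = bin2hex(random_bytes(32));              // 256-bit capability, unguessable
        $id = $this->nextId++;
        $this->rows[$id] = [
            'body'       => $body,
            'ip'         => $ip,
            'token_hash' => hash('sha256', $secret),      // DB leak does not leak the secret
            'created_at' => $now,
        ];
        return ['id' => $id, 'edit_secret' => $secret];
    }

    // Authorisation check for an edit: returns a reason on denial, null when allowed.
    public function editDenialReason(int $id, ?string $secret, string $ip, int $now): ?string
    {
        if (!isset($this->rows[$id])) {
            return 'no such post';
        }
        $row = $this->rows[$id];
        if ($now - $row['created_at'] > EDIT_WINDOW_SECONDS) {
            return 'edit window expired';                 // window enforced server-side, not by cookie expiry
        }
        if ($secret === null || !hash_equals($row['token_hash'], hash('sha256', $secret))) {
            return 'missing or wrong edit token';         // constant-time comparison
        }
        // IP match kept as defence in depth only: users behind a shared NAT share an address.
        if ($row['ip'] !== $ip) {
            return 'ip mismatch';
        }
        return null;
    }

    public function edit(int $id, string $newBody, ?string $secret, string $ip, int $now): bool
    {
        if ($this->editDenialReason($id, $secret, $ip, $now) !== null) {
            return false;
        }
        $this->rows[$id]['body'] = $newBody;
        return true;
    }
}

// Cookie attributes to pass as the options array of setcookie() in the web handler.
// The path is the assumed /post/{id} layout, so the secret is only sent back for that post.
function editCookieOptions(int $id, int $now): array
{
    return [
        'expires'  => $now + EDIT_WINDOW_SECONDS,
        'path'     => "/post/$id",
        'secure'   => true,
        'httponly' => true,                               // not readable from page JavaScript
        'samesite' => 'Lax',
    ];
}

// Demo run with constructed values.
$store = new PostStore();
$t0 = time();
$p = $store->create('first question', '203.0.113.7', $t0);
var_dump($store->edit($p['id'], 'edited body', $p['edit_secret'], '203.0.113.7', $t0 + 60)); // right secret, inside window
var_dump($store->editDenialReason($p['id'], $p['edit_secret'], '203.0.113.7', $t0 + 1201));   // right secret, window elapsed
var_dump($store->editDenialReason($p['id'], 'guess', '203.0.113.7', $t0 + 60));                // wrong secret
var_dump($store->editDenialReason($p['id'], $p['edit_secret'], '198.51.100.9', $t0 + 60));    // right secret, different IP
```

Run it from the command line with `php`. In the real request handler, the creation step would call `setcookie('edit_' . $p['id'], $p['edit_secret'], editCookieOptions($p['id'], time()))` and the edit step would read the secret back from `$_COOKIE`. Because the cookie lives until the window expires, a user can leave the site and come back within the 20 minutes and still edit, which removes the drawback the question raises about a server-side session; nobody sharing the same IP can edit without the cookie, which addresses the shared-address concern in the accepted answer.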
