Is PHP or JavaScript more secure when populating a dropdown box?

Which is better from a security standpoint when populating an HTML select box?

Option A: PHP

<?php echo "<select name=\"empName\" id=\"empName\" class=\"text\" style=\"width:10em;\">
";?>
<?php include 'PHPscripts/getEmployeeNamesDB.php'?>
<?php echo "</select>
";?>

getEmployeeNamesDB.php

<?php
// getEmployeeNamesDB.php as posted. Uses the mysql_* extension (deprecated in PHP 5.5, removed in PHP 7).
$dropdown = "";
$tbl_name = "employee"; // Table name
$result = mysql_query("SELECT CONCAT_WS(' ', firstname, lastname) AS 'wholename', empid FROM $tbl_name ORDER BY lastname")
    or die("cannot select result DB.php");
while ($row = mysql_fetch_assoc($result)) {
    $empid = $row["empid"];
    $name  = $row["wholename"];
    // $empid and $name are interpolated into the markup as-is, without htmlspecialchars()
    $dropdown .= "<option value=\"$empid\">$name</option>\n";
}
echo $dropdown;

Option B: Javascript

Same information, except use an AJAX call to populate a JavaScript variable, then use JavaScript to make the select statement?

Security is my primary concern but I would also like to know if you can come up with any other concerns I should consider.

drutcs7210: These two are the same thing. With AJAX, isn't PHP still running in the background?
(about 9 years ago)

du4010: I can't think of any specific security issues, just checking. Is there any other reason I should use one over the other?
(about 9 years ago)

dongzhanlu8890: What security issues would either of these two solutions run into?
(about 9 years ago)

duandanai6470: I'm not sure I would raise any security issues here. Can you explain the scenario you're worried about?
(about 9 years ago)

4 answers



The only security concern I see here is that you have one more layer to deal with if you go the AJAX route. With PHP it's purely a communication between your server scripts. With AJAX you have a communication from the end user's browser over the network, which can be anything. That user can use your JS if they want and supplement the query, depending on how your JS builds that query.

dongyupen6269: Thanks for the help, Ariel.
(about 9 years ago)




There are no security issues involved when you are populating or generating output, unless previous user input is involved. The user can, if he chooses to, forge a POST request and easily include options that you have not included in the select box.

Therefore, it's when the user submits the data that you should be concerned about security. You should always validate the data after you receive it to see if it is a valid option. For example:

<?php
// Generating the menu
$choices = array('Eggs', 'Toast', 'Coffee');
echo "<select name='food'>";

foreach ($choices as $choice) {
    echo "<option>$choice</option>";
}

echo "</select>";

// Then, later, validate when the user submits the form.
// isset() avoids a notice when the field is missing from a forged request;
// the third argument makes in_array() compare strictly (no type juggling).
if (!isset($_POST['food']) || !in_array($_POST['food'], $choices, true)) {
    echo "You must select a valid choice.";
}
?>

Also, as others have noted, you should use PHP instead of JS, as it could be faster and also works for those who have JS turned off.

dongsisui7562: Good point too. I'm validating everything both client-side (JavaScript) and server-side (PHP).
(about 9 years ago)
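The two points the answers above make, written out as an added example (editor's code, not code from the question or either answer): Ariel's point that with AJAX the endpoint is reachable by the browser directly, so anything it accepts must be bound as a parameter rather than spliced into the SQL, and the second answer's point that the value the form POSTs must be re-checked server-side, applied here to the asker's database-backed list rather than a fixed array. It also hardens the asker's Option A, whose posted code interpolates `$empid` and `$name` into the markup unescaped and builds the SQL by string interpolation. The example assumes PDO with the sqlite driver, an in-memory `employee` table filled with constructed rows, and function names (`connect`, `fetchEmployees`, `renderSelect`, `employeesJson`, `validateSubmittedEmpId`) that are my own; with MySQL only the DSN and the concatenation syntax noted in the code change.

```php
<?php
// Added example, not code from the original question or answers.
// Hardened shape of the asker's Option A (server-rendered <select>), the server half of
// Option B (the JSON body an AJAX call fetches), and the re-check of the submitted value
// on POST. Runs offline against an in-memory SQLite table with constructed rows.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // exceptions instead of "or die(raw error)"
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $pdo->exec('CREATE TABLE employee (empid INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT)');
    // Constructed sample rows. The third is deliberately hostile: a first name containing markup,
    // which the question's unescaped "<option value=\"$empid\">$name</option>" would emit as live HTML.
    $ins = $pdo->prepare('INSERT INTO employee (empid, firstname, lastname) VALUES (?, ?, ?)');
    foreach ([[1, 'Ada', 'Lovelace'], [2, 'Grace', 'Hopper'], [3, '<script>alert(1)</script>', 'Smith']] as $row) {
        $ins->execute($row);
    }
    return $pdo;
}

/** Rows of ['empid' => ..., 'wholename' => ...], optionally filtered by a last-name prefix. */
function fetchEmployees(PDO $pdo, ?string $lastnamePrefix = null): array
{
    // SQLite concatenation; on MySQL use CONCAT_WS(' ', firstname, lastname) as in the question.
    $sql    = "SELECT empid, firstname || ' ' || lastname AS wholename FROM employee";
    $params = [];
    if ($lastnamePrefix !== null) {
        // A filter supplied by the browser (e.g. ?q=Hop on the AJAX endpoint) is bound as a
        // parameter, never interpolated into the SQL, so a user calling the endpoint directly
        // cannot "supplement the query". LIKE wildcards in the input are escaped as well.
        $sql     .= " WHERE lastname LIKE ? ESCAPE '\\'";
        $params[] = strtr($lastnamePrefix, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
    }
    $sql .= ' ORDER BY lastname';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll();
}

/** Option A, hardened: every dynamic value is HTML-encoded before it reaches the markup. */
function renderSelect(array $employees): string
{
    $enc  = fn($v) => htmlspecialchars((string)$v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = '<select name="empName" id="empName" class="text" style="width:10em;">' . "\n";
    foreach ($employees as $e) {
        $html .= sprintf("  <option value=\"%s\">%s</option>\n", $enc($e['empid']), $enc($e['wholename']));
    }
    return $html . "</select>\n";
}

/** Option B, server side: the JSON body the AJAX call receives (send with Content-Type: application/json).
 *  The HEX flags keep the string safe even if it is ever inlined into a <script> block. */
function employeesJson(array $employees): string
{
    $rows = array_map(fn($e) => ['empid' => (int)$e['empid'], 'name' => $e['wholename']], $employees);
    return json_encode($rows, JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

/** The check the second answer asks for, for a database-backed list: does the POSTed empid exist?
 *  Whether PHP rendered the options or JS built them, the browser can submit any value at all. */
function validateSubmittedEmpId(PDO $pdo, $submitted): ?int
{
    if (!is_string($submitted) || !preg_match('/^\d{1,10}\z/', $submitted)) {
        return null; // arrays, empty strings, "2 OR 1=1" and the like never reach the database
    }
    $stmt = $pdo->prepare('SELECT 1 FROM employee WHERE empid = ?');
    $stmt->execute([(int)$submitted]);
    return $stmt->fetchColumn() === false ? null : (int)$submitted;
}

$pdo = connect();

echo renderSelect(fetchEmployees($pdo));               // Option A markup; the hostile name is entity-encoded
echo employeesJson(fetchEmployees($pdo, 'Hop')), "\n"; // Option B body for a client-supplied filter "Hop"

// Simulated form submissions: a real id, an id not in the table, and an injection attempt.
foreach (['2', '999', '2 OR 1=1'] as $posted) {
    var_dump(validateSubmittedEmpId($pdo, $posted));
}
```

On the client side of Option B, the JavaScript that consumes this JSON should create options with `new Option(row.name, row.empid)` or set `textContent`, not assemble HTML strings with `innerHTML`; otherwise the encoding done in `renderSelect` is simply moved to, and skipped in, the browser. Either way the POST handler cannot trust that the value came from the list it rendered, which is why `validateSubmittedEmpId` re-queries the table instead of assuming the dropdown constrained the input.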




On the security point they are the same. With AJAX it may be easier for design.




No difference for security, but option A will be faster and simpler. And it will work for people who have JavaScript turned off.
