PHP安全:将POST发送到相同的URL =坏?

昨天我对一个问题的回复是关于使用重定向后 - 获取模式,如下所示:</ p>

  if(isset($ _ POST ['Submit'])){
//阻止重发数据
标题(“位置:”。$ _SERVER ['PHP_SELF']);
}
</ code> < / pre>

有人回复:从Javascript,没有AJAX或表单向同一个PHP页面发送数据 </ p>


对于Web安全而言,这对于网络安全来说非常重要 无法通过简单的URL发送POST。</ p>
</ blockquote>

现在我想知道这有什么问题? 我想避免在确认消息中使用单独的页面,因为它只是打破了用户体验,而且从设计POV开始就是不行。</ p>
</ div>

展开原文

原文

I had a response on a question yesterday about sending POST data to the same page with the Post-Redirect-Get pattern like this:

if (isset($_POST['Submit'])) {
    // prevent resending data
    header("Location: " . $_SERVER['PHP_SELF']);
}

Someone replied: sending data to same PHP page from Javascript, no AJAX or forms

It is extremely important for the purposes of web security that a POST cannot be sent via a simple URL.

Now I would like to know what is wrong with this? I want to avoid using a separate page with the confirmation message, because it just breaks the user experience and from a design POV it is a no-go.

douniangliao4327
douniangliao4327 当然,但我最好再问一下init?
接近 10 年之前 回复
doutong6814
doutong6814 对SO的声誉并不意味着那么多......(截至本文写作时为25K);)
接近 10 年之前 回复
dougong7850
dougong7850 这里是链接:stackoverflow.com/questions/4016968/...人员有26K的声誉。
接近 10 年之前 回复
duanjia1865
duanjia1865 我不确定当他们说POST很重要时,我不明白这个人的意思是不能通过“简单”的URL发送。
接近 10 年之前 回复

3个回答




对于网络安全的目的而言,无法通过简单的方式发送POST
非常重要 URL。</ p>
</ blockquote>

我认为这个人可能误解了你或网络安全。</ p>

没有任何问题 对不同的请求方法使用相同的URL( GET </ code>, POST </ code>, PUT </ code>, DELETE </ code>, HEAD < / code> etc)。 事实上,这是一个非常好的主意。</ p>
</ div>

展开原文

原文

It is extremely important for the purposes of web security that a POST cannot be sent via a simple URL.

I think the person who said this might have misunderstood either you or web security.

There's nothing wrong with using the same URL for different request methods (GET, POST, PUT, DELETE, HEAD etc). In fact, it's a very good idea.

duanjiao5082
duanjiao5082 +1 ......事实上,RESTfulness应该如何运作。
接近 10 年之前 回复
douduoting8408
douduoting8408 我添加了链接
接近 10 年之前 回复




对于Web安全而言,无法通过简单的URL发送POST是非常重要的。</ p>
</ blockquote>

我更倾向于解释这句话,即同一URL上的GET请求不应该与POST请求相同。 所以检查 $ _ REQUEST ['submit'] </ code>而不是隐式检查 $ _ POST ['submit'] </ code>或 $ _ SERVER ['REQUEST_METHOD'] </ code> 可能是违规行为。</ p>

也许作者也意味着表单使用了一些一次性身份验证令牌,因此只允许经过身份验证的请求。</ p>
</ div>

展开原文

原文

It is extremely important for the purposes of web security that a POST cannot be sent via a simple URL.

I rather interpret this sentence that it should not be possible that a GET request on the same URL does not cause the same as a POST request. So checking for $_REQUEST['submit'] instead of implicitly checking $_POST['submit'] or $_SERVER['REQUEST_METHOD'] could be a violation.

Maybe the author did also mean that the form uses some one-time authentication token so that only authenticated requests are permitted.



似乎回复者没有想到他的回应。 我想他会认为使用$ _SERVER [“PHP_SELF”]会出现一些安全问题,但在这种情况下我看不出怎样。</ p>

如上所述,有 让同一个URL处理不同的请求没什么不对。</ p>

也就是说,我仍然从表单中分离出确认消息。 我认为没有理由不这样做。 验证和错误消息仍然可以在表单视图上发生,但只是让很多条件确定你应该显示确认消息,表单或错误消息似乎(IMO)你得到了很多混乱的代码。</ p>
</ div>

展开原文

原文

It seems like the replier didn't think his response through. I would imagine he was thinking there would be some security issues by using $_SERVER["PHP_SELF"], but I can't see how in this case.

As already mentioned, there is nothing wrong with letting the same URL handle different requests.

That said, I still seperate the confirmation message from the form. I see no reason as to why I shouldn't. Validation and error messages can still occur on the form view, but just letting a lot of conditions determine wether you should show the confirmation message, the form or error messages seems like (IMO) your'e getting a lot of messy code.

Csdn user default icon
上传中...
上传图片
插入图片
抄袭、复制答案,以达到刷声望分或其他目的的行为,在CSDN问答是严格禁止的,一经发现立刻封号。是时候展现真正的技术了!
立即提问