-4

我在我的新项目中广泛使用 JQuery 和 Javascript,包括表单验证,因为我不想使用 PHP 验证给服务器增加负担。因此,我限制在浏览器上禁用 Javascript 的人访问我的网站。我正在尝试使用元标记重定向它们:

<meta http-equiv="refresh" content="2; URL=../../enablejs.html">

我认为这是安全的,因为如果未启用 javascript,他们将无法访问我的网站。

但我仍然对此有疑问,需要您的建议。它完全安全吗?如果不是,我需要集中精力的领域是什么?

4

6 回答 6

9

这是一个可怕的、可怕的想法。

因为我不想使用 PHP 验证给服务器增加负担

你的意思是,你不想让自己承担实施它的负担:)

我可以联系起来。每个人都讨厌做两次事情。但是服务器端验证不是可以协商的额外费用;客户端验证可以很容易地绕过,只是为了用户方便。为了安全起见,始终需要服务器端验证。

除了这是一个坏主意之外,没有办法可靠地排除关闭 JavaScript 的用户。JavaScript 在客户端运行,它的存在或不存在很容易被服务器伪造。

于 2012-10-18T09:10:45.300 回答
7

客户端的任何东西都永远不安全。您总是需要服务器端验证。这不是“负担”,而是必需品。我什至不需要您的网站向您的服务器提交(未经验证的)数据,最终这一切都归结为 HTTP 请求。如果你不验证用户在服务器上所做的一切,你就没有安全性。

于 2012-10-18T09:11:07.360 回答
3

我在我的新项目中广泛使用 Jquery 和 Javascript,包括表单验证,因为我不想使用 PHP 验证给服务器带来负担。

这不应该减轻重大负担。不过,它应该可以更快地向用户提供反馈,这很好。

因此,我限制在浏览器上禁用 Javascript 的人访问我的网站。

That is a waste of time. The proportion of submissions in that which will be from users with JS disabled will be tiny.

I am trying to redirect them using meta tag

That's a very user hostile thing to do.

I assume that this is safe because if javascript is not enabled they will not be able to access my site.

If you mean that it avoids the need to write server side validation routines, then you are wrong. If someone wants to attack the site (rather then submit bad data by accident) then they can construct HTTP requests manually.

于 2012-10-18T09:11:27.563 回答
3

No that's not safe. Client side validations are nowhere safe. With javascript enabled anyone can bypass your validations. Using chrome console I can probably alter any text on your input boxes or any other input method without you validation noticing it.

Use server side validation or you're screwed.

于 2012-10-18T09:12:37.703 回答
3

No, this is not safe. Never rely on the browser for form validation. Form validation in the browser should only be to improve user experience, not to protect your data. You need to add some PHP validation.

Also, are people who have JavaScript disabled not supposed to use your site? You should make JavaScript degrade gracefully so that your site is still usable without it.

于 2012-10-18T09:13:23.477 回答
0

Using client side validation is a recipe for disaster "never ever trust clients input" clients inputs are GET (URL included), POST, FLash ...

All inputs should be validated by server side scripting language like PHP, ASP.net, java ... If you use PHP then check http://www.phpclasses.org/ and look for form validation scripts and Cross-site scripting (XSS). Or use validation classes offered in frameworks like zend, codeigniter

http://en.wikipedia.org/wiki/Cross-site_scripting

于 2012-10-18T09:20:55.597 回答