0

我正在构建一个示例服务器,以便我可以学习 PHP,并且想知道这是否是保护我的数据库的好方法。本质上,我发送的是我自己的 API 密钥。这甚至做任何有用的事情,还是很容易克服。

如果这很可怕,那么解决这个问题的标准方法是什么?

下面是php文件

<?php
//Check if insert function exists
$apiKey = "6dM7V0n5GqYJLTMibQDf2gA2a94h8hbF";

if(function_exists($_GET['insert']) && ($_GET['key'])==$apiKey) {

    $id = $_GET['id'];
    $first=$_GET['first'];
    $last = $_GET['last'];

    //If found, call the function inser with value as a parameter
   $_GET['insert']($id,$first,$last);
}
?>

Web 请求看起来像(来自 iOS 应用程序);

    NSURL*url=[NSURL URLWithString:@"http://localhost/Tutorials/index.php?insert=insert&id=9000&first=YOOOO&last=LOOOO&key=6dM7V0n5GqYJLTMibQDf2gA2a94h8hbF"];

    //URL request
    NSURLRequest*request=[NSURLRequest requestWithURL:url];

    //Set the connection
    connection = [NSURLConnection connectionWithRequest:request delegate:self];

    if (connection) {
        webData=[[NSMutableData alloc]init];
    }
4

2 回答 2

1

为了证明它是多么不安全,我可以请求这个页面:

http://example.com/yourpage.php?insert=exec&id=rm+-rf+%2F&key=6dM7V0n5GqYJLTMibQDf2gA2a94h8hbF

Unless some configuration blocks it, this will wipe your server's drive as much as PHP has access to it (which will probably be your entire website)

Instead, you should create a list of valid functions, and refer to them by ID. Store the functions in an array, and get the index pointed to by a GET parameter.

于 2013-03-29T22:35:59.330 回答
0

是的,这不安全,您可以强制客户端进入 HTTPS 连接,或者使用某种双向加密,因为这种方式非常不安全。

看看这里:

http://tinsology.net/2009/06/creating-a-secure-login-system-the-right-way/

于 2013-03-29T22:28:42.213 回答