Laravel protect form hidden fields and url
Warning: this page is a translation of a popular StackOverflow question and is provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must do so under the same license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/29514902/
Asked by SkarXa
I have an edit form made with Blade to edit a resource, like this:
{{Form::model( $post ,['action'=> ['PostController@update', 'id' => $post->id], 'method' => 'post'])}}
Which generates a form with action
http://example.com/posts/edit/123
And my fields, having text and hidden inputs
Seeing this URL, it's very easy for a bad-intentioned user to update other posts.
How can I protect the route to make it fail if the id is manipulated with the inspector? Is there any built-in way to tokenize the id to make sure it matches? Can this also be applied to all the hidden inputs?
Thanks
EDIT:
An example of my hidden field usage: my posts are generally questions and answers. When a user tries to add an answer to a question, I set question_id as a hidden field, and I want to check that it is not manipulated.
Answered by Laurence
Limonte's answer is correct for securing the ability to edit other people's posts, and you should always do that. To answer the second half of your question:
I set question_id as a hidden field, and I want to check it is not manipulated.
The problem is that you can never trust the data supplied by a client to your system. You must always assume it has been tampered with.
One option to help minimize the risk is to use the encryption service provided by Laravel to do this:
{{ Form::hidden('question_id', Crypt::encrypt($question_id)) }}
Then in your controller
$question_id = Crypt::decrypt(Input::get('question_id'));
Just make sure you've set a random application encryption key in your app.php config file.
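The encrypt/decrypt step of this answer, put together as an added example that is not part of Laurence's answer or of Laravel itself. It drives Laravel's Encrypter class directly instead of the Crypt facade so it runs outside a full application (it assumes the illuminate/encryption package is installed through Composer); the helper names hiddenQuestionId and readQuestionId, the 32-byte demo key and the idea of sealing the current user's id into the payload are my additions. The third check is the caveat a practitioner wants: Laravel's encryption is authenticated, so an edited ciphertext is rejected, but on its own it does not stop a client from pasting a perfectly valid ciphertext copied from a form rendered for someone else, which is why the decrypted id must still go through the ownership check from Limonte's answer.

```php
<?php
// Added example (not from the original answers). Assumes illuminate/encryption is
// installed via Composer; run with `php hidden_field.php` next to vendor/autoload.php.
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Encryption\Encrypter;

// Stand-in for the application key normally read from config/app.php (APP_KEY).
// Constructed here for the demo; AES-256-CBC needs 32 random bytes.
$encrypter = new Encrypter(random_bytes(32), 'AES-256-CBC');

// Template side: the value Form::hidden('question_id', ...) would emit.
// Hypothetical helper. Besides the question id it seals in the id of the user the
// form was rendered for, so a ciphertext lifted from someone else's page is useless.
function hiddenQuestionId(Encrypter $enc, int $questionId, int $userId): string
{
    return $enc->encrypt(['question_id' => $questionId, 'user_id' => $userId]);
}

// Controller side (hypothetical helper): returns the question id only if the
// payload is intact and was issued to the currently logged-in user.
function readQuestionId(Encrypter $enc, string $payload, int $currentUserId): int
{
    try {
        $data = $enc->decrypt($payload);
    } catch (DecryptException $e) {
        // Bad base64, bad JSON or a failed HMAC: the field was edited in the inspector.
        throw new RuntimeException('question_id has been tampered with', 0, $e);
    }

    if (!is_array($data) || ($data['user_id'] ?? null) !== $currentUserId) {
        throw new RuntimeException('question_id was not issued to this user');
    }

    return (int) $data['question_id'];
}

// 1. An untouched field round-trips to the original id.
$field = hiddenQuestionId($encrypter, 123, 7);
echo 'untouched: ', readQuestionId($encrypter, $field, 7), PHP_EOL;

// 2. Changing a single character of the ciphertext is caught by the MAC check.
$tampered = $field;
$tampered[10] = ($tampered[10] === 'A') ? 'B' : 'A';
try {
    readQuestionId($encrypter, $tampered, 7);
} catch (RuntimeException $e) {
    echo 'tampered: ', $e->getMessage(), PHP_EOL;
}

// 3. A perfectly valid ciphertext copied from a form rendered for user 8
//    decrypts fine but is rejected because it is bound to a different user.
$copied = hiddenQuestionId($encrypter, 123, 8);
try {
    readQuestionId($encrypter, $copied, 7);
} catch (RuntimeException $e) {
    echo 'copied: ', $e->getMessage(), PHP_EOL;
}
```

Inside a Laravel application the same thing is written with Crypt::encrypt() in the Blade template and Crypt::decrypt() plus a catch of DecryptException in the controller; the user binding then uses Auth::id(). Even with the binding, the returned question id is still client-supplied input and must be authorized against the database before an answer is attached to it.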
Answered by Limon Monte
To protect the route you should check permissions in PostController@update.
At the beginning of the method, check whether the user can edit the given post:
public function update($postId)
{
$post = Post::findOrFail($postId);
if ($post->user_id !== Auth::id()) {
abort(403, 'Unauthorized action.');
}
// validate, update record, etc.
}
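The same ownership check written the way Laravel itself structures authorization, as an added example that is not code from Limon Monte's answer. It assumes Laravel 5.5 or later (policies and $request->validate()), an App\Post model with a user_id column and title/body in $fillable, and an App\User model; the PostPolicy class, the $policies entry, the validation rules and the route name posts.show are mine. $this->authorize() throws an AuthorizationException that Laravel renders as HTTP 403, so the hand-written abort() disappears, and the second controller method shows the variant that folds the owner into the query so that a foreign id produces a 404 and does not reveal whether the post exists.

```php
<?php
// Added example; not code from the original answer. Assumes Laravel 5.5+ (policies,
// $request->validate()), an App\Post model with a user_id column and title/body in
// $fillable, and an App\User model. All class, route and field names here are
// hypothetical. Shown as one file with bracketed namespaces for brevity; in a real
// app each block lives in its own file under app/.

namespace App\Policies {
    use App\Post;
    use App\User;

    class PostPolicy
    {
        // Only the author may update the post. Cast both sides: depending on the PDO
        // driver settings an integer column can come back as a string.
        public function update(User $user, Post $post): bool
        {
            return (int) $user->id === (int) $post->user_id;
        }
    }
}

namespace App\Providers {
    use App\Post;
    use App\Policies\PostPolicy;
    use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

    class AuthServiceProvider extends ServiceProvider
    {
        // Maps the model to its policy so $this->authorize('update', $post) finds it.
        protected $policies = [
            Post::class => PostPolicy::class,
        ];

        public function boot()
        {
            $this->registerPolicies();
        }
    }
}

namespace App\Http\Controllers {
    use App\Post;
    use Illuminate\Http\Request;

    class PostController extends Controller
    {
        // Route: POST /posts/edit/{id}. The id from the URL is only used to load a
        // row; the decision comes from the policy, never from anything the client sent.
        public function update(Request $request, $id)
        {
            $post = Post::findOrFail($id);

            // Throws AuthorizationException (rendered as HTTP 403) when the policy
            // returns false, so the manual abort(403) from the answer is not needed.
            $this->authorize('update', $post);

            $data = $request->validate([
                'title' => 'required|string|max:255',
                'body'  => 'required|string',
            ]);

            $post->update($data);

            return redirect()->route('posts.show', $post);
        }

        // Alternative: fold the ownership check into the query. A foreign id then
        // yields a 404 and never confirms that the post exists at all.
        public function updateQuiet(Request $request, $id)
        {
            $post = Post::where('id', $id)
                ->where('user_id', $request->user()->id)
                ->firstOrFail();

            $post->update($request->validate([
                'title' => 'required|string|max:255',
                'body'  => 'required|string',
            ]));

            return redirect()->route('posts.show', $post);
        }
    }
}
```

Whichever variant is used, the rule is the one the answer states: the server decides from its own records whether the authenticated user may touch the row identified by the URL, so editing the id in the inspector can at most change which row is looked up, never who is allowed to change it.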