PHP - 隐藏 url (GET) 参数
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/24459984/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
PHP - hide url (GET) parameters
提问by Emir Memic
I have a link in my PHP/HTML like this:
我的 PHP/HTML 中有一个这样的链接:
<a href="http://search.mywebsite.com/login.aspx?checktype=uid&user=adam&password=pass1234&profile=dart&defaultdb=kts"> Log me into this website </a>
When users click on the link, the parameters are handled by a 3rd party website which log the users in seamlessly.
当用户点击链接时,参数由第三方网站处理,用户无缝登录。
Is it possible to hide/mask/camouflage the url so that users don't see the parameters while still passing them over to the designated site?
是否可以隐藏/屏蔽/伪装网址,以便用户在将参数传递到指定站点的同时看不到参数?
If no, how would you guys go about this? I'm mainly worried about the user and password params and need those hidden. (user=adam&password=pass1234)
如果没有,你们会怎么做?我主要担心用户和密码参数并需要隐藏这些参数。(用户=亚当&密码=pass1234)
The only way i know how to hide params is when using a form post method but in this case it is not an option because im working with a direct link.
我知道如何隐藏参数的唯一方法是使用表单发布方法,但在这种情况下,它不是一个选项,因为我使用的是直接链接。
EDIT:To those who keep suggesting using a POST method, this is not an option because I'm not using a form and the receiving website is out of my control. I'm logging in from one site to another (3rd party) website
编辑:对于那些一直建议使用 POST 方法的人,这不是一个选项,因为我没有使用表单并且接收网站不在我的控制范围内。我正在从一个站点登录到另一个(第 3 方)网站
回答by cOle2
Your only option is to use a form and POST if the page your are logging into is controlled by a 3rd party:
如果您登录的页面由第 3 方控制,您唯一的选择是使用表单和 POST:
<form action="http://search.mywebsite.com/login.aspx" method="post">
<input type="hidden" name="checktype" value="uid" />
<input type="hidden" name="user" value="adam" />
<input type="hidden" name="password" value="pass1234" />
<input type="hidden" name="profile" value="dart" />
<input type="hidden" name="defaultdb" value="kts" />
<input type="submit" value="Log me into this website" />
</form>
EDIT: If it must be a link and javascript can be required then you can use javascript to create and submit a form on the fly:
编辑:如果它必须是一个链接并且可能需要 javascript,那么您可以使用 javascript即时创建和提交表单:
<a href="#" onclick="postLogin()">Log me into this website</a>
<script type="text/javascript">
function postLogin() {
var form = document.createElement("form");
form.setAttribute("method", "post");
form.setAttribute("action", "http://search.mywebsite.com/login.aspx");
var params = {checktype: 'uid', user: 'adam', password: 'pass1234', profile: 'dart', defaultdb: 'kts'};
for(var key in params) {
if(params.hasOwnProperty(key)) {
var hiddenField = document.createElement("input");
hiddenField.setAttribute("type", "hidden");
hiddenField.setAttribute("name", key);
hiddenField.setAttribute("value", params[key]);
form.appendChild(hiddenField);
}
}
document.body.appendChild(form);
form.submit();
}
</script>
回答by Sates
Don't use $_GET to pass any personal, confidential or crucial data. Use $_POST instead.
不要使用 $_GET 传递任何个人、机密或关键数据。改用 $_POST 。
I don't know what stops you from using $_POST but if you insist on using it anyway, try md5() to code these data and validate them when necessary. You can always use $_SESSION to pass $_POST login data for further use.
我不知道是什么阻止了您使用 $_POST 但如果您仍然坚持使用它,请尝试 md5() 对这些数据进行编码并在必要时对其进行验证。您始终可以使用 $_SESSION 传递 $_POST 登录数据以供进一步使用。
回答by Justjyde
Agree on and encryption/hash approach (MD5 for example). Then have a reprocessing page that decrypts the message before calling the required script. I'm doing this in php... Just to show you the idea.
同意加密/散列方法(例如 MD5)。然后有一个重新处理页面,在调用所需的脚本之前解密消息。我在 php 中这样做...只是为了向您展示这个想法。
eg. www.mydomain.com/preporcessor.php?request=qouiapfiwe0i9qrr9qyy83r34rqejl
例如。www.mydomain.com/preporcessor.php?request=qouiapfiwe0i9qrr9qyy83r34rqejl
preprocessor.php (pseudo code)
preprocessor.php(伪代码)
$request = $_REQUEST["request"];
$decrypted = mydecryptfunction($request);
//$decrypted will now contain: targetpage=login.php?username=abc&password=34453js&location=ABJ...
//Now you can route the parameters to login.php.
Note that mydecryptfunction($request) is a function you will create.
请注意 mydecryptfunction($request) 是您将创建的函数。
回答by markoj
You can use iframe with URL of the page and style it to fill parent and remove border.
您可以将 iframe 与页面的 URL 一起使用,并为其设置样式以填充父级并删除边框。
<!DOCTYPE html>
<html>
<body>
<iframe id="win" src="bookmarks_3_22_20.html" frameborder="0">
</iframe>
<script>
this.onload=function(){
document.getElementById("win").style="width:"+window.innerWidth+"px;height:"+window.innerHeight+"px;";
}
</script>
</body>
</html>
回答by gustavormello
You can't do this using the GET method. It would be helpful if you gave us more information. Are you trying to get a user from your site to log into another website? In that case, they might have an API for that which you could check.
您不能使用 GET 方法执行此操作。如果您向我们提供更多信息,将会有所帮助。您是否试图让用户从您的网站登录到另一个网站?在这种情况下,他们可能有一个 API 供您检查。
回答by Shubanker
You can generate tokens for this functions: in your database generate an random string: This is an function which returns an random string
您可以为此函数生成令牌:在您的数据库中生成一个随机字符串:这是一个返回随机字符串的函数
function gt_rnd_str($min=2,$max=9){
$str="";
while (strlen($str)<$max)
$str.=rtrim(base64_encode(md5(microtime())),"=");
return substr($str, 0, rand($min, $max));
}
now save an token with username/id and using this you can easily generate more tokens for same user as well as cancel any token easily..
现在保存一个带有用户名/id 的令牌,使用它你可以轻松地为同一用户生成更多的令牌以及轻松取消任何令牌..
回答by Polynomial
A login should be done via POST, not GET. Furthermore, sensitive details should be sent via HTTPS.
登录应该通过 POST 完成,而不是 GET。此外,敏感详细信息应通过 HTTPS 发送。
The process of creating secure login functionality could have an entire book written about it, so I suggest you start out by reading the definitive guide to web-based forms authentication.
创建安全登录功能的过程可能需要写一整本书,因此我建议您从阅读基于 Web 的表单身份验证的权威指南开始。
If you have further specific questions about security, I suggest you try over at Security.SE.
如果您对安全性有进一步的具体问题,我建议您在Security.SE 上尝试。
