Question
How do I protect the URL from a user changing one of the param/value pairs?
Thanks.
Answer 1:
You can add an HMAC hash of the querystring using a secure random key stored only on the server, then verify the hash on every request.
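The approach described in Answer 1, sketched as an added example that is not part of the original answer. The names `SERVER_KEY`, `SIG_PARAM`, `sign_query` and `verify_query` are hypothetical, and the key is generated per process here only so the snippet runs on its own.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode

# Assumption: a real deployment loads this key from server-side secret storage
# so that it survives restarts and is shared by all application servers.
SERVER_KEY = secrets.token_bytes(32)
SIG_PARAM = "sig"  # hypothetical name of the parameter that carries the tag


def _tag(pairs, key):
    # Sort the pairs so the tag does not depend on parameter order;
    # percent-encoding keeps '&' and '=' inside names and values unambiguous.
    canonical = urlencode(sorted(pairs)).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def sign_query(params, key=SERVER_KEY):
    """Build a query string from a dict and append an HMAC-SHA256 tag."""
    pairs = [(str(k), str(v)) for k, v in params.items()]
    if any(name == SIG_PARAM for name, _ in pairs):
        raise ValueError("parameter name is reserved for the tag")
    return urlencode(pairs + [(SIG_PARAM, _tag(pairs, key))])


def verify_query(query, key=SERVER_KEY):
    """Return the (name, value) pairs if the tag is valid, otherwise None."""
    pairs = parse_qsl(query, keep_blank_values=True)
    tags = [value for name, value in pairs if name == SIG_PARAM]
    if len(tags) != 1:  # a missing or duplicated tag is rejected outright
        return None
    data = [(name, value) for name, value in pairs if name != SIG_PARAM]
    expected = _tag(data, key).encode("ascii")
    # Constant-time comparison, so response timing does not leak the tag.
    if not hmac.compare_digest(expected, tags[0].encode("utf-8")):
        return None
    return data


if __name__ == "__main__":
    signed = sign_query({"order": "1001", "view": "summary"})  # constructed sample
    print(signed)
    print(verify_query(signed))
    print(verify_query(signed.replace("order=1001", "order=1002")))
```

A valid tag only shows that the server issued exactly these values. It does not show that the current user may use them, so the per-parameter validation described in Answer 2 still applies.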
Answer 2:
You can't.
You need to validate them. You should make sure your page accepts only valid input for each of the parameters. "Valid" may mean many things, like "Does the user have access to view this" and so on.
Answer 3:
You could encrypt them or hash them and persist the real value cross request.
Answer 4:
You can't. It's by definition an external interface. If your system's security depends on this, you should re-think how it's done.
Answer 5:
Protect it and prevent from changing are two different things. You can't prevent them from changing it, but you can protect/verify.
Source: https://stackoverflow.com/questions/3910566/how-to-stop-user-from-changing-querystring