问题
I am developing a simple web apps that allowed user to key in information using a form when I discovered I could edit that form's input default value using Chrome -> Check Element and submit the page with a different hacked value.
Code:
<input id="radioOk_100237" name="radio_100237" type="radio" checked="" value="0">
As normal, I load the page then using Google Chrome Check Element, I targeted this checkbox and changed the value to "9" before submitting it, in my background page, it reads "9" instead of pre-set value of "0" from this input element.
If every user changed the value and submit, it will completely thrashed my DB. How is this possible and am I supposed to encrypt the page or do something prior to submitting? I am totally lost, btw I am using PHP.
回答1:
For typical users, you can just add the attribute readonly to the form field(s).
For more advanced users/hackers that try to manipulate your server, you need to validate every piece of data that is submitted to ensure that tampering is caught and rejected. There is no client-side technique for this that is tamper-proof.
回答2:
You need to be doing server-side validation, to make sure the values you get from your client app make sense. If you know that a value of "9" will "thrash your DB", don't accept values of 9 from the client.
Obligatory XKCD link: http://xkcd.com/327/
回答3:
You can't prevent users from modifying, adding or removing elements in the DOM. If you want that kind of control you should store the values of the elements you are outputting in an object and then compare what's coming in with the form post.
There are a million ways of doing this, if you want to ill post an example
回答4:
You could check for the correct kind of value in the server side. In fact you should check every data send from the client side to prevent an attack
来源:https://stackoverflow.com/questions/6168422/html-how-to-prevent-user-from-editing-forms-value