I read some post how to encrypt data over post HTML with PHP. But I can't really figure out how it must be done.
我读了一些帖子,介绍了如何使用PHP在后HTML上加密数据。但我无法弄清楚它是如何完成的。
I explain my easy example.
我解释一下我的简单例子。
I have a dashboard where users can see their installations. Think about lots of installations and each one belongs to different users. Some has one installation some has five installation.
我有一个仪表板,用户可以看到他们的安装。想想很多安装,每个安装都属于不同的用户。有些有一个安装,有些有五个安装。
The fact is that i develop a button to download Excel info from their installation.
事实上,我开发了一个按钮,可以从他们的安装中下载Excel信息。
I've done a contactosDownload.php that $_GET['idInstalacion'] so on the main dashboard the button looks like:
我已经完成了一个$ _GET ['idInstalacion']的contactosDownload.php,所以在主仪表板上按钮看起来像:
<a href="contactosDownload.php?idInstalacion=
<? echo $idInstalacionPOST ?>"
class="btnDownload btn-success btn btn-info pull-left">
<i class="fa fa-download"></i> Descargar
</a>
It is working perfectly and when the button is pressed the contactosDowload gets idInstalacion and does a mysql select and then an Excel with the information of the instalation is downladed. PHPExcel does the job perfectly.
它工作正常,当按下按钮时,contactosDowload获取idInstalacion并执行mysql选择,然后使用安装信息下载Excel。 PHPExcel完美地完成了这项工作。
Even because this users that has three installations can select one of this installations and info is updated with Ajax I have a jquery update:
即使因为有三个安装的用户可以选择其中一个安装,并且使用Ajax更新信息,我有一个jquery更新:
$('#InstaSelect').change(function(e) {
e.preventDefault();
.....
$('.btnDownload').attr("href", "contactosDownload.php?idInstalacion="+idInstalacion);
....
});
That is working as well.
这也很有效。
Like all of you are thinking send the id is not really clever idea. Even because if someone get the link can start to retrieve data with:
就像你们所有人都在想的那样发送id不是很聪明的主意。即使因为如果有人获得链接可以开始检索数据:
http://www.aaaaa.com/contactosDownload.php?idInstalacion=1
http://www.aaaaa.com/contactosDownload.php?idInstalacion=2
and so one.
等等。
What is the best choice to uncrypt and decrypt the information and make secure the post info ?
解密和解密信息并确保帖子信息安全的最佳选择是什么?
Thanks
EDIT:
I forgot to tell that the users are authorized whith their user and password. And I store with var session all the user when they loggin.
我忘了告诉用户是用他们的用户和密码授权的。并且我在登录时将所有用户与var会话一起存储。
$user_browser = $_SERVER['HTTP_USER_AGENT']; // Get the user-agent string of the user.
$dbid = preg_replace("/[^0-9]+/", "", $dbid); // XSS protection as we might print this value
$_SESSION['user_id'] = $dbid;
$_SESSION['login_string'] = hash('sha512', $tContra.$user_browser);
$_SESSION['ultimoAcceso'] = date("Y-n-j H:i:s");
$_SESSION['tTipoUsuLogged'] = $tTipo;
$_SESSION['tRolUsuLogged'] = $tRolUsuario;
$_SESSION['tEmail'] = $tUseNam;
and each php has (include 'validateSesion.php') that validates the user and tiemout.
每个php都有(包括'validateSesion.php')来验证用户和tiemout。
So now I introduce this validation on the contactosDownload and if the user is not identified /index.php (login) appears.
所以现在我在contactosDownload上引入这个验证,如果没有标识用户,则会出现/index.php(登录)。
First level got.
第一级得到了。
Now i have to encode the id on the post and check that the user form the SESSION has privileges to download the installation.
现在我必须对帖子上的id进行编码,并检查SESSION的用户是否有权下载安装。
What about to encryp'/decrypt id with:
如何使用以下方法加密'/ decrypt id:
function encryptor($action, $string) {
$output = false;
$encrypt_method = "AES-256-CBC";
//pls set your unique hashing key
$secret_key = 'long logn text secret';
$secret_iv = '1a2b3c4d5e';
// hash
$key = hash('sha256', $secret_key);
// iv - encrypt method AES-256-CBC expects 16 bytes - else you will get a warning
$iv = substr(hash('sha256', $secret_iv), 0, 16);
//do the encyption given text/string/number
if( $action == 'encrypt' ) {
$output = openssl_encrypt($string, $encrypt_method, $key, 0, $iv);
$output = base64_encode($output);
}
else if( $action == 'decrypt' ){
//decrypt the given text/string/number
$output = openssl_decrypt(base64_decode($string), $encrypt_method, $key, 0, $iv);
}
return $output;
}
1 个解决方案
#1
1
First thing is to make sure your URL is encoded, so that it's not so easily readable.
首先要确保您的URL已编码,以便它不易读取。
Second suggestion i'd make is to use a honeypot.
我要做的第二个建议是使用蜜罐。
Lastly, if the data is particularly sensitive (like financial data), then i'd recommend moving away from the ID entirely, and use a hash that you can map to an ID behind the scenes.
最后,如果数据特别敏感(如财务数据),那么我建议完全远离ID,并使用可以在后台映射到ID的哈希。
#1
1
First thing is to make sure your URL is encoded, so that it's not so easily readable.
首先要确保您的URL已编码,以便它不易读取。
Second suggestion i'd make is to use a honeypot.
我要做的第二个建议是使用蜜罐。
Lastly, if the data is particularly sensitive (like financial data), then i'd recommend moving away from the ID entirely, and use a hash that you can map to an ID behind the scenes.
最后,如果数据特别敏感(如财务数据),那么我建议完全远离ID,并使用可以在后台映射到ID的哈希。