I'm not very familiar with forms and have the following questions:
1. For example, when verifying the username and password at login, are both submitted to the server in the same way, by POST?
2. Does the GET method expose the parameters at the end of the URL (in practice, are the key/value pairs encrypted and then decrypted and verified on the back end)?
3. What is the conventional way of handling forms nowadays?
4. When validating a password, for example checking that it must not contain three identical consecutive digits, is this password kept locally, or is it validated on the server side?
大家讲道理 2017-04-18 10:58:47
Aren't the login username and password usually posted to the server together?
The GET method exposes the parameters at the end of the link, and the browser itself does not do any encryption. If you want encryption, you have to handle it yourself.
For some form values, there should be a prompt before submission as to whether they are valid, non-empty, and so on, to improve the user experience.
Both need to be done. The front end is for user experience (the user learns about the problem before a request is made), and the back end is for security.
For enterprise-level services, use HTTPS instead of plain text.
ringa_lee 2017-04-18 10:58:47
Assume that the username must be more than 3 characters, the password must be 6~32 characters, and the verification code must be 4 characters:
1. When the user clicks "log in", check that the username length is greater than 3, the password length is 6~32, and the verification code length is 4; if not, alert and do not proceed.
2. Assemble the parameters and POST them to the server: name, pwd, code.
3. The server receives the parameters.
4. Check whether the code length equals 4; if not, return "verification code length is abnormal".
5. Get the code from the session and check whether it matches the code parameter; if it does not, return an error.
6. Check the username length and password length; if incorrect, return an error.
7. Encrypt pwd if needed.
8. Select name=name, pwd=pwd from the database; if a row exists, return the user, otherwise return 0.
PHP中文网 2017-04-18 10:58:47
GET displays the data directly in the URL.
POST is "hidden": the data cannot be seen in the URL, but it can be seen using the browser developer tools.
Whichever of the above you use, "hackers" can capture packets and get the plaintext data while it is in transit; they can even tamper with or hijack the content and then pass it on to the server, or directly impersonate the server and return false information to you.
If you use HTTPS, the data is encrypted in transit, which is relatively safe.
As for parameter verification, it must be done on both the front end and the back end, because the JS verification on the front end can easily be bypassed.