当我使用 PHP + Mysql 时,我发现使用与数据库列名称相同的 html 输入名称很方便。这大大简化了 CRUD 操作。
但是,有一个困境。一方面,这种一对一的对应关系简化了事情,但另一方面,攻击者可能会利用这种对应关系。
如果 html 输入名称与数据库列名称不同,那么我想我应该有某种名称映射,其中 html 输入名称被翻译为数据库列名称,但我认为这会降低可理解性代码。
我想知道在这种情况下人们通常会做什么。
最佳答案
您正在描述security through obscurity :
In security engineering, security through obscurity (or security by obscurity) is the reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system. A system or component relying on obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that if the flaws are not known, that will be sufficient to prevent a successful attack. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism.
如果您谨慎使用真正的安全措施(例如,通过 IP 地址限制对数据库的访问、使用加密连接和良好的密码、确保使用准备好的语句来防止 SQL 注入(inject)等),那么您应该这样做攻击者是否知道您数据库的布局并不重要。
If the html input names are different from the DB column names, then, I guess, I should be having some kind of name map, where the html input names are translated into the DB column names, but I think worsens the understandability of the code.
您担心代码的可读性是正确的。这比模糊数据库架构重要得多。
关于php - HTML 输入名称与数据库列名称的对应关系 : how to protect from possible attacks,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/39180555/