How to correctly protect a user profiles database table in ruby on rails?

I'm building a community website where users sign up and create profiles. Now when a user has signed up they can click a link to take them to the edit profile area of the website.

Here they can fill in their name, age, select, birthday and fill out things such as personal stats, about me etc.

I'm wondering what is the best way to protect my profiles table from malicious hackers? Most similar websites don't seem to have any kind of validation when it comes to their edit profile section of the website. So a user can fill in nothing and still submit a form with no issue.

I'd like to know what the best way is to allow this kind of functionality while at the same time protecting my database?

Should I just be setting maximum length validation rules amongst other things? I'm not quite sure how to deal with this.

I have narrowed it down to some select menus, text area boxes and a lot of text fields, which is where the user data will be entered.

How would you deal with this and/or what is the most appropriate way to deal with this?


Best answer

The most common threats to look out for are attempts to elevate privilege through this class. For instance if you have a user table with an admin attribute used to determine if a user is an admin, even if this attribute cannot be set in the form you describe a user can craft a post to the action of the form on the page with &admin=true or &admin=1 depending on the corresponding column data type.

The protection against this is to explicitly declare in your model which attributes can be set through mass assignment.


attr_accessor :x, :y, :admin   # all three attributes exist on the model
attr_accessible :x, :y         # but only x and y may be set from request params; admin is protected

This will prevent the admin attribute from being updated through the <code>update</code> calls typically used in update actions.

Another thing to watch for is automated signups. There are a few things you can do about this. The most common is to implement a captcha. Without one, someone can write a script that creates 1 000 000 000 users in your table, and it becomes very hard to determine which ones are real and which are fake. You can also consider logging signup attempts by IP and limiting the number of requests over a period of hours.

As for protecting your edit page, the most common way to protect this information is to use a before filter that makes sure the user has some session information before they are allowed to be served the page.

class UsersController < ApplicationController

  before_filter :protect, :only => [:edit]

  private

  def protect
    unless current_user
      redirect_to login_path
    end
  end

end

Just some examples. I'm sure there are many more ways to protect yourself but this will at least give you an idea of the places that need attention to prevent the most basic attempts at wrecking your day. The problem with this topic is that the techniques used to break/hijack your site are ever-evolving. Some people think they are covered and get hit anyway. Backup your data frequently via script, write other scripts that check the integrity of your database. If you see a sudden leap in user instances of the table you'll know something is up, review the logs and restore your data.

If your site is popular, it will get attacked, period.

On the subject of captchas, I've heard that the ones displayed on screen can be defeated with scripts, so be careful, because there seem to be gifted people out there who can dance around your security like the Macarena.

Be as proactive as you can and think your proactive measures through carefully.
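An added example, not code from the answer above, that simulates the attr_accessible whitelist without Rails so it runs stand-alone; the MassAssignment module, the UnsafeUser and SafeUser classes and the CRAFTED_PARAMS hash are all constructed for illustration:

```ruby
# Added example, not from the original answer: a Rails-free simulation of the
# attr_accessible whitelist described above. UnsafeUser assigns every key from
# the request params (what the answer warns about); SafeUser assigns only
# whitelisted attributes, so a crafted admin=1 parameter is dropped.
module MassAssignment
  def self.included(base)
    base.extend(ClassMethods)
  end
  module ClassMethods
    def attr_accessible(*names)  # declare which attributes params may set
      @accessible = names.map(&:to_s)
    end
    def accessible_attributes
      @accessible # nil means no whitelist declared: everything is assignable
    end
  end
  # Mirrors an update call fed with params: invokes the setter for each key.
  # Keys outside the whitelist are dropped and returned so they can be logged.
  def assign_attributes(params)
    allowed = self.class.accessible_attributes
    rejected = []
    params.each do |key, value|
      key = key.to_s
      if allowed.nil? || allowed.include?(key)
        public_send("#{key}=", value)
      else
        rejected << key
      end
    end
    rejected
  end
end
class UnsafeUser # no whitelist: every param reaches a setter
  include MassAssignment
  attr_accessor :name, :about_me, :admin
end
class SafeUser # admin is deliberately left out of the whitelist
  include MassAssignment
  attr_accessor :name, :about_me, :admin
  attr_accessible :name, :about_me
end
# Constructed request params: a profile edit POST with &admin=1 appended.
CRAFTED_PARAMS = { "name" => "alice", "about_me" => "hi", "admin" => "1" }.freeze
# Returns [admin value after the update, names of the dropped parameters].
def apply_crafted_update(klass)
  user = klass.new
  user.admin = false
  rejected = user.assign_attributes(CRAFTED_PARAMS)
  [user.admin, rejected]
end
```

Rails 4 and later replaced attr_accessible with strong parameters (params.require(...).permit(...) in the controller), but the principle is the same: an explicit whitelist, with privileged columns such as admin never on it.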

Answers

It is hard to list everything you need to do here to protect your site from some kind of malicious user.

You should probably read the Rails Security Guide:

http://guides.rubyonrails.org/security.html




