
In JSF, What is the best way to prevent Form tampering?

We are using JSF 1.x with server-side state saving turned on. We have an issue where a malicious user, implemented as a web-bot, can submit a page w/o submitting all fields that are expected to be in the form. This results in some validators not being called that should be called, etc.

We would like to prevent users from being able to add/remove fields from a form and submitting the form (if they want to submit a form all expected fields must be there). In the past I have done this using an MD5 hash of the field ids on the page plus an unknown phrase saved as a hidden field on the page and a session filter that generates an expected hash given the field ids that were submitted and compares it against the value in the hidden field.

Is there anything I can do out of the box with JSF to prevent the user from manipulating a form? Or with a third-party library?


Source: https://stackoverflow.com/questions/2178237
Updated: 2023-08-09 11:08
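The hidden-field integrity check the question describes, as an added example that is not code from the question, from JSF, or from any library: the server signs the set of field ids it rendered, stores the signature in a hidden field, and a filter recomputes the signature from the names of the submitted parameters and compares the two. It swaps HMAC-SHA256 keyed with a random per-session secret for the MD5-plus-secret-phrase construction in the question, and compares with MessageDigest.isEqual so the comparison is constant-time. The class name FormIntegrity, the hidden field name formSig and the field ids such as form:email are assumed names constructed for this example; it targets Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.List;
import java.util.TreeSet;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example: signs the set of field names a form renders and re-checks it on submit. */
public final class FormIntegrity {

    /** Hypothetical name of the hidden field that carries the signature. */
    public static final String TOKEN_FIELD = "formSig";

    private static final String MAC_ALG = "HmacSHA256";

    private FormIntegrity() {}

    /** Fresh random secret for one HTTP session; keep it server-side, never in the page. */
    public static byte[] newSessionSecret() {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        return secret;
    }

    /**
     * Canonical encoding of a set of names: sorted, de-duplicated, token field excluded,
     * each name length-prefixed so one crafted name cannot encode the same bytes as two real ones.
     */
    static String canonical(Collection<String> names) {
        TreeSet<String> sorted = new TreeSet<>();
        for (String n : names) {
            if (n != null && !TOKEN_FIELD.equals(n)) {
                sorted.add(n);
            }
        }
        StringBuilder sb = new StringBuilder();
        for (String n : sorted) {
            sb.append(n.length()).append(':').append(n).append('\n');
        }
        return sb.toString();
    }

    /** HMAC tag over the canonical name list; render this into the hidden TOKEN_FIELD. */
    public static String sign(byte[] sessionSecret, Collection<String> renderedFieldNames) {
        try {
            Mac mac = Mac.getInstance(MAC_ALG);
            mac.init(new SecretKeySpec(sessionSecret, MAC_ALG));
            byte[] tag = mac.doFinal(canonical(renderedFieldNames).getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HMAC unavailable", e);
        }
    }

    /** Recomputes the tag over the submitted parameter names and compares it in constant time. */
    public static boolean verify(byte[] sessionSecret, Collection<String> submittedParamNames,
                                 String submittedToken) {
        if (submittedToken == null) {
            return false;
        }
        byte[] expected = sign(sessionSecret, submittedParamNames).getBytes(StandardCharsets.UTF_8);
        byte[] actual = submittedToken.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    /** Stand-alone demonstration on constructed field ids. */
    public static void main(String[] args) {
        byte[] secret = newSessionSecret();
        List<String> rendered = Arrays.asList("form:email", "form:age", "form:terms");
        String token = sign(secret, rendered);

        // Honest browser submission: every rendered field plus the token itself.
        List<String> honest = Arrays.asList("form:email", "form:age", "form:terms", TOKEN_FIELD);
        System.out.println("honest   -> " + verify(secret, honest, token));

        // Bot dropped form:age, so its validator would never run; the filter should reject this.
        List<String> dropped = Arrays.asList("form:email", "form:terms", TOKEN_FIELD);
        System.out.println("dropped  -> " + verify(secret, dropped, token));

        // Bot injected a field the page never rendered; the filter should reject this too.
        List<String> injected = Arrays.asList("form:email", "form:age", "form:terms",
                                              "form:isAdmin", TOKEN_FIELD);
        System.out.println("injected -> " + verify(secret, injected, token));
    }
}
```

In a servlet Filter the check is `verify(secret, request.getParameterMap().keySet(), request.getParameter(FormIntegrity.TOKEN_FIELD))`, with the secret read from the HttpSession. Two caveats: browsers omit unchecked checkboxes and radio groups with no selection from the request body, so either leave such controls out of the signed list or compare the submitted names against the rendered list instead of demanding equality; and a matching signature only establishes that the parameter set is the one that was rendered, not that the values are valid, so the JSF validators still have to run on every field.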

Accepted answer

It is triggered for each request by the framework.
