Updated: 2023-02-02 22:11:38
You should not do a login on an Angular page, since everything data-related is handled by JavaScript, which can easily be stopped, debugged and analyzed.
A better approach would be:

header
on to the actual Angular app page. The PHP session
is in your REST
calls via the Angular http
service to your database-related PHP scripts. Every REST API read/write access
should check whether this user is really allowed to do this DB operation in the PHP script. header
back to the login page or some "Got you!" page.

This way the attacker may be able to see the JS code of the Angular app (if he somehow gets hold of the actual address), but it's completely useless to him, because he can never see the actual data as long as he hasn't started a valid PHP session. And the data is what you want to protect, not the script of the app.
In a nutshell: Mix standard PHP validation AND Angular. Allow haxors to get to your page, but never, ever show them any of your underlying data. As soon as someone tries to mess with your data, kick him out.
This is nearly the same answer I gave here.
Search for the marked keywords in both PHP and Angular sites to grasp the idea behind this.
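The pattern the answer describes, as an added example that is not the answerer's own code: a single PHP REST endpoint (called by the Angular http service) that refuses to touch the database unless a valid PHP session exists, checks per-operation permission, and drops the session when someone tries to do something they are not allowed to. The file name, table and column names, role name and DSN credentials are assumptions for illustration.

```php
<?php
// data.php: one REST endpoint behind the Angular app (added example, not the
// original answer's code; names, roles and the DSN are assumed placeholders).

session_start();

// 1. Session check: no valid PHP session means no data, no matter how the
//    caller reached the Angular app or found this URL.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'not logged in']);
    exit;
}

// 2. Per-operation authorization: reads are allowed for any logged-in user,
//    writes only for the 'editor' role that login.php stored in the session.
$method  = $_SERVER['REQUEST_METHOD'];
$isWrite = in_array($method, ['POST', 'PUT', 'DELETE'], true);
if ($isWrite && ($_SESSION['role'] ?? '') !== 'editor') {
    // "Kick him out": destroy the session and point the client back to login.
    session_unset();
    session_destroy();
    http_response_code(403);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'forbidden', 'redirect' => '/login.php']);
    exit;
}

// 3. Only now touch the database, and only with prepared statements scoped
//    to the logged-in user (DSN and credentials are placeholders).
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
header('Content-Type: application/json');
if ($method === 'GET') {
    $stmt = $pdo->prepare('SELECT id, title FROM notes WHERE owner_id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
} else {
    $body = json_decode(file_get_contents('php://input'), true) ?: [];
    $stmt = $pdo->prepare('INSERT INTO notes (owner_id, title) VALUES (?, ?)');
    $stmt->execute([$_SESSION['user_id'], (string) ($body['title'] ?? '')]);
    echo json_encode(['id' => $pdo->lastInsertId()]);
}
```

The Angular side only ever sees JSON or a 401/403; the login form itself stays a plain PHP page that sets `$_SESSION['user_id']` and `$_SESSION['role']` before redirecting with `header()` to the app.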