douti19680318 2013-07-23 03:44 采纳率: 0%
浏览 11
已采纳

检查php中的URL篡改

So I'm using cookies to identify a user and prevent someone who isn't logged in access. This is the check code for the page 

        if (!isset($_COOKIE['username']) && !isset($_COOKIE['password']))
        { 
        header("location:clientlogin.php");
        }

However, this is only half of the check. Here is my problem. My url is formated like this

site.com/?Client=$Client&Product=$Product

Now before I do anything, I wanna make sure that the cookie username matches the info in the link. I have to grab info from the DB first I think, because $Client is last name while username is E-mail column. I've tried comparison of cookies, I just fail at it.

Second, I want to prevent url tampering, as current setup allows anyone to change $Client and $Product and get information that doesn't belong to them. However, whenever I insert a check like this:

    if($Client != $LastName)
    {
    header("location:clientlogin.php");
    }

Where I already have $Client (page starts with GET) it creates a redirect loop and I can't login. Each time I log in and get redirected to that page, I get back to clienlogin.php I'm guessing if I can compare the cookie username (it lasts a year by the way) to the actual data, I might be able to solve both problems?

I hope I provided enough info, and would be cool if you went easy on me, this is a first project I'm learning on.

Thank you!

  • 写回答

2条回答 默认 最新

  • download1002 2013-07-23 04:32
    关注

    @DaveChen: there is not a single framework I have ever come across (in any scripting language), nor a single well-known website I have ever logged in to, that stores the user's password in an unencrypted cookie. This is by far the most dangerous thing you can do to your user. Even with SSL and httponly option set on the cookie (to mitigate against JavaScript XSS attacks), it's just a very, very bad idea.

    The closest "proper" method to accomplish what you're trying to do would be to encrypt the cookie contents. The best method, the one that almost every sane website uses, is to not store any session data client-side at all. The client's cookie contains nothing more than a randomly generated (difficult to brute-force) session id - all the data itself is stored on the server, whether in a database, session file, or caching server.

    You would be best advised to use php's built-in sessions. Start by reading the entire reference for php sessions. By default, php stores sessions in temporary files on the server - the client only gets a session id.

    To provide a partial answer to your question about securing a single user's data from other users' eyes, you would not put 'Client' in the query string (url) at all. Instead, you do a lookup in the database for the 'Product' from the url, and the 'Client' value that you retrieve from the session. So your url would become site.com/?Product=$Product and you use the 'Client' value from the session, and run a database query that checks for both values at the same time (to make sure the product belongs to the client who is logged in) - something like SELECT * FROM products where client_id = ? AND product_id = ?.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 c语言怎么用printf(“\b \b”)与getch()实现黑框里写入与删除?
  • ¥20 怎么用dlib库的算法识别小麦病虫害
  • ¥15 华为ensp模拟器中S5700交换机在配置过程中老是反复重启
  • ¥15 java写代码遇到问题,求帮助
  • ¥15 uniapp uview http 如何实现统一的请求异常信息提示?
  • ¥15 有了解d3和topogram.js库的吗?有偿请教
  • ¥100 任意维数的K均值聚类
  • ¥15 stamps做sbas-insar,时序沉降图怎么画
  • ¥15 买了个传感器,根据商家发的代码和步骤使用但是代码报错了不会改,有没有人可以看看
  • ¥15 关于#Java#的问题,如何解决?