dpg98445 2016-09-28 18:14
浏览 46
已采纳

检查表数据是否已在firebug中操作的最简单方法是什么?

I have a table, that obviously has ids for each row. When a user clicks on a table row he is taken to a different page where it shows the full data(The different page is really the same page which is unhid after the load event).

I am picking up the click event with jquery and then sending the id to jquery load and it loads in the data.

The problem is this. If the person using the page has firebug installed he can manipulate the id on the table and maybe access something he shouldn't be accessing.

So I have had to write a function that checks the id coming in can be accessed by that user.

function checkID($searchColumn,$userColumn,$tablename,$table_id,$user_id)
{
    Global $db;
    $query = "SELECT `{$userColumn}` FROM $tablename WHERE `{$searchColumn}`=?";
    //echo $query;
    $stmt = $db->prepare($query);
    $stmt->bind_param('i',$table_id);
    $stmt->execute();
    $stmt->bind_result($myuser_id);

    if($stmt->fetch())
    {
        if($myuser_id==$user_id):
            return true;
        else:
            return false;
        endif;
    }   
}

Basically the above function gives me a true or false depending on whether that id can be accessed by the user.

Is there a better way to check if data has been manipulated in firebug on server side?

Basically I want to make sure the id being sent to the server is the same id that is in the table, and not been manipulated by firebug. Even though my function works I keep thinking perhaps there is a simpler solution. What do the professionals do?

  • 写回答

1条回答 默认 最新

  • doucuyu2259 2016-09-28 21:03
    关注

    Data coming from the client always needs to be validated and sanitized on the server side.

    I.e. if $searchColumn, $userColumn, $tablename, $table_id and $user_id come in as request variables, you need to check each of them for validity. Especially $userColumn, $tablename and $searchColumn need to be checked carefully for SQL injections, because they are added before you call prepare().
    If you don't require the flexibility, you should enter the table and column names into the string.

    You may even keep the user ID on the server side (as session variable) and only set it once on login, so you can get rid of the check completely. The tables referencing the user data still need to have a column with the user ID, though.

    To ensure that a user can only access the data (s)he's supposed to see, you need to include the user ID in the query.

    Example:

    Imagine you have orders and order items in an 1 to m relation. You show the user the list of orders (s)he has made. When the user now chooses an order to display its items you can include the user ID in the query to ensure the user cannot access orders of other users.

    Then the SELECT statement may look like this:

    SELECT oi.name,
       oi.description
       oi.price
FROM order_item oi
INNER JOIN order o ON o.id = oi.order_id
WHERE o.id = ?
  AND o.userID = ?

    When the user then provides an ID of another user's order, there won't be any items returned.

    This could also be done in two steps by first making a query against the order table to check whether the order is assigned to the user and if so, making a query against the order items.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 真我手机蓝牙传输进度消息被关闭了,怎么打开?(关键词-消息通知)
  • ¥15 下图接收小电路,谁知道原理
  • ¥15 装 pytorch 的时候出了好多问题,遇到这种情况怎么处理?
  • ¥20 IOS游览器某宝手机网页版自动立即购买JavaScript脚本
  • ¥15 手机接入宽带网线,如何释放宽带全部速度
  • ¥30 关于#r语言#的问题:如何对R语言中mfgarch包中构建的garch-midas模型进行样本内长期波动率预测和样本外长期波动率预测
  • ¥15 ETLCloud 处理json多层级问题
  • ¥15 matlab中使用gurobi时报错
  • ¥15 这个主板怎么能扩出一两个sata口
  • ¥15 不是,这到底错哪儿了😭