weixin_33735077 2015-07-18 06:32 Acceptance rate: 0%
81 views

Ajax security vulnerability? - PHP

I built a system in PHP. I have a page named x.php, and in this page I create a variable named $accountid and get the account id from the session.

Now I have other variables in PHP on the same page that call functions in another page called functions.php and pass the accountid; the function returns info about the account (for example the name of the user).

Is this a security breach?

I mean, can the user call the function via Ajax with another accountid and then get info about another account?

Here is the code example:

<?php 
    // x.php: the account id is taken from the session, not from the request
    include "Includs/Config.php";

    if(!isset($_SESSION[get("session_name")])) { 
            header("Location: index.php");
            exit; // without exit the rest of the page still runs for anonymous callers
    }
    $accountid = getAccountid($_SESSION[get("session_name")]);
    $e = getECategorys($accountid); // defined in functions.php (not shown)
?>


// functions.php
function getE($accountId){
    // cast to int so the value cannot change the SQL; which id is passed is still the caller's decision
    $accountId = (int)$accountId;
    $query = mysql_query("SELECT * FROM `x` WHERE `accountid` = $accountId");   

    $rows = array();
    while($result = mysql_fetch_assoc($query)){
        $rows[] = $result; // the info about the account..
    }
    return $rows;
}

2 answers

  • 谁还没个明天 2015-07-18 07:04

    Yes, you are right. A user can get information by passing another accountId to that function. Solution: all you can do is check the session variable against the passed accountId. You can put in a condition: if the session variable (accountId) matches the accountId passed to that function, then only retrieve the data; otherwise give an error.

    The second solution is to achieve this with a class-based approach, setting a private member variable for accountId.

    Hope this helps.

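The two fixes the answer describes (compare the passed id with the session, or bind the id as a private member of a class), written out as a single Ajax endpoint. This is an added example, not code from the question or the answer: the file name account.php, the session key 'accountid', the class name AccountRepository and the database credentials are all assumptions, and the mysql_* calls from the question are replaced with PDO prepared statements so the id cannot alter the SQL.

```php
<?php
// account.php (assumed name): an Ajax endpoint that returns rows of table `x`
// for the logged-in account only. The account id is read from the server-side
// session; whatever the client sends as accountid is checked against it and
// otherwise ignored, so a request for another account cannot succeed.
declare(strict_types=1);

session_start();

// Class-based form suggested in the answer: the account id is a private member
// set once from the session, so no caller can pass an arbitrary id to getE().
final class AccountRepository
{
    private PDO $db;
    private int $accountId;

    public function __construct(PDO $db, int $accountId)
    {
        $this->db = $db;
        $this->accountId = $accountId;
    }

    /** Rows of table `x` that belong to the logged-in account, and no other. */
    public function getE(): array
    {
        // Prepared statement: the id is bound as a parameter, never interpolated.
        $stmt = $this->db->prepare('SELECT * FROM `x` WHERE `accountid` = :id');
        $stmt->execute([':id' => $this->accountId]);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

function jsonError(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $message]);
    exit; // stop here; otherwise the rest of the script keeps running
}

// Same check as the question's x.php, but for an Ajax caller a JSON 401 is
// more useful than a redirect. 'accountid' is an assumed session key.
if (!isset($_SESSION['accountid'])) {
    jsonError(401, 'not logged in');
}
$sessionAccountId = (int)$_SESSION['accountid'];

// First fix from the answer: if the client still sends an accountid parameter,
// it must match the session or the request is refused.
$requested = $_GET['accountid'] ?? $_POST['accountid'] ?? null;
if ($requested !== null && (int)$requested !== $sessionAccountId) {
    jsonError(403, 'forbidden');
}

// Connection details are placeholders, to be taken from the application's config.
$db = new PDO('mysql:host=localhost;dbname=APP_DB', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Second fix: the repository only ever knows the session's account id.
$repo = new AccountRepository($db, $sessionAccountId);

header('Content-Type: application/json');
echo json_encode($repo->getE());
```

The two fixes are complementary: the comparison rejects a tampered parameter explicitly (and gives the server something to log), while the private member removes the parameter from the data-access code altogether, so a later caller cannot reintroduce the problem by passing an id it got from the request.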
