weixin_33688840 2017-05-26 08:48 acceptance rate: 0%
Views: 8

AJAX: verifying the correct user

I'm using AJAX to delete posts from a forum.

The code does it so that the delete icon only shows if the session variable "user" equals the one in the database. This works perfectly so no need to include the code for that here i believe.

However, in theory, couldn't anyone just read the javascript code, go to the file where everything is processed and delete whatever they want?

My idea to fix this is to send over an additional variable with the username and check it once more on the processing page.

Ajax code:

    $('#deletePost').click(function() {
        var xhttp = new XMLHttpRequest();
        // Post id is injected server-side; cast to int so only a number can land in the script.
        var getId = <?php echo (int)$_GET['id']; ?>;

        xhttp.onreadystatechange = function() {
            if (this.readyState == 4 && this.status == 200) {
                var replace = confirm("Your post was successfully deleted. Click OK to return to the homepage.");
                if (replace == true) {
                    location.replace('index');
                } else {
                    location.reload();
                }
            }
        };
        // The id is the only thing sent; nothing identifies who is asking for the delete.
        xhttp.open('GET', 'deletepost.php?id=' + getId, true);
        xhttp.send();

        return false;
    });

To explain my concern more deeply: Anyone can see the file where the information is processed, so they could just go to

http://www.website.com/deletepost.php

Then just apply any id they want so the url becomes something like

http://www.website.com/deletepost.php?id=22

And because there is no validation on the second page this would work.

    <?php

    if (!isset($_GET['id'])) {
        echo 'e';
    } else {
        // Only the id is checked; nothing verifies that the requester owns the post.
        $id = intval($_GET['id']);
        $sql = 'DELETE FROM posts WHERE post_id=' . mysqli_real_escape_string($conn, $id);
        $result = mysqli_query($conn, $sql);

        if (!$result) {
            echo 'Failed to delete your post. Please try again or contact administration.';
        }
    }

    ?>

So if anyone has any idea on how to validate this it would be very much appreciated. If anything is unclear please comment and I'll fill in.
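The problem in the question is that the delete endpoint trusts the request itself. Hiding the icon only changes what the page shows; `deletepost.php` is reachable by anyone who can guess an id. The fix is to make the server decide, from its own session state, whether the caller owns the post, rather than trusting a username sent by the client (which is just as forgeable as the id). Below is an added example of a hardened `deletepost.php`, not the asker's code. It assumes `$conn` is an open mysqli connection set up by an included `db.php`, that `$_SESSION['user']` holds the logged-in username as the question describes, that the `posts` table has a column named `author` (assumed name) holding the owner's username, and that the page embeds a per-session CSRF token in the AJAX request.

```php
<?php
// Added example, not the original poster's code.
// Assumptions: db.php defines $conn (mysqli); $_SESSION['user'] is the logged-in
// username; posts.author (assumed column name) stores the owning username;
// $_SESSION['csrf'] was generated at login and echoed into the page's JavaScript.
session_start();
require 'db.php';

/**
 * Delete a post only if it belongs to $sessionUser.
 * Ownership is enforced inside the WHERE clause, so a user who supplies
 * someone else's post id simply deletes zero rows.
 */
function deleteOwnPost(mysqli $conn, string $sessionUser, int $postId): bool
{
    $stmt = $conn->prepare('DELETE FROM posts WHERE post_id = ? AND author = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('is', $postId, $sessionUser);
    $stmt->execute();
    $deleted = ($stmt->affected_rows === 1);
    $stmt->close();
    return $deleted;
}

// State-changing actions should not be triggered by a GET link that can be
// pasted into the address bar or embedded in an <img> tag.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}

// Identity comes from the server-side session, never from a request parameter.
if (empty($_SESSION['user'])) {
    http_response_code(401);
    exit('Not logged in');
}

// CSRF check: the token in the body must match the one stored in the session.
// hash_equals() avoids a timing side channel on the comparison.
if (!isset($_POST['csrf'], $_SESSION['csrf'])
    || !hash_equals($_SESSION['csrf'], $_POST['csrf'])) {
    http_response_code(403);
    exit('Bad request');
}

// Validate the id as an integer before it reaches the query.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Missing or invalid id');
}

if (deleteOwnPost($conn, $_SESSION['user'], $id)) {
    echo 'ok';
} else {
    // Same response whether the post does not exist or belongs to someone else,
    // so the endpoint does not reveal which ids are valid.
    http_response_code(403);
    echo 'Post not found or not yours';
}
```

On the client side this means the `xhttp.open('GET', 'deletepost.php?id=' + getId, true)` call becomes a `POST` to `deletepost.php` with `id=` and `csrf=` in the body and a `Content-Type: application/x-www-form-urlencoded` header; the username is deliberately not sent, because the server already knows it from the session and would have no reason to believe a copy supplied by the browser.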


0 answers
