dream12001 2015-05-11 19:23
浏览 98

如何阻止更改URL并查看其他用户文件夹的功能

I have a directory of folders and I want to prevent the user named "x" whos files are availiable like this:reports/x/2015/04/ from changing the x to y and seeing all of those folers in y. I have the sessions working so that you need to be logged in to see any folders, but if you are logged in as x you can see the y folder by changing the URL. here is my index.php.

<?php

session_start();

if(!isset($_SESSION['username'])){
   header("Location:../../../../login/login.php");
}

require_once('../../../config.php');
require_once('../../../boilerplate.php');

global $smarty;

$smarty->display('general-report.tpl');
  • 写回答

3条回答 默认 最新

  • dongyuandou2521 2015-05-11 19:31
    关注

    There's some things that are inherently bad about doing it this way, but for simplicity's sake, a quick fix is going to be checking to see if the username matches the folder name.

    So, looking at your code, you could do something like this.

    if ($username == $dir_name) { $smarty->display('general-report.tpl'); } else { $smarty->display('error.tpl'); }

    Now, as for why you shouldn't be doing it this way...

    The logged in username shouldn't really be visible in the URL.

    You don't want people to start sharing their usernames around via URLs and then have mischievous people start brute forcing their way into your login system since they know various usernames.

    If it were me, I'd have the report URLs all be the same and just have the logged in username determine which user's reports to show.

    That way you know it's only visible to that person and even if they share the URL somewhere, their username won't be getting out into the wild.

    评论

报告相同问题?

悬赏问题

  • ¥15 关于#matlab#的问题:在模糊控制器中选出线路信息,在simulink中根据线路信息生成速度时间目标曲线(初速度为20m/s,15秒后减为0的速度时间图像)我想问线路信息是什么
  • ¥15 banner广告展示设置多少时间不怎么会消耗用户价值
  • ¥16 mybatis的代理对象无法通过@Autowired装填
  • ¥15 可见光定位matlab仿真
  • ¥15 arduino 四自由度机械臂
  • ¥15 wordpress 产品图片 GIF 没法显示
  • ¥15 求三国群英传pl国战时间的修改方法
  • ¥15 matlab代码代写,需写出详细代码,代价私
  • ¥15 ROS系统搭建请教(跨境电商用途)
  • ¥15 AIC3204的示例代码有吗,想用AIC3204测量血氧,找不到相关的代码。