drne47241 2012-08-29 21:19
Views: 36
Accepted

Temporary variable in $_SESSION?

User Story:

I am an administrator of the web application and I need to delete another user of the web application. I select the user from a list of users and then can delete the user from a subsequent page.

Current (wrong) Solution:

Right now I'm storing the user-to-be-deleted's ID/primary key in a hidden form element (horrible, horrible, horrible, I know - someone could delete any user with an element inspector...). What's the best practice for something like this? Do I save the user-to-be-deleted's ID/primary key as a $_SESSION variable? A cookie? A hashed URL and grab it with $_GET?

EDIT

There are different groups of users, managed by different administrators. Admin of Group A has no knowledge of Group B (and its users), etc. All the users are in a single table and all users can be in any number of groups. I need the user's ID protected and out of the DOM so that someone couldn't alter it and delete a user that they don't have jurisdiction over.


3 answers

  • duanji5746 2012-08-29 21:27

    There is no need to use $_SESSION for such task: sessions are for maintaining state between pages, and there is no situation like this right here.

    The best practice when dealing with resources [such as users] is to set up a RESTful environment.

    While you haven't set up such a system yet, you can still take advantage of HTTP requests with the $_GET and $_POST PHP arrays:

    <form action="delete.php" method="post">
        <select id="user" name="user">
            <option value="1">John Doe</option>
            <option value="2">Jane Doe</option>
            <option value="3">Dun No</option>
        </select>
        <input type="submit" value="Submit"/>
    </form>

    When you submit this form, you make a POST request to delete.php, and the $_POST array will contain a user key with the selected value - then you can delete the user by that key, using PDO prepared statements.

    Against denying deleting permissions, you have to set up your scripts in order to block requests if the logged-in user hasn't got enough privileges - that's another layer you have to set up properly, so I advise you to use a framework [like Symfony or Yii] so you can take advantage of their security components.

    The hidden field idea is behind CSRF protection, so it is not pointless at all - and yes, it relies on sessions.

    This answer was selected as the best answer by the asker.
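The answer above describes the pieces (a POST to delete.php, a server-side privilege check, PDO prepared statements, and a session-backed CSRF token in a hidden field) without putting them together. The following delete.php is an added example written for this page, not code from the answer's author. It assumes three constructed tables whose names are hypothetical: users(id), user_groups(user_id, group_id) and group_admins(group_id, admin_id), and it assumes the login code stored the administrator's id in $_SESSION['admin_id'] and a random token in $_SESSION['csrf_token']. The point it demonstrates is the one the asker's EDIT is really about: the submitted id is allowed to be visible in the DOM, because authorisation is decided on the server from the session, not from anything the client sends.

```php
<?php
// delete.php - added example, not the original answer's code.
// Assumed (constructed) schema: users(id), user_groups(user_id, group_id),
// group_admins(group_id, admin_id). Assumed session keys: admin_id, csrf_token.
declare(strict_types=1);

session_start();

// 1. Who is acting comes from the session, never from the request body.
$adminId = $_SESSION['admin_id'] ?? null;
if ($adminId === null) {
    http_response_code(403);
    exit('Not logged in');
}

// 2. A delete is a state change: accept POST only, and require the
//    session-backed CSRF token that the form carried in a hidden field.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}
$token = $_POST['csrf_token'] ?? '';
if (!is_string($token) || !hash_equals($_SESSION['csrf_token'] ?? '', $token)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}

// 3. The submitted id is untrusted input: validate its shape here, and let the
//    authorisation query below decide whether this admin may act on it.
$userId = filter_input(INPUT_POST, 'user', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($userId === false || $userId === null) {
    http_response_code(400);
    exit('Invalid user id');
}

// Connection details are placeholders for this example.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

// 4. Server-side authorisation: the target user must belong to at least one
//    group that the logged-in administrator manages. Editing the hidden field
//    or the <select> value in an element inspector cannot get past this check.
$check = $pdo->prepare(
    'SELECT COUNT(*)
       FROM user_groups ug
       JOIN group_admins ga ON ga.group_id = ug.group_id
      WHERE ug.user_id = :user AND ga.admin_id = :admin'
);
$check->execute([':user' => $userId, ':admin' => $adminId]);
if ((int) $check->fetchColumn() === 0) {
    // Same response whether the user does not exist or is out of scope,
    // so the id space cannot be enumerated through this endpoint.
    http_response_code(403);
    exit('Not permitted');
}

// 5. Delete through a prepared statement: the id is bound as a parameter and
//    never concatenated into the SQL text.
$delete = $pdo->prepare('DELETE FROM users WHERE id = :user');
$delete->execute([':user' => $userId]);

// 6. Rotate the CSRF token after a successful state-changing request.
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));

echo 'User deleted';
```

On the form side, the page that renders the `<select>` from the answer also needs a hidden field, `<input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES) ?>">`, and should populate the `<select>` only with users from the administrator's own groups so the UI matches what the server will accept. The `hash_equals` comparison is used rather than `===` so the token check takes the same time regardless of where the strings first differ.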