dongtun3328 2016-09-22 01:19
Views: 27
Accepted

Prevent input values from being changed [duplicate]


I have a system to upload and change the profile picture, and also a link that restores the default photo. I see that by changing the value of the ID from the browser console (inspect element in Chrome) I can make the image that I upload get assigned to another user, which is very bad. How can I avoid this?

index.php

<form name="form" method="post" action="dashboard_reset_image.php">
 <input type="hidden" name="id" value="'.$id.'">
 <input type="submit" class="btn btn-danger btn-img-user" value="Reset"/>
</form>

dashboard_reset_image.php

 <?php
 // The id comes straight from the client: whatever value the browser
 // submits is used as the row to update, with no check that it belongs
 // to the logged-in user.
 $ID = $_POST['id'];
 $db = DB::getInstance();
 $fields = array('img' => 'no-image.jpg');
 $db->update('profile', $ID, $fields);
 Redirect::to("index.php?id=$ID");

What this last piece of code does is update the "img" column in the "profile" table, setting a default image (it does not erase the images from the server; they are kept as a reference).

How do I stop the ID from being changed in the generated HTML, since that is insecure?


1 answer

  • duanjiu3486 2016-09-22 02:37

    Change

     $fields=array('img'=>'no-image.jpg');
    

    to

     $fields=array('img'=>$ID.'.jpg');
    

    To prevent the image update use the id in the filename.

    To prevent someone from changing the id in the browser you will need to use session storage to save the id on the server, then test to ensure the data submitted has the same id.

    Something like this will save the posted id:

    session_start();
    if (!isset($_SESSION['id']) && isset($_POST['id'])) {
        $_SESSION['id'] = $_POST['id'];
    }
    

    Populate the id in the HTML like so:

    <input type="hidden" name="id" value="<?= $_SESSION['id'] ?>">
    

    When you receive the data from the client, to test that the id is the same, you would use:

    if (isset($_SESSION['id'],$_POST['id'])) {
        if ($_SESSION['id'] !== $_POST['id']) {
            die('Ids do not match');
        } else {
            echo 'Update the image here';
        }
    }
    
    This answer was chosen as the best answer by the asker.
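The root cause in the question is that the row to update is chosen by a value the client controls (a classic insecure direct object reference). The check a practitioner would want is to derive the target user from the server-side session established at login and to ignore any posted id entirely, plus a CSRF token so that a third-party site cannot trigger the reset on the victim's behalf. The following is an added example, not the asker's or the answerer's code. It assumes that login stores the authenticated user's id in `$_SESSION['user_id']`, that the dashboard page stores a per-session token in `$_SESSION['csrf']` and echoes it into a hidden `csrf` field, and it uses PDO with an in-memory SQLite table standing in for the real `profile` table so that it runs stand-alone; `$session` and `$post` are passed as arrays in place of `$_SESSION` and `$_POST` for the same reason.

```php
<?php
// Added example (not the original poster's code): the reset handler trusts
// only the identity established at login, never an id sent by the client.
// Assumptions: login stores the authenticated user's id in $_SESSION['user_id'],
// and the page rendering the form stores a CSRF token in $_SESSION['csrf'].
declare(strict_types=1);

// Constructed in-memory table standing in for the real "profile" table.
function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE profile (id INTEGER PRIMARY KEY, img TEXT NOT NULL)');
    $db->exec("INSERT INTO profile (id, img) VALUES (1, 'alice.jpg'), (2, 'bob.jpg')");
    return $db;
}

// Called when the dashboard page is rendered: one random token per session,
// echoed into <input type="hidden" name="csrf" value="..."> in the form.
function csrfToken(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Hardened replacement for dashboard_reset_image.php.
// $post is the submitted form data, $session the server-side session.
// Returns the id of the profile that was reset, or null if the request was refused.
function resetImage(PDO $db, array $session, array $post): ?int {
    // Not logged in: there is nothing to reset.
    if (empty($session['user_id'])) {
        return null;
    }
    // Reject forged cross-site submissions; hash_equals avoids a timing leak.
    if (empty($post['csrf']) || empty($session['csrf'])
        || !hash_equals($session['csrf'], (string) $post['csrf'])) {
        return null;
    }
    // The target row is the logged-in user, whatever 'id' the client posted.
    $userId = (int) $session['user_id'];
    $stmt = $db->prepare('UPDATE profile SET img = :img WHERE id = :id');
    $stmt->execute([':img' => 'no-image.jpg', ':id' => $userId]);
    return $stmt->rowCount() === 1 ? $userId : null;
}

// Demonstration: Alice (id 1) edits the hidden field to target Bob (id 2).
$db = setupDb();
$session = ['user_id' => 1];
$token = csrfToken($session);

$forged = ['id' => '2', 'csrf' => $token];   // id tampered with in the browser
$result = resetImage($db, $session, $forged);
$images = $db->query('SELECT id, img FROM profile ORDER BY id')
             ->fetchAll(PDO::FETCH_KEY_PAIR);
printf("reset applied to id %s; bob's image is still %s\n",
       var_export($result, true), $images[2]);

// A request without the session's token (for example from another origin) is refused.
$noToken = resetImage($db, $session, ['id' => '1']);
printf("without CSRF token: %s\n", var_export($noToken, true));
```

With this handler the hidden `id` field can be removed from the form altogether; the only hidden field it needs is the CSRF token, and the redirect afterwards should use `$_SESSION['user_id']` rather than a value echoed back from the request. Copying the posted id into the session on first use, as in the accepted answer, does not close the hole, because the first value the attacker posts is the one that gets trusted.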
