douye4051 2016-04-13 01:34
浏览 35
已采纳

通过PHP中的AJAX获取或传递敏感数据

I want to update a row of data in a database using Ajax and PHP; however, I'm struggling with the following issue: the field in the database to update (henceforth the id) is dependent on the page the ajax request is sent from.

I need to get this id to my PHP script that Ajax calls, however:

  1. I don't want to set the id in a data attribute or hidden input on the page because these can both be manipulated by a malicious user.

  2. Similarly, identifying the id using the referring URL is also prone to spoofing as $_SERVER isn't secure.

  3. I can't set the id in a SESSION variable (or COOKIES) because the user could have multiple pages open and the SESSION would only hold the last page id that was opened.

The only solution I can think is to create a map of random tokens to id's in a table in the db and pass that in a SESSION variable (as per #3 above), then check the table for the token and grab the respective id that way. Seems somewhat convoluted though.

Are there any other options or thoughts? Thanks.

  • 写回答

2条回答 默认 最新

  • dongmeijian1716 2016-04-13 01:41
    关注

    This is a problem related to OWASP Top10 A7 (Missing Function Level Access Control).

    There might be no issue with putting your ID on the page so the page can send it back - you just need to validate that the actual save request is permitted for the user.

    Just think, regardless of whether you put the ID on the page or not, the page does know the base url for performing the action, so they could go ahead and guess IDs anyway.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 PADS Logic 原理图
  • ¥15 PADS Logic 图标
  • ¥15 电脑和power bi环境都是英文如何将日期层次结构转换成英文
  • ¥20 气象站点数据求取中~
  • ¥15 如何获取APP内弹出的网址链接
  • ¥15 wifi 图标不见了 不知道怎么办 上不了网 变成小地球了
  • ¥50 STM32单片机传感器读取错误
  • ¥15 (关键词-阻抗匹配,HFSS,RFID标签天线)
  • ¥15 机器人轨迹规划相关问题
  • ¥15 word样式右侧翻页键消失