douye4051 2016-04-13 01:34
浏览 35
已采纳

通过PHP中的AJAX获取或传递敏感数据

I want to update a row of data in a database using Ajax and PHP; however, I'm struggling with the following issue: the field in the database to update (henceforth the id) is dependent on the page the ajax request is sent from.

I need to get this id to my PHP script that Ajax calls, however:

  1. I don't want to set the id in a data attribute or hidden input on the page because these can both be manipulated by a malicious user.

  2. Similarly, identifying the id using the referring URL is also prone to spoofing as $_SERVER isn't secure.

  3. I can't set the id in a SESSION variable (or COOKIES) because the user could have multiple pages open and the SESSION would only hold the last page id that was opened.

The only solution I can think is to create a map of random tokens to id's in a table in the db and pass that in a SESSION variable (as per #3 above), then check the table for the token and grab the respective id that way. Seems somewhat convoluted though.

Are there any other options or thoughts? Thanks.

  • 写回答

2条回答 默认 最新

  • dongmeijian1716 2016-04-13 01:41
    关注

    This is a problem related to OWASP Top10 A7 (Missing Function Level Access Control).

    There might be no issue with putting your ID on the page so the page can send it back - you just need to validate that the actual save request is permitted for the user.

    Just think, regardless of whether you put the ID on the page or not, the page does know the base url for performing the action, so they could go ahead and guess IDs anyway.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 买了个传感器,根据商家发的代码和步骤使用但是代码报错了不会改,有没有人可以看看
  • ¥15 关于#Java#的问题,如何解决?
  • ¥15 加热介质是液体,换热器壳侧导热系数和总的导热系数怎么算
  • ¥15 想问一下树莓派接上显示屏后出现如图所示画面,是什么问题导致的
  • ¥100 嵌入式系统基于PIC16F882和热敏电阻的数字温度计
  • ¥15 cmd cl 0x000007b
  • ¥20 BAPI_PR_CHANGE how to add account assignment information for service line
  • ¥500 火焰左右视图、视差(基于双目相机)
  • ¥100 set_link_state
  • ¥15 虚幻5 UE美术毛发渲染