douyuan4357 2014-12-14 07:59

Variables in the URL

Good morning,

I am building a site for a client and I have come across a huge issue. I am allowing a public search where the user can select the search field from a dropdown and then input the search value in an input field. The SQL query runs and returns results. The unregistered user can then select to view the details for that particular user by clicking on view. Now obviously, clicking on the view link redirects them to another page using PHP.

<td><a href='http://localhost/mygiftsite/pub_list_view.php?user=<?php echo $user_id;?>'>View</a></td>

This produces the following URL: http://localhost/mygiftsite/pub_list_view.php?user=1. This page then displays all the lists that are made public by that particular registered member. The unregistered user can then view those lists by clicking on any of the fields and that redirects to http://localhost/mygiftsite/pub_item_view.php?list=9.

My problem is that a user can just change the value of the list variable/index in the URL to view lists for other users and lists with a privacy setting of private, which should not be allowed. Just to clarify, the list has a privacy field, not the user. The registered user decides to either keep a list private or to make a list public. Public lists should be accessible via a member search and private lists should not be displayed. I stopped users from accessing pages without being logged in using the following code:

<?php
    session_start();
    if(!isset($_SESSION['userid'])){
        header("location: http://localhost/mygiftsite/login.php");
        exit; // header() only sets the redirect; without exit the rest of the page is still rendered
    }
?>

But I want to allow unregistered users to search and view public lists. Please can you help me resolve this issue.

  1. Is it possible to "hide" the variable so the value cannot be changed?
  2. How do I stop users from changing the value of the list variable by simply clicking in the URL?
  3. If they change the value by simply changing the URL how do I protect my user's list should the privacy be set to private?
  4. I do not want to go the .htaccess method as you can still simply change the parameter value.

My main concern is that a parameter can simply be changed in the address bar. How do I stop this from happening?


1 answer

  • drwn65609 2014-12-14 08:54

    You need to check in every private page that the user loading it is the logged-in user. Example:

    <?php
    session_start();

    // keep the logged-in user id; stored in the session during sign-in (null for guests)
    $loggedUserId = isset($_SESSION['loggedUserId']) ? (int)$_SESSION['loggedUserId'] : null;

    // from the URL GET parameters
    $otherUserId = isset($_GET['userid']) ? (int)$_GET['userid'] : null;
    $listId = isset($_GET['list']) ? (int)$_GET['list'] : null;

    if ($loggedUserId !== null && $loggedUserId == $otherUserId) {
        // the viewer is looking at their own lists: allow access
    } else {
        // retrieve the list record based on $listId and read its privacy field;
        // getListIsPrivate() stands for that database lookup (placeholder, not defined here)
        $isPrivate = getListIsPrivate($listId);

        // don't allow access to a private list
        if ($isPrivate == true) {
            header("location: http://localhost/mygiftsite/login.php");
            exit; // stop here; header() alone does not end the script
        }
    }
    
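Added example, not code from the question or the answer above: the check a page like pub_item_view.php needs, where the list is looked up server-side and the decision is made from its stored privacy flag and owner together with the session, so the user id carried in the URL is never trusted. The table and column names (lists.owner_id, lists.is_private) and the in-memory SQLite sample rows are assumptions.

```php
<?php
// Added example (not the question's or the answer's code): authorize access to a
// list by looking it up server-side and comparing its stored owner and privacy
// flag against the session. The user id in the URL is never used for the decision.
// Schema (lists.owner_id, lists.is_private) and sample rows are assumptions.
session_start();

function canViewList(PDO $db, int $listId, ?int $viewerId): bool {
    $stmt = $db->prepare('SELECT owner_id, is_private FROM lists WHERE id = :id');
    $stmt->execute([':id' => $listId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                 // unknown list id: deny, same as private
    }
    if ((int)$row['is_private'] === 0) {
        return true;                  // public list: anyone, logged in or not
    }
    // private list: only its owner, identified by the session, may view it
    return $viewerId !== null && $viewerId === (int)$row['owner_id'];
}

// Constructed sample data in an in-memory SQLite database (assumed schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE lists (id INTEGER PRIMARY KEY, owner_id INTEGER, is_private INTEGER)');
$db->exec('INSERT INTO lists (id, owner_id, is_private) VALUES (9, 1, 0), (10, 1, 1), (11, 2, 1)');

// Self-check of the cases that matter for the question above.
assert(canViewList($db, 9, null) === true);   // guest views a public list
assert(canViewList($db, 10, null) === false); // guest edits ?list=10 (private): denied
assert(canViewList($db, 10, 1) === true);     // owner views their own private list
assert(canViewList($db, 11, 1) === false);    // user 1 asks for user 2's private list: denied

// Request handling: list id from the URL, identity only from the session.
$listId   = isset($_GET['list']) ? filter_var($_GET['list'], FILTER_VALIDATE_INT) : false;
$viewerId = isset($_SESSION['userid']) ? (int)$_SESSION['userid'] : null;

if ($listId === false || !canViewList($db, $listId, $viewerId)) {
    http_response_code(403);          // one answer for "private" and "no such list"
    exit('You are not allowed to view this list.');
}
// ... render the items of list $listId here ...
```

The same function applies to pub_list_view.php: filter the lists shown for a user to public ones unless the session id matches their owner.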
