Suppose that I have a link with an ajax request which use to like a post. It has a data-id attribute which is the post's id like this.
<a href="#" data-id="<?php echo $post->id; ?>">Like</a>
In server side, I use this id to update the like number of this post. I wonder if an user could use the developer tool to change this id, so the data will break. But I don't know the name of this security threat and how to prevent it. Could anyone help me out !? Thank in advance.
分享 Just make sure you are not sending along the user_id for example through js and ajax since that could easily be manipulated to make other users like something they didn't click on.
If you use something like:
if(isset($_POST['like_id'])
{
$like_id = (int) $_POST['like_id'];
// some more checks (ie. does this id exist?), and then:
$user_id = $_SESSION['user_id'];
echo $user_id . " likes post " . $like_id;
}
than all a "malicious" user could achieve, would be to make his account "like" something without going through the actual link.
On the opposite if you use:
$user_id = $_POST['user['user_id']; // don't use this!
than any user could send any user's id and make them "like" something they didn't request which you wouldn't want to allow.
In General
Do not rely on ANY data coming from a POST or GET since that could be easily changed so make sure that id is an integer, make sure that id exists and then after making all necessary checks update your database accordingly.
分享
