dphphvs496524 2013-09-15 03:17

Adding random characters to a $_GET variable [closed]

I was just wondering if it was possible to add random characters to the variable I am passing to the second page. I want this because if the user changes the value in the url, then the system is gonna mess up because I am inserting data to database based on the message id. I can't use session because the first session is overriding the others.

If I have something like view_inbox.php?messageid=2 then the user can change it to something view_inbox.php?message=4.

So is it possible to have some random characters like

view_inbox.php?messageid=GXLSsd2sdcds? The id is coming from database.

echo"<a href='view_inbox.php?messageid=".$row['id']."'>".$row['from_user']."</a>";

view_inbox.php

$id = $_GET['messageid'];

  • dongyun7571 2013-09-15 03:23

    There are a couple of approaches.

    1. You should be checking security rules on which rows/entities the user is allowed to access. Put these rules in a common procedure/function in your code, so you can check them consistently.

    2. You can also "obfuscate" or encrypt the ID, in a way the server can reverse but is not easy/obvious for the client. Operations could include multiplying by a prime number (say 23) modulo 2^32, XOR by a constant, outputting it in base-64, perhaps with a lowercase 'x' in front.

    For the second approach:

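    function encodeKey ($key) {
       // Reversible only while $key * 23 fits in 32 bits: pack("N") keeps the low 32 bits.
       $multiplied = $key * 23;
       $packed = pack( "N", $multiplied);
       $base64 = base64_encode( $packed);
       return $base64;
    }
    function decodeKey ($text) {
       $packed = base64_decode( $text, true);
       if ($packed === false || strlen( $packed) !== 4) {
          return false;   // not something encodeKey() produced
       }
       $unpacked = unpack( "N", $packed);
       $multiplied = $unpacked[1];
       if ($multiplied % 23 !== 0) {
          return false;   // not a multiple of 23: altered or malformed
       }
       return (int) ($multiplied / 23);
    }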
    
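The first approach in the answer above (one shared access check) can look like the following. This is an added example, not code from the question or the answer; the `messages` table layout, the `to_user` column, the "recipient only" rule and the sample rows are assumptions made for illustration.

```php
<?php
// Added example. Assumed schema: messages(id, from_user, to_user, body).

// The single shared rule: a message is returned only to its recipient.
function fetchMessageForUser(PDO $db, string $currentUser, $rawId): ?array {
    // Accept only a plain positive integer; anything else is treated as "no such message".
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Ownership is part of the WHERE clause, so an id that belongs to another
    // user matches no row, exactly like an id that does not exist.
    $stmt = $db->prepare(
        'SELECT id, from_user, body FROM messages WHERE id = ? AND to_user = ?'
    );
    $stmt->execute([$id, $currentUser]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, from_user TEXT, to_user TEXT, body TEXT)');
$db->exec("INSERT INTO messages VALUES (2, 'bob', 'alice', 'hi alice')");
$db->exec("INSERT INTO messages VALUES (4, 'dave', 'carol', 'hi carol')");

// In view_inbox.php these would be the logged-in user and $_GET['messageid'].
$currentUser = 'alice';
foreach (['2', '4', '-1', 'GXLSsd2sdcds'] as $requested) {
    $msg = fetchMessageForUser($db, $currentUser, $requested);
    if ($msg === null) {
        // In a real page: http_response_code(404); exit;
        printf("messageid=%s: not found\n", $requested);
    } else {
        // Escape database values before they go into HTML output.
        printf("messageid=%s: from %s\n", $requested,
            htmlspecialchars($msg['from_user'], ENT_QUOTES, 'UTF-8'));
    }
}
```

With this check in place the id in the URL can stay a plain integer: changing `messageid=2` to `messageid=4` yields the same "not found" result as a nonexistent id, whether or not the id is also obfuscated.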
