dongsong73032
2015-08-27 18:15 阅读 83
已采纳

PHP - 防止F12提交黑客攻击

Im developing a PHP webapp which have user profiles to create & modify & delete (you know)

When I modify I profile I send the $userID to the PHP page and then I load all the user data. That $userID is store into a hidden input because I need it to launch the UPDATE query after submit.

I have noticed that user can press F12 and change that userID to another one and could modify (or delete) other user profile.

Sorry if is a stupid question, I suppose that this is a common problem in forms submitting, but I don't know how you face it (what is the most secure strategy in this case).

Please help :-)

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享

1条回答 默认 最新

  • 已采纳
    douxin2002 douxin2002 2015-08-27 18:40

    You should not expose a sensitive ID/data. there is no "security" practice doing that.

    you should use a session variable, as @cmrrissey suggestion

    @session_start(); #at before any outputscript $_SESSION['userID'] = $senstiveId;

    Also, You should not rely on the frontend validations. you must re-check/validate on your server, what is your end user sending to you.

    点赞 评论 复制链接分享