通过 Get 传递 MySQL 唯一 ID 时的 PHP 安全性

发布于 2024-07-30 19:00:11 字数 454 浏览 6 评论 0原文

假设我有一个网站,主页上有各种书籍的链接。

<a href='books.php?id=1'>Book 1</a>
<a href='books.php?id=2'>Book 2</a>
<a href='books.php?id=4'>Book 3</a>

书籍 1-3 在我的系统中,但是 id=3 是另一个目录的一部分,我没有通过网站的这一部分显示或授权。 因此,如果用户单击 Book 3,然后将 id=4 更改为 id=3,他们可以简单地提取记录(假设我没有适当的会话检查)。

有没有一种好方法可以掩盖您在尝试提取特定记录时传递的 get id? 似乎只传递 id 就可以很容易地请求页面,如果没有适当的查询和会话检查,您将能够得到另一个结果。

有一个更好的方法吗?

干杯

Lets say I have a website with links to various books on my main page.

<a href='books.php?id=1'>Book 1</a>
<a href='books.php?id=2'>Book 2</a>
<a href='books.php?id=4'>Book 3</a>

Books 1-3 are in my system, however id=3 is apart of another catelog that I'm not showing or authorizing through this section of the site. So if a user clicked on Book 3, then changed the id=4 to id=3, they could simply pull up the record (assuming I don't have proper session checking).

Is there a good way to obscure the get id that you're passing when trying to pull a specific record? it seems by passing just the id would be easy to request pages that, without proper querying and session checking, you would be able to get another result.

Is there a better way to do this?

Cheers

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

七月上 2024-08-06 19:00:12

您可能可以使用 md5 或其他方式对您的 id 或其他内容进行哈希处理,以使其更难以手动输入,但这确实不是一个好主意。

您应该做的是在 books.php 脚本中实现服务器端安全性,以防止用户未经授权的访问。 这是保证您网站安全的唯一方法。

You probably could hash your id or something using md5 or whatever to make it harder to manually enter, but that's really not a good idea.

What you should do is to implement server side security in your books.php script that will prevent users from unauthorized access. That's the only thing that will keep your site secure.

骄傲 2024-08-06 19:00:12

只需检查id是否允许显示即可。
使用 get 的一个好习惯是检查您可能拥有的任何参数。

Just check id if it is allowable to display or not.
With get's a good practice is when you check whatever parameters you may have.

无悔心 2024-08-06 19:00:12

只是大声思考:

  1. 您可以在您的 book mysql 表中创建一个列,表示“可见”...或在您的用户表中创建一个用户级别。
  2. 执行一个 php 函数或 if 语句:

    if (user is not in user_level) // 不允许用户查看所有内容 
      { 
          重定向到上一页; 
      } 
      else if (user is in user_level) // 允许用户查看所有内容 
      {         
          显示所有项目; 
      } 
      

just thinking out loud:

  1. you can make a column in your book mysql table saying "visible" ... or userlevel in your users tables.
  2. do a php function or if statement that:

    if (user is not in user_level) // user is not allowed to see everything
    {
        redirect to previous page;
    }
    else if (user is in user_level) // user is allowed to see everything
    {        
        display all items;
    }
    
萧瑟寒风 2024-08-06 19:00:12

您肯定需要检查用户是否有权查看该页面。
但是,如果您将不同目录的 id 分开怎么办? URL 可能类似于 books.php?cat=foo&id=1。 这不一定会让事情变得更加安全,但它会防止人们意外地找到错误的页面并更好地组织事情。

You definitely need to check whether the user is allowed to view the page.
But, what if you separated the ids for the different catalogs? URL's could look like books.php?cat=foo&id=1. That wouldn't necessarily make things any more secure, but it would prevent people from accidentally finding the wrong pages and organize things a little better.

痴梦一场 2024-08-06 19:00:11

您需要始终、始终检查用户是否能够访问该页面。 这是验证您没有显示错误数据的唯一方法,因为有人总是可以修改他们要访问的链接,即使您以某种方式隐藏它。

无法逃避它。 您始终需要验证该记录是否可以访问。

You need to always, always, check that user is able to access the page. That is the only way to verify that you don't show wrong data, because someone can always modify the link they are going to, even if you somehow hide it.

There is just no escaping it. You always need to verify that the record can be accessed.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文