将 id 从一个页面传递到另一个页面的最佳/最安全的方法是什么?
我正在开发一个 PHP/MySQL 消息应用程序,用户可以在其中查看对话并回复它。在消息的查看页面上,我有一个回复字段。为了保存回复,我需要知道正在回复的消息的 ID。我一直在尝试以一种既安全又可靠的方式传递这个ID。带有 POST 的简单隐藏字段无法做到这一点,因为用户可以篡改数据并修改他正在回答的消息。在视图页面上使用消息 ID 创建会话变量可以提供安全性,但会导致非常不希望的副作用:如果用户在打开他正在回复的消息后查看另一条消息,则响应将发布到另一条消息。
有人有其他选择吗?
I am working on a PHP/MySQL messaging application in which a user can see a conversation and reply to it. On the view page of the message I have a reply field. To save the reply I need to know the ID of the message which is being replied to. I have been trying to pass this ID in a way, which is both secure and reliable. A simple hidden field with a POST won't do it, since the user can tamper the data and modify which message he is answering. Creating a session variable with the id of the message on the view page provides the security but causes a highly undesirable side-effect: if the user views another message after opening the one he is replying to, the response will be posted to the other message.
Any one got any alternatives ?
您可以使用 mcrypt 库加密 id,并在 url 中传递加密形式。如果您的用户群具有西葫芦的集体智商,那么您可能可以通过简单的十六进制或 Base64 混淆来逃脱。但除此之外, mcrypt->base64 就足够了
You can encrypt the id with the mcrypt library and pass the encrypted form in the url. If your userbase has the collective IQ of a zucchini, you could probably get away with simple obfuscating as Hex or base64. But otherwise, mcrypt->base64 will be more than enough