在PHP中安全地传递数据
[英]Passing data securely in PHP
问题描述
I have a site that allows user A to search for and view other users. 
我有一个允许用户A搜索和查看其他用户的站点。 When user A clicks on say user B. I pass user B's id as a GET variable. 当用户A单击用户B时,我将用户B的ID作为GET变量传递。 I then use that id inside my view to display the appropriate data. 然后,我在视图中使用该ID来显示适当的数据。 Is this good practice? 这是好习惯吗? Should I expose a users ID? 我应该公开用户ID吗?
Also, when user A is on user B's profile he can send user A a message. 同样,当用户A在用户B的个人资料上时,他可以向用户A发送消息。 How do I pass user B's id securely to my controller? 如何将用户B的ID安全地传递给我的控制器?
Any help greatly appreciated. 任何帮助,不胜感激。
2 个解决方案
解决方案1
0 2013-05-04 02:50:51
There are more than one way to do this. 有多种方法可以做到这一点。
One way that I usually use for such use cases, is to create a unique hashed identifier that is enough pseudo-random so that when that gets passed through the url, the user will not be able to just randomly change some values in it and get another user's profile. 我通常在此类用例中使用的一种方法是,创建一个足够的伪随机的唯一哈希标识符,以便当该标识符通过url传递时,用户将无法仅随机更改其中的某些值并获得另一个用户的个人资料。
Eg suppose you are passing ID, the URL would be something like: 例如,假设您要传递ID,则网址应类似于:
showProfile.php?id=1256
changing 1256 to 1257 might reveal the next user. 将1256更改为1257可能会显示下一个用户。
Supposing you pass a hashed string that is sufficiently random: 假设您传递了一个足够随机的哈希字符串:
showProfile.php?id=u4n5l4534mnk43nl34n
And such hashes do not follow sequences, so that you cannot change a character/number in order to get the next one. 而且此类哈希不遵循顺序,因此您无法更改字符/数字以获取下一个。
It also depends on how secure you want to make user data sharing between members of the site 这还取决于您希望在站点成员之间共享用户数据的安全性。
解决方案2
0
So, I am thinking that when user A clicks on user B profile, the url becomes something like site.com/profile.php?id=24 hmm? 因此,我在想,当用户A单击用户B的个人资料时,该网址会变成类似于site.com/profile.php?id=24嗯? 24 being user B's profile. 24是用户B的个人资料。 If that is the case, then there is no problem with it. 如果是这样,那就没有问题了。 At some point, when you are searching for a user's profile, you are going to echo something that is in your database, be it, his id, username, or lastname. 在某个时候,当您搜索用户的个人资料时,您将回显数据库中的某些内容,无论是其ID,用户名还是姓氏。 So, id is good, but if you need professionalism, you could even user the username, with a little bit of help from htaccess, it might as well look like site.com/profile/john 因此,id很好,但是如果您需要专业知识,您甚至可以使用用户名,并且在htaccess的帮助下,它看起来也可能像site.com/profile/john
So, in short there is no way you can echo something for each profile, which is not already in database. 因此,总之,您无法为每个配置文件回显某些内容,而该配置文件尚未在数据库中。
BUT looking at your tag, that you have mentioned mysql if you are using on profile page, something like this: 但是查看您的标签,如果您在个人资料页面上使用的话,您已经提到了mysql ,如下所示:
$user = $_GET['id'];
$query = mysql_query("SELECT * FROM USER WHERE id = '$user' ");
Well... that is Dangerous and leaves your website/database OPEN for an attack. 好吧...这很危险 ,您的网站/数据库处于打开状态,容易受到攻击。 So, if you are using something similar to above, you should use PDO 因此,如果您使用与上述类似的方法,则应使用PDO
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.