如何保护传递给另一个页面的查询字符串或参数
[英]How to protect querystring or parameters passed to another page
问题描述
I have a scenario which displays list of products in a tabular format and one of the column has a link to the product page. 
我有一个方案,以表格格式显示产品列表,并且其中一列具有指向产品页面的链接。
<td> <a href="/ViewProduct/{{$request->prd_ID}}/{{$request->usr_ID}}" id="link" > Product </a> </td>
The route is as follows: 路线如下:
Route::get('ViewProduct/{pid?}/{uid?}', 'ViewProductController@Page_Load');
and the URL would be: 该网址为:
http://example.com/ViewProduct/11/4
This approach directly exposes the product id and user id and can be modified easily in the browser. 这种方法直接公开了产品ID和用户ID,可以在浏览器中轻松进行修改。 Any inputs on how to address these concerns in php/laravel? 在php / laravel中如何解决这些问题的任何输入?
1 个解决方案
解决方案1
1 已采纳 2015-02-06 06:31:21
This is really not something you should worry about, it's a pointless waste of time. 这确实不是您应该担心的事情,这是浪费时间。 Somebody changes the URL from a 2 to a 3 and they'll see a different page... so what?! 有人将URL从2更改为3然后他们会看到不同的页面... 那又如何呢! If they're allowed to see that page in the first place, ie if they could click around on your site and eventually discover this page, then what's the issue? 如果允许他们首先查看该页面,即,如果他们可以在您的网站上单击并最终找到该页面,那么问题是什么? They just took a shortcut. 他们只是走捷径。 If they're not allowed to see that page... well, you're doing authorisation checks when someone is requesting that page, aren't you? 如果他们不能看到网页...好了,你做的授权检查,当有人请求页面,是不是? If you are, then there's no issue at all. 如果是的话,那根本就没有问题。 If you're not, then that's your real problem. 如果您不是,那就是您的真正问题。 Trying to keep URLs "secret" and "unguessable" is impossible, just do proper authorisation checks. 尝试保持URL的“秘密”和“不可用”是不可能的,只需进行适当的授权检查即可。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.