检查是否从Javascript设置了$ _SESSION变量
[英]Check if a $_SESSION variable is set from Javascript
问题描述
I'm building a message system to learn how it works, and I've already got pretty much everything. 
我正在构建一个消息系统来了解它是如何工作的,而且我已经拥有了很多东西。 I can log in and make a post on a board, but now I would like to be able to edit it. 我可以登录并在电路板上发帖,但现在我希望能够编辑它。 The back-end is ready, it receives a POST request 后端已准备就绪,它会收到POST请求
Basically what I need to do is check if the currently logged in user is the author of a certain post from Javascript to show or hide the edit button. 基本上我需要做的是检查当前登录的用户是否是来自Javascript的某个帖子的作者,以显示或隐藏编辑按钮。 I know how to tell if the user is logged in from PHP so that it blocks requests if you aren't the author, but I can't hide or show the buttons as the posts are dinamically generated from a <template> using JS. 我知道如何判断用户是否从PHP登录,以便在您不是作者时阻止请求,但是我无法隐藏或显示按钮,因为帖子是使用JS从<template>以动态生成的。
Login snippet: 登录片段:
$_SESSION["userid"] = $userid;
Edit check PHP snippet (kinda pseudo-code): 编辑检查PHP代码段(有点伪代码):
if ($_POST["action"] == "modifypost" && isset($_POST["postid"]) && isset($_POST["content"]))
{
$post = get_post($_POST["postid"]);
if ($post.userid != $_SESSION["userid"])
{
die("you are not allowed");
}
//MySQL queries
}
Post dynamic generation (abbreviated): 后动态生成(缩写):
function add_post(post) {
var t = document.querySelector('#historypost');
t.content.querySelector(".content").innerHTML = post.content;
var clone = document.importNode(t.content, true);
document.body.appendChild(clone);
}
I had originally thought of setting a variable with the user ID from HTML with <script> and <?php ?> , but then the user would be able to manually set that variable from the console and show the buttons. 我最初想过用<script>和<?php ?>从HTML设置一个带有用户ID的变量,但是用户可以从控制台手动设置该变量并显示按钮。
2 个解决方案
解决方案1
2 已采纳 2017-07-30 00:45:49
I had originally thought of setting a variable with the user ID from HTML with
<script>and<?php ?><script>和<?php ?>从HTML设置一个带有用户ID的变量
Yes, this is one correct approach. 是的,这是一种正确的方法。 Basically, use PHP to tell JavaScript which posts actually belong to the current user. 基本上,使用PHP告诉JavaScript哪些帖子实际上属于当前用户。
but then the user would be able to manually set that variable from the console and show the buttons
True. 真正。 There is no way to secure information from user-meddling once you've sent it to the browser. 有没有办法 ,一旦你已经将它发送到浏览器向用户干预安全信息。 This is because the user is in control of what gets executed in the browser. 这是因为用户可以控制在浏览器中执行的内容。 Instead of thinking of the button visibility as a security feature, think of it as a convenience -- something to make the user experience more pleasing. 不要将按钮可见性视为安全功能,而应将其视为一种便利 - 让用户体验更加愉悦。
Application security is really enforced on the server. 应用程序安全性确实在服务器上实施。 Just make sure that one user is not allowed to edit another user's posts, and do not trust what comes from the browser. 只是确保不允许一个用户编辑其他用户的帖子,并且不相信浏览器的内容。 Verify inputs. 验证输入。
解决方案2
1 2017-07-30 00:38:25
Ideally, I would prefer to put the post rendering logic inside the server-side. 理想情况下,我更愿意将后期渲染逻辑放在服务器端。
But as your solution is focused in javascript, an option makes PHP render a javascript variable that tells if the user is the post author. 但是当你的解决方案专注于javascript时,一个选项使PHP呈现一个javascript变量,告诉用户是否是帖子作者。
Example: 例:
Inside your PHP file, in the HTML render part you can do this: 在PHP文件中,在HTML呈现部分中,您可以执行以下操作:
<script>var isAuthor = '<?php echo ($post.userid == $_SESSION["userid"])'; ?></script>
Doing this you will have javascript script variable called isAuthor , that will have value "1" is the user is the author. 执行此操作,您将拥有名为isAuthor javascript脚本变量,其值为“1”,即用户是作者。
- -
But as I said, this doesn't look like a good approach to solve the problem. 但正如我所说,这似乎不是解决问题的好方法。 It's something that PHP can handle better, without expose your logic to the client. 这是PHP可以更好地处理的东西,而不会将您的逻辑暴露给客户端。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.