Ticket system in PHP vulnerabilities
I am building a ticket system for some website from which the user can book tickets for some event. My mechanism of booking goes like that:
Here is the problem: any malicious user could know the URL to which the successful checkout gets redirected, by observing the network tab in the developer tools, and send requests to this page "generate_ticket.php" and get free tickets.
Here is what I thought of to fix this problem: checking the $_SERVER['HTTP_REFERER'] variable for the referer URL and comparing it with the URL from PayPal. But the problem is that, as mentioned in the manual: "The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted."
This variable can be modified. So, it is not reliable, at least not alone.
So, does anybody have any solution to fix these vulnerabilities or prevent the user from requesting free tickets?
PayPal has a feature called IPN. Basically, you will not directly send tickets to the user once you get data on generate_ticket.php. Once a transaction is created you might insert a record in the DB with a Pending state and update it on the response from PayPal; here IPN comes into play: after the transaction gets completed, PayPal will send a POST request to the notify_url you provide, where you will handle the script that sends the user his tickets.
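A sketch of the notify_url listener the answer describes, added here as an example (it is not code from the question or the answer). The orders table, its columns, the merchant e-mail and the issue_ticket() helper are assumptions; the validation handshake (posting the message back with cmd=_notify-validate and expecting VERIFIED) follows PayPal's IPN documentation.

```php
<?php
// notify_url endpoint: PayPal POSTs here after the payment settles.
// Assumed schema: orders(id, amount, currency, status, txn_id).
$pdo = new PDO('mysql:host=localhost;dbname=tickets', 'app', 'secret');
$receiverEmail = 'merchant@example.com';  // assumed: the merchant's PayPal account e-mail

// 1. Echo the message back to PayPal, unchanged, to prove it really came from PayPal.
//    (Use ipnpb.sandbox.paypal.com while testing against the sandbox.)
$raw = file_get_contents('php://input');
$ch = curl_init('https://ipnpb.paypal.com/cgi-bin/webscr');
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $raw,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_HTTPHEADER     => ['User-Agent: PHP-IPN-Listener'],
]);
$verdict = curl_exec($ch);
curl_close($ch);
if ($verdict !== 'VERIFIED') {
    http_response_code(200); // acknowledge so PayPal stops retrying, but issue nothing
    exit;
}

// 2. Even a VERIFIED message must match *our* pending order before a ticket is issued:
//    an attacker can replay a genuine IPN from a cheaper or older purchase.
$orderId = (int) ($_POST['custom'] ?? 0);   // order id we passed to PayPal at checkout
$stmt = $pdo->prepare('SELECT * FROM orders WHERE id = ? AND status = ?');
$stmt->execute([$orderId, 'pending']);
$order = $stmt->fetch(PDO::FETCH_ASSOC);

$ok = $order
    && ($_POST['payment_status'] ?? '') === 'Completed'
    && ($_POST['receiver_email'] ?? '') === $receiverEmail
    && ($_POST['mc_currency'] ?? '') === $order['currency']
    && abs((float) ($_POST['mc_gross'] ?? 0) - (float) $order['amount']) < 0.005;

// 3. Flip pending -> paid in one statement; a replayed IPN for the same order then
//    matches zero rows and no second ticket is generated.
if ($ok) {
    $upd = $pdo->prepare('UPDATE orders SET status = ?, txn_id = ? WHERE id = ? AND status = ?');
    $upd->execute(['paid', $_POST['txn_id'], $orderId, 'pending']);
    if ($upd->rowCount() === 1) {
        issue_ticket($orderId); // assumed helper: generates and e-mails the ticket
    }
}
http_response_code(200);
```

With this in place, generate_ticket.php only shows a "payment received, your ticket will be e-mailed" page and never issues a ticket itself, so knowing its URL gains an attacker nothing.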