[英]Restricting ticket access to user
I have a ticket system.我有一个票务系统。
Ticket ID is in $_GET which allows users to type any number into the parameter thus even accessing tickets belonging to a different user.票证 ID 在 $_GET 中,它允许用户在参数中输入任何数字,从而甚至可以访问属于不同用户的票证。
How to avoid this situation?如何避免这种情况? Can't figure it out.
想不通
TO GET ALL TICKETS FOR USER:为用户获取所有门票:
<?php
// Connect to MySQL using the below function
$pdo = pdo_connect_mysql();
// MySQL query that retrieves all the tickets from the databse
$stmt = $pdo->prepare('SELECT * FROM tickets WHERE user=:user ORDER BY created DESC');
$stmt->bindParam(":user", $_SESSION['name']);
$stmt->execute();
$tickets = $stmt->fetchAll(PDO::FETCH_ASSOC);
?>
AND VIEW PAGE并查看页面
<?php
// Connect to MySQL using the below function
$pdo = pdo_connect_mysql();
// Check if the ID param in the URL exists
if (!isset($_GET['id'])) {
exit('No ID specified!');
}
// MySQL query that selects the ticket by the ID column, using the ID GET request variable
$stmt = $pdo->prepare('SELECT * FROM tickets WHERE id = ?');
$stmt->execute([ $_GET['id'] ]);
$ticket = $stmt->fetch(PDO::FETCH_ASSOC);
// Check if ticket exists
if (!$ticket) {
exit('Invalid ticket ID!');
}
// Update status
if (isset($_GET['status']) && in_array($_GET['status'], array('open', 'closed', 'resolved'))) {
$stmt = $pdo->prepare('UPDATE tickets SET status = ? WHERE id = ?');
$stmt->execute([ $_GET['status'], $_GET['id'] ]);
header('Location: view.php?id=' . $_GET['id']);
exit;
}
// Check if the comment form has been submitted
if (isset($_POST['msg']) && !empty($_POST['msg'])) {
// Insert the new comment into the "tickets_comments" table
$stmt = $pdo->prepare('INSERT INTO tickets_comments (ticket_id, msg) VALUES (?, ?)');
$stmt->execute([ $_GET['id'], $_POST['msg'] ]);
header('Location: view.php?id=' . $_GET['id']);
exit;
}
$stmt = $pdo->prepare('SELECT * FROM tickets_comments WHERE ticket_id = ? ORDER BY created DESC');
$stmt->execute([ $_GET['id'] ]);
$comments = $stmt->fetchAll(PDO::FETCH_ASSOC);
?>
Add condition into SQL which retrieves ticket from MySQL:将条件添加到从 MySQL 检索票证的 SQL 中:
$stmt = $pdo->prepare('SELECT * FROM tickets WHERE id = ? AND user = ?');
$stmt->execute([ $_GET['id'], $_SESSION['name']]);
$ticket = $stmt->fetch(PDO::FETCH_ASSOC);
This is the fastest and efficient solution.这是最快、最有效的解决方案。
Alternatively, you can fetch the ticket first and then check for the user:或者,您可以先获取票证,然后检查用户:
$stmt = $pdo->prepare('SELECT * FROM tickets WHERE id = ?');
$stmt->execute([ $_GET['id'] ]);
$ticket = $stmt->fetch(PDO::FETCH_ASSOC);
// Check if ticket exists
if (!$ticket) {
exit('Invalid ticket ID!');
}
// Check if ticket belongs to correct user
if ($ticket['user'] !== $_SESSION['name']) {
exit('Not your ticket!');
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.