堆栈内存溢出
  简体   繁体   English

限制用户的票证访问

[英]Restricting ticket access to user

 原文  2020-10-26 04:38:26       php/ mysql/ mysqli

问题描述

I have a ticket system.我有一个票务系统。

Ticket ID is in $_GET which allows users to type any number into the parameter thus even accessing tickets belonging to a different user.票证 ID 在 $_GET 中,它允许用户在参数中输入任何数字,从而甚至可以访问属于不同用户的票证。

How to avoid this situation?如何避免这种情况? Can't figure it out.想不通

TO GET ALL TICKETS FOR USER:为用户获取所有门票:

<?php
// Connect to MySQL using the below function
$pdo = pdo_connect_mysql();
// MySQL query that retrieves  all the tickets from the databse
$stmt = $pdo->prepare('SELECT * FROM tickets WHERE user=:user ORDER BY created DESC');
$stmt->bindParam(":user", $_SESSION['name']);
$stmt->execute();
$tickets = $stmt->fetchAll(PDO::FETCH_ASSOC);
?>

AND VIEW PAGE并查看页面

<?php
// Connect to MySQL using the below function
$pdo = pdo_connect_mysql();
// Check if the ID param in the URL exists
if (!isset($_GET['id'])) {
    exit('No ID specified!');
}
// MySQL query that selects the ticket by the ID column, using the ID GET request variable
$stmt = $pdo->prepare('SELECT * FROM tickets WHERE id = ?');
$stmt->execute([ $_GET['id'] ]);
$ticket = $stmt->fetch(PDO::FETCH_ASSOC);
// Check if ticket exists
if (!$ticket) {
    exit('Invalid ticket ID!');
}
// Update status
if (isset($_GET['status']) && in_array($_GET['status'], array('open', 'closed', 'resolved'))) {
    $stmt = $pdo->prepare('UPDATE tickets SET status = ? WHERE id = ?');
    $stmt->execute([ $_GET['status'], $_GET['id'] ]);
    header('Location: view.php?id=' . $_GET['id']);
    exit;
}
// Check if the comment form has been submitted
if (isset($_POST['msg']) && !empty($_POST['msg'])) {
    // Insert the new comment into the "tickets_comments" table
    $stmt = $pdo->prepare('INSERT INTO tickets_comments (ticket_id, msg) VALUES (?, ?)');
    $stmt->execute([ $_GET['id'], $_POST['msg'] ]);
    header('Location: view.php?id=' . $_GET['id']);
    exit;
}
$stmt = $pdo->prepare('SELECT * FROM tickets_comments WHERE ticket_id = ? ORDER BY created DESC');
$stmt->execute([ $_GET['id'] ]);
$comments = $stmt->fetchAll(PDO::FETCH_ASSOC);
?>

1 个解决方案

解决方案1
 3 已采纳  2020-10-26 04:55:59

Add condition into SQL which retrieves ticket from MySQL:将条件添加到从 MySQL 检索票证的 SQL 中:

$stmt = $pdo->prepare('SELECT * FROM tickets WHERE id = ? AND user = ?');
$stmt->execute([ $_GET['id'], $_SESSION['name']]);
$ticket = $stmt->fetch(PDO::FETCH_ASSOC);

This is the fastest and efficient solution.这是最快、最有效的解决方案。

Alternatively, you can fetch the ticket first and then check for the user:或者,您可以先获取票证,然后检查用户:

$stmt = $pdo->prepare('SELECT * FROM tickets WHERE id = ?');
$stmt->execute([ $_GET['id'] ]);
$ticket = $stmt->fetch(PDO::FETCH_ASSOC);

// Check if ticket exists
if (!$ticket) {
    exit('Invalid ticket ID!');
}

// Check if ticket belongs to correct user
if ($ticket['user'] !== $_SESSION['name']) {
    exit('Not your ticket!');
}

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 在Laravel中基于用户角色限制数据访问 - Restricting data access based on user role in laravel 限制用户访问特定页面 - Wordpress - Restricting user access to a particular page - Wordpress Codeigniter:限制用户访问自己的个人资料页面 - Codeigniter: Restricting user access to own profile page PHP Kerberos:检查有效票证/访问票证 - PHP Kerberos: Check for valid ticket/Access the ticket 限制变量访问 - Restricting variable access Apache限制对文件夹的访问 - Apache restricting access to a folder 限制对特定页面的访问 - Restricting access to specific pages 限制Codeigniter中的访问权限 - Restricting access in Codeigniter 限制对php文件的访问 - Restricting access to php file 在PHP中限制IFRAME访问 - Restricting IFRAME access in PHP
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM