
PHP looking for a neat way to prevent unauthorised users from viewing pages

I'm looking for a way to prevent unauthorised users from viewing pages without, let's say, wrapping everything in an if authed { show page } else { show error }.

My website is currently setup like:

index.php

require_once __WEBROOT__ . '/templates/default/header.tmpl';
require_once content('p');
require_once __WEBROOT__ . '/templates/default/footer.tmpl';

content()

function content($GETvar)
{
   $content  = '';
   $root     = __WEBROOT__;
   $location = 'content';
   // Every file under /content/ that may legitimately be served (scanDirRecursive() is the poster's own helper).
   $files    = scanDirRecursive($root . '/content/');

   if (isset ($_GET[$GETvar]))
   {
      // ->toHTML() is the poster's own wrapper on the request value; normalise path separators.
      $path = str_replace('\\', '/', $_GET[$GETvar]->toHTML());

      // Only serve the request if it matches a file found by the scan above;
      // anything else (including traversal attempts) gets the 404 page.
      if (in_array("$root/$location/$path", $files))
      {
         $content = "$root/$location/$path";
      }
      else
      {
         $content = $root . '/templates/default/errors/404.php';
      }
   }
   else
   {
      $content = __WEBROOT__ . '/content/home.php';
   }

   return $content;
}

This works nicely. When I was playing around with auth options, I chucked in a 'return' at the top of the 'content' page. Which ended up preventing the content page from loading but keeping the template intact (unlike a die()).

So I was wondering, is this safe? Or is there an error occurring that I'm not seeing...

Use the front controller pattern. Instead of having all your pages as individual PHP files, have a single "point of entry".

Basically, have your index.php file work like index.php?p=foo where foo defines what page to show. This way, all your requests will go through index.php, and you can include all your access checking in a single place. Remember to be careful to not allow including arbitrary files though - a common beginner mistake with this approach.

However, as pointed out, you may wish to research how frameworks like Cake or Zend perform this job.

Require a login page which sets a session variable with, say, the userid. Then on every page, call a function to check for authorization. It could probably be put in the header if it considers both the page and the user.

If no user is logged in, or they aren't allowed for the page, redirect to the login page—it would be nice to add a message saying they can't use the page they requested without logging in.

Logging out should clear the session variables. Also, if there is to be a session timeout, record the timestamp in a session variable at times which reset the timeout.
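Putting the two answers above together, as an added example that is not code from the original thread: a single index.php entry point with an explicit page whitelist, a session-based login check and an idle timeout. The `$pages` map, `current_user()`, the `last_seen`/`flash` session keys and the page file names are assumptions.

```php
<?php
// Added example (not from the original post): one entry point combining the
// front-controller whitelist with a session check and idle timeout.
// $pages, current_user(), the 'last_seen'/'flash' keys and the page files are assumptions.
declare(strict_types=1);

session_start();

const SESSION_TIMEOUT = 1800; // seconds of inactivity before forcing a new login

// Explicit map of page keys to files: only these can ever be required,
// so a ?p= value pointing anywhere else never reaches the filesystem.
$pages = [
    'home'    => ['file' => 'content/home.php',    'auth' => false],
    'login'   => ['file' => 'content/login.php',   'auth' => false],
    'account' => ['file' => 'content/account.php', 'auth' => true],
];

function current_user(): ?int
{
    if (!isset($_SESSION['userid'], $_SESSION['last_seen'])) {
        return null;
    }
    if (time() - $_SESSION['last_seen'] > SESSION_TIMEOUT) {
        // Idle too long: clear the login so the user must authenticate again.
        session_unset();
        return null;
    }
    $_SESSION['last_seen'] = time(); // activity resets the timeout
    return (int) $_SESSION['userid'];
}

$key  = $_GET['p'] ?? 'home';
$page = is_string($key) ? ($pages[$key] ?? null) : null; // reject ?p[]=... too

if ($page === null) {
    http_response_code(404);
    $page = ['file' => 'templates/default/errors/404.php', 'auth' => false];
} elseif ($page['auth'] && current_user() === null) {
    // Not logged in or timed out: redirect to login with a message, and stop here.
    $_SESSION['flash'] = 'Please log in to view the page you requested.';
    header('Location: index.php?p=login', true, 302);
    exit;
}

require __DIR__ . '/templates/default/header.tmpl';
require __DIR__ . '/' . $page['file'];
require __DIR__ . '/templates/default/footer.tmpl';
```

The `exit` after the redirect matters: without it the protected file would still be included and sent along with the redirect headers.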

Why reinvent the wheel? Every PHP framework has its ACL module, where you can set a security policy with a minimal amount of coding. Take a look at cakephp or google "acl framework"...

Don't do if logged in {} else {complain}; just redirect them to the login page if they aren't recognised, and die();

I've found it convenient to simply throw an Exception for such things. There are several strategies, but one might involve a scenario like:

function show_content()
{
  if( ! $user_is_allowed_to_see_this_content ) {
    throw new Exception('This user may not see this content', 403);
  }

  // Continue on with the content code
}

By default, this will simply error out, but you can use the set_exception_handler() function to define what specifically happens when the exception is thrown. This lets you define the "what to do when stuff goes wrong" logic in a separate place from your content-handling code, which I find makes things tidier.

For example:

function custom_exception_handler( Exception $exception ) 
{
  // Log the Exception
  error_log( $exception->getMessage(), 0 );

  // Return the generic "we screwed up" http status code
  header( "HTTP/1.0 500 Internal Server Error" );

  // return some error content
  die("We're sorry.  Something broke.  Please try again.");
}

// Now tell php to use this function to handle un-caught exceptions
set_exception_handler('custom_exception_handler');

It's worth noting that this is a good general-purpose way to handle all logical failure events, and not just authentication failures. File-not-found exceptions, validation exceptions, database query exceptions, demand-throttling exceptions; these can all be handled in the same way and in the same place.
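As an added example (not the answer's code), the handler can use the exception code that show_content() already sets to return the matching HTTP status for the failures the answer lists, while still falling back to a generic 500 and keeping the details in the server log only. The `$known` status map and the `show_content()` parameter are assumptions.

```php
<?php
// Added example (not part of the answer): an uncaught-exception handler that maps
// the exception code used above (403) to the matching HTTP status instead of a
// blanket 500, logs detail server-side and shows only a generic message to the client.
declare(strict_types=1);

function custom_exception_handler(Throwable $e): void
{
    // Only codes we deliberately throw become client-visible statuses;
    // anything unexpected (DB errors, bugs) is reported as a generic 500.
    $known  = [403 => 'Forbidden', 404 => 'Not Found', 429 => 'Too Many Requests'];
    $code   = (int) $e->getCode();
    $status = isset($known[$code]) ? $code : 500;

    // Full detail goes to the server log only, never into the response body.
    error_log(sprintf('[%d] %s in %s:%d', $status, $e->getMessage(), $e->getFile(), $e->getLine()));

    if (!headers_sent()) {
        http_response_code($status);
    }
    echo $status === 500
        ? "We're sorry. Something broke. Please try again."
        : "Sorry, that request could not be completed ({$known[$status]}).";
    exit(1);
}

set_exception_handler('custom_exception_handler');

// The content check from the answer, with the HTTP status carried as the exception code.
function show_content(bool $user_is_allowed_to_see_this_content): void
{
    if (!$user_is_allowed_to_see_this_content) {
        throw new Exception('This user may not see this content', 403);
    }
    echo 'protected content';
}

show_content(false); // the handler answers with HTTP 403, not 500
```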
