Prevent Users from Performing an Action Twice
We have some problems with users performing a specific action twice. We have a mechanism to ensure that users can't do it, but somehow it still happens. Here is how our current mechanism works:
However, even with all these measures, there are still users able to perform the action twice. Are there any safer methods?
Here is the partial code for the database side:
```php
$db->beginTransaction();
// Get the user's data
$user = $db->queryRow("SELECT flag FROM users WHERE userid = {$auth->getProperty('auth_user_id')}");
if ($user['flag'] != 0) {
    $db->rollback();
    // Return with error
    return false;
}
// Proceed with performing the action
// --- Action Here ---
// Double-checking process: the user data is retrieved again
$user = $db->queryRow("SELECT flag FROM users WHERE userid = {$auth->getProperty('auth_user_id')}");
if ($user['flag'] != 0) {
    $db->rollback();
    // Return with error
    return false;
}
// --- The final inserting query ---
// Update the flag
$db->query("UPDATE users SET flag = 1 WHERE userid = {$auth->getProperty('auth_user_id')}");
$db->commit();
return true;
```
It is good to see that you have taken all measures to defeat the bad guys. Speaking in terms of bad guys:
Client side: This can easily be bypassed by simply disabling JavaScript. Good to have anyway, but again not against bad guys.
Server side: This is important; however, make sure that you generate a different hash/key with each submission. Here is a good tutorial at nettutes on how to submit forms in a secure fashion.
Database side: Not sure, but I suspect there might be an SQL injection problem. See more info about SQL injection and how to possibly fix that.
Finally:
I would recommend that you check out the:
The OWASP PHP Project's goal (OWASP PHP Project Roadmap) is to enable developers, systems administrators and application architects to build and deploy secure applications built using the PHP programming language.
Well, the JS method and hash method may be cheated by some notorious guy, but the 3rd method seems to be very good in order to protect against the redundancy. There must be some programming flaw to get past this.
Why don't you just check the flag field on the page where you are inserting the values, rather than where the user is performing the action (if you are doing it now)?
Pseudocode follows:
```php
<?php
// $db is assumed to be a PDO connection; $act_id contains the id of the action to be executed.
$h = uniqid('');
// This locks the action (if it is unlocked) and marks it as being performed by me.
// The "executor = ''" condition makes the claim atomic: only one concurrent request changes the row.
$stmt = $db->prepare("UPDATE actions SET executor = ? WHERE act_id = ? AND executor = ''");
$stmt->execute([$h, $act_id]);
$stmt = $db->prepare("SELECT * FROM actions WHERE executor = ?");
$stmt->execute([$h]);
$action = $stmt->fetch(PDO::FETCH_ASSOC);
if ($action !== false) {
    // The above query returned the action, so this request won the claim: execute it here.
    //
    // If you want to allow executing this exact action again in the future, mark it as not executed.
    $stmt = $db->prepare("UPDATE actions SET executor = '' WHERE act_id = ?");
    $stmt->execute([$act_id]);
}
```
Important things:
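The question's transaction checks the flag with a plain SELECT, so two concurrent requests can both read flag = 0 and both run the action before either UPDATE lands; the conditional UPDATE in the answer above closes that window by making the check and the write one statement. The following is an added example, not code from the question or from any answer: it uses Python and sqlite3 in autocommit mode (standing in for reads that hold no lock) to replay the same two-request interleaving against the question's check-then-act and against an atomic "flag = 0" claim, with a constructed users table and user id.

```python
import os
import sqlite3
import tempfile

USERID = 42  # constructed sample user


def fresh_db():
    """Constructed database with one user whose flag is still 0; returns two connections to it."""
    path = os.path.join(tempfile.mkdtemp(), "users.db")
    setup = sqlite3.connect(path)
    setup.execute("CREATE TABLE users (userid INTEGER PRIMARY KEY, flag INTEGER NOT NULL)")
    setup.execute("INSERT INTO users (userid, flag) VALUES (?, 0)", (USERID,))
    setup.commit()
    setup.close()
    # Autocommit connections: each statement holds no lock once it returns, which is
    # also how a plain (non-locking) SELECT behaves inside the question's transaction.
    return sqlite3.connect(path, isolation_level=None), sqlite3.connect(path, isolation_level=None)


def flag_is_clear(conn):
    """The question's check: read the flag and trust the value seen."""
    row = conn.execute("SELECT flag FROM users WHERE userid = ?", (USERID,)).fetchone()
    return row[0] == 0


def claim(conn):
    """Atomic claim: only the statement that flips the flag from 0 to 1 changes a row."""
    cur = conn.execute("UPDATE users SET flag = 1 WHERE userid = ? AND flag = 0", (USERID,))
    return cur.rowcount == 1


def run_check_then_act():
    """Requests A and B interleaved: both check first, then both act. Returns how often the action ran."""
    a, b = fresh_db()
    decisions = [flag_is_clear(a), flag_is_clear(b)]  # both read flag = 0: nothing has changed yet
    executed = 0
    for conn, ok in zip((a, b), decisions):
        if ok:
            executed += 1  # --- Action Here --- also runs for B, on its stale check
            conn.execute("UPDATE users SET flag = 1 WHERE userid = ?", (USERID,))  # question's UPDATE
    return executed


def run_atomic_claim():
    """Same interleaving, but each request must first win the conditional UPDATE."""
    a, b = fresh_db()
    decisions = [claim(a), claim(b)]  # A wins (rowcount 1); B finds flag = 1 (rowcount 0)
    return sum(1 for ok in decisions if ok)  # the action runs only for the winner
```

The same rowcount check applies to the question's own code: replace the read-then-UPDATE pair with `UPDATE users SET flag = 1 WHERE userid = ? AND flag = 0` and treat zero affected rows as "already performed".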