
Passing data securely in PHP

I have a site that allows user A to search for and view other users. When user A clicks on, say, user B, I pass user B's id as a GET variable. I then use that id inside my view to display the appropriate data. Is this good practice? Should I expose a user's ID?

Also, when user A is on user B's profile he can send user A a message. How do I pass user B's id securely to my controller?

Any help greatly appreciated.

There is more than one way to do this.

One way that I usually use for such use cases is to create a unique hashed identifier that is pseudo-random enough that, when it gets passed through the URL, the user will not be able to just randomly change some values in it and get another user's profile.

E.g., suppose you are passing the ID; the URL would be something like:

showProfile.php?id=1256

Changing 1256 to 1257 might reveal the next user.

Suppose instead you pass a hashed string that is sufficiently random:

showProfile.php?id=u4n5l4534mnk43nl34n

Such hashes do not follow a sequence, so you cannot change a character/number in order to get the next one.

It also depends on how secure you want to make user data sharing between members of the site.
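The scheme the answer describes, as an added example that is not the answer's own code: instead of hashing the row id (an attacker can compute the hash of 1, 2, 3, ... just as easily as trying the integers), the site stores a random public identifier next to the internal integer id and only ever puts that public value in the URL. It assumes PHP 7+ with the pdo_sqlite extension; the in-memory database, the two sample users and the function names are constructed for this demonstration.

```php
<?php
// Added example, not the answer's own code: an opaque public profile id that
// is stored next to the internal integer id, so the URL never carries a value
// an attacker can count up or down. Assumes PHP 7+ with the pdo_sqlite
// extension; the in-memory database and the two sample users are constructed
// here for the demonstration.

function generatePublicId(): string
{
    // 128 bits from the CSPRNG, unrelated to the row id. A hash of the row id
    // would not do: md5('1257') is as cheap for an attacker to compute as 1257.
    return bin2hex(random_bytes(16));
}

function setupDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        public_id TEXT NOT NULL UNIQUE,
        username TEXT NOT NULL UNIQUE
    )');
    $insert = $db->prepare('INSERT INTO users (public_id, username) VALUES (:pid, :name)');
    foreach (['alice', 'bob'] as $name) {
        $insert->execute([':pid' => generatePublicId(), ':name' => $name]);
    }
    return $db;
}

// Builds the link the search-results page would emit for a user.
function profileUrl(array $user): string
{
    return 'showProfile.php?id=' . urlencode($user['public_id']);
}

// showProfile.php: resolve ?id=... to a row using only the opaque id.
function findUserByPublicId(PDO $db, string $publicId): ?array
{
    // Cheap shape check before the database sees the value: 32 lowercase hex chars.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $publicId)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, public_id, username FROM users WHERE public_id = :pid');
    $stmt->execute([':pid' => $publicId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = setupDatabase();
$stmt = $db->prepare('SELECT id, public_id, username FROM users WHERE username = :name');
$stmt->execute([':name' => 'bob']);
$bob = $stmt->fetch(PDO::FETCH_ASSOC);

echo "Link shown to user A: ", profileUrl($bob), "\n";

// The link resolves to Bob; a neighbouring integer and a hashed integer resolve to nothing.
$found = findUserByPublicId($db, $bob['public_id']);
echo "Resolved: ", $found['username'], "\n";
var_dump(findUserByPublicId($db, '1257'));
var_dump(findUserByPublicId($db, md5('1257')));
```

The random value keeps profiles from being enumerated, but it is not an access control: anyone who obtains the link can load that profile. If some profiles are meant to be visible only to certain members, the controller still has to check the logged-in session user's rights on every request, whichever kind of identifier is in the URL.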

So, I am thinking that when user A clicks on user B's profile, the URL becomes something like site.com/profile.php?id=24, hmm? 24 being user B's profile. If that is the case, then there is no problem with it. At some point, when you are searching for a user's profile, you are going to echo something that is in your database, be it his id, username, or last name. So, id is good, but if you need professionalism, you could even use the username; with a little bit of help from htaccess, it might as well look like site.com/profile/john

So, in short there is no way you can echo something for each profile, which is not already in database.

BUT looking at your tags, I see that you have mentioned mysql. If you are using something like this on the profile page:

$user  = $_GET['id'];
$query = mysql_query("SELECT * FROM USER WHERE id = '$user' ");

Well... that is dangerous and leaves your website/database OPEN to attack. So, if you are using something similar to the above, you should use PDO.
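Putting the two halves of the thread together, as an added example that is not the answer's own code: the interpolated mysql_query lookup above beside a PDO prepared statement, and a "send user B a message" controller that treats the id from the request only as a lookup key, takes the sender from the server-side session, and requires a CSRF token. It assumes PHP 7+ with the pdo_sqlite extension; the in-memory tables, the sample users, and the $session / $request arrays standing in for $_SESSION / $_POST are constructed here, and the function names are hypothetical.

```php
<?php
// Added example, not code from the answer above: the answer's vulnerable
// lookup beside a PDO prepared statement, plus a message-send controller that
// authorises the sender from the session instead of from request data.
// Assumes PHP 7+ with pdo_sqlite; the in-memory tables, the sample users,
// and the $session / $request arrays (stand-ins for $_SESSION / $_POST)
// are constructed for this demonstration.

function setupDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)');
    $db->exec('CREATE TABLE messages (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        sender_id INTEGER NOT NULL,
        recipient_id INTEGER NOT NULL,
        body TEXT NOT NULL
    )');
    $db->exec("INSERT INTO users (id, username) VALUES (24, 'alice'), (25, 'bob')");
    return $db;
}

// The answer's pattern interpolates $_GET['id'] straight into SQL text:
//   mysql_query("SELECT * FROM USER WHERE id = '$user' ");
// so an id of  ' OR '1'='1  becomes part of the query and matches every row.
// Below, the value is validated and then bound as a parameter; it never
// becomes SQL text, whatever it contains.
function findUserById(PDO $db, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {          // profile ids are non-negative integers only
        return null;
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Controller for "send user B a message" (hypothetical name). The recipient id
// from the form is only a lookup key; the sender is whoever owns the session.
function sendMessage(PDO $db, array $session, array $request): array
{
    if (empty($session['user_id'])) {
        return ['ok' => false, 'error' => 'not logged in'];
    }
    // The token is generated server-side per session and echoed into the form,
    // so a cross-site POST from another origin cannot supply it.
    if (empty($session['csrf_token']) || empty($request['csrf_token'])
        || !hash_equals((string) $session['csrf_token'], (string) $request['csrf_token'])) {
        return ['ok' => false, 'error' => 'bad CSRF token'];
    }
    $recipient = findUserById($db, (string) ($request['to'] ?? ''));
    if ($recipient === null || (int) $recipient['id'] === (int) $session['user_id']) {
        return ['ok' => false, 'error' => 'unknown recipient'];
    }
    $body = trim((string) ($request['body'] ?? ''));
    if ($body === '' || strlen($body) > 2000) {
        return ['ok' => false, 'error' => 'empty or oversized message'];
    }
    $stmt = $db->prepare('INSERT INTO messages (sender_id, recipient_id, body)
                          VALUES (:from, :to, :body)');
    $stmt->execute([
        ':from' => (int) $session['user_id'],   // never taken from the request
        ':to'   => (int) $recipient['id'],
        ':body' => $body,
    ]);
    return ['ok' => true, 'message_id' => (int) $db->lastInsertId()];
}

$db = setupDatabase();
$session = ['user_id' => 24, 'csrf_token' => bin2hex(random_bytes(16))]; // alice, logged in

// An injection attempt against the profile page is rejected before any SQL runs.
var_dump(findUserById($db, "' OR '1'='1"));

// Alice sends Bob a message with the token her form carried...
var_dump(sendMessage($db, $session, [
    'to' => '25', 'body' => 'hi bob', 'csrf_token' => $session['csrf_token'],
]));
// ...and a request without the token is refused even though 'to' is a valid user.
var_dump(sendMessage($db, $session, ['to' => '25', 'body' => 'hi bob']));
```

With this shape the id of user B in the form is not a secret and does not need to be: the worst a tampered value can do is address the message to a different existing user, which the sender could have done anyway, while the sender identity and the right to post at all come from the session on the server.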

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
