
How to secure page mode from user injection?

I have a PHP form page (page.php) with 3 different modes (Insert/Edit/View).

The index page (index.php) contains 3 links that navigate to page.php, and every link is shown according to the current user's roles.

index.php

<html>
<body>      
    <div id='main'>
        <a href="page.php?insertMode=true&editMode=true">Insert Student Screen</a> <br>
        <a href="page.php?insertMode=false&editMode=true">Edit Student Screen</a> <br>
        <a href="page.php?insertMode=false&editMode=false">View Student Screen</a> <br>
    </div>  
</body>
</html>

My problem
A user who has neither insertMode nor editMode (insertMode=false&editMode=false)
may change the values in the URL, and then
he will open page.php in a mode for which he has no role.

These rights must be stored in the database... not in the URL. So, when you load your user into the session, you load his rights too and can easily check whether he has the right to edit or insert.

The best way is to have a table User, a table Right (containing all available rights) and a table associating these tables (like UserRights?) where the primary key is composed of the primary key of User and of Right. Then, a user can have multiple rights.

You should take a look at this.

http://www.singingeels.com/Articles/Understanding_SQL_Many_to_Many_Relationships.aspx
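As an added illustration of this answer (example code, not from the question or the answer above): page.php decides its mode from rights loaded into the session at login, and the insertMode/editMode URL flags are no longer trusted at all. It assumes a PDO connection $pdo and the three tables the answer describes; the table and column names (User, Right, UserRight, user_id, right_id, name), the right names such as student.edit, and the single mode= query parameter are all assumptions for the example.

```php
<?php
// Added example, not the original poster's code. Assumed schema: User(id), Right(id, name),
// UserRight(user_id, right_id) with a composite primary key (user_id, right_id).
session_start();

// Step 1, run once at login: load the names of the user's rights into the session.
// `Right` is quoted because RIGHT is a reserved word in MySQL.
function loadRightsIntoSession(PDO $pdo, int $userId): void
{
    $stmt = $pdo->prepare(
        'SELECT r.name FROM `Right` r
         JOIN UserRight ur ON ur.right_id = r.id
         WHERE ur.user_id = :uid'
    );
    $stmt->execute([':uid' => $userId]);
    $_SESSION['user_id'] = $userId;
    $_SESSION['rights']  = $stmt->fetchAll(PDO::FETCH_COLUMN); // e.g. ['student.view', 'student.edit']
}

// Strict comparison so a right name is matched exactly, never by type juggling.
function hasRight(string $right): bool
{
    return in_array($right, $_SESSION['rights'] ?? [], true);
}

// Step 2, on every request: the URL only names the screen the user asked for;
// the server decides whether that screen is allowed for this session.
function resolveMode(?string $requested): ?string
{
    $required = [
        'view'   => 'student.view',
        'edit'   => 'student.edit',
        'insert' => 'student.insert',
    ];
    $mode = $requested ?? 'view';
    if (!isset($required[$mode]) || !hasRight($required[$mode])) {
        return null; // unknown mode, or the user lacks the right it needs
    }
    return $mode;
}

if (!isset($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}

$mode = resolveMode($_GET['mode'] ?? null);
if ($mode === null) {
    http_response_code(403);
    exit('You are not allowed to open this screen.');
}

// The same check guards the form submission, not only the rendering of the form:
// a user with only student.view must not be able to POST an edit.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && $mode === 'view') {
    http_response_code(403);
    exit('Read-only screen.');
}

// Render the screen for $mode (insert / edit / view) from here on.
// In index.php, show only the links the user may use, e.g.:
//   <?php if (hasRight('student.insert')): ?> <a href="page.php?mode=insert">Insert Student Screen</a> <?php endif; ?>
// Hiding a link is a convenience for the user; resolveMode() is the actual protection.
```

Keeping the right names in the session means the database is queried once per login rather than on every page view; if rights can be revoked while a user is logged in, reload them on a schedule or on sensitive actions.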
