堆棧內存溢出
  簡體   English   中英

限制用戶的票證訪問

[英]Restricting ticket access to user

 原文  2020-10-26 04:38:26       php/ mysql/ mysqli

問題描述

我有一個票務系統。

票證 ID 在 $_GET 中,它允許用戶在參數中輸入任何數字,從而甚至可以訪問屬於不同用戶的票證。

如何避免這種情況? 想不通

為用戶獲取所有門票:

<?php
// Connect to MySQL using the below function
$pdo = pdo_connect_mysql();
// MySQL query that retrieves  all the tickets from the databse
$stmt = $pdo->prepare('SELECT * FROM tickets WHERE user=:user ORDER BY created DESC');
$stmt->bindParam(":user", $_SESSION['name']);
$stmt->execute();
$tickets = $stmt->fetchAll(PDO::FETCH_ASSOC);
?>

並查看頁面

<?php
// Connect to MySQL using the below function
$pdo = pdo_connect_mysql();
// Check if the ID param in the URL exists
if (!isset($_GET['id'])) {
    exit('No ID specified!');
}
// MySQL query that selects the ticket by the ID column, using the ID GET request variable
$stmt = $pdo->prepare('SELECT * FROM tickets WHERE id = ?');
$stmt->execute([ $_GET['id'] ]);
$ticket = $stmt->fetch(PDO::FETCH_ASSOC);
// Check if ticket exists
if (!$ticket) {
    exit('Invalid ticket ID!');
}
// Update status
if (isset($_GET['status']) && in_array($_GET['status'], array('open', 'closed', 'resolved'))) {
    $stmt = $pdo->prepare('UPDATE tickets SET status = ? WHERE id = ?');
    $stmt->execute([ $_GET['status'], $_GET['id'] ]);
    header('Location: view.php?id=' . $_GET['id']);
    exit;
}
// Check if the comment form has been submitted
if (isset($_POST['msg']) && !empty($_POST['msg'])) {
    // Insert the new comment into the "tickets_comments" table
    $stmt = $pdo->prepare('INSERT INTO tickets_comments (ticket_id, msg) VALUES (?, ?)');
    $stmt->execute([ $_GET['id'], $_POST['msg'] ]);
    header('Location: view.php?id=' . $_GET['id']);
    exit;
}
$stmt = $pdo->prepare('SELECT * FROM tickets_comments WHERE ticket_id = ? ORDER BY created DESC');
$stmt->execute([ $_GET['id'] ]);
$comments = $stmt->fetchAll(PDO::FETCH_ASSOC);
?>

1 個解決方案

解決方案1
 3 已采納  2020-10-26 04:55:59

將條件添加到從 MySQL 檢索票證的 SQL 中:

$stmt = $pdo->prepare('SELECT * FROM tickets WHERE id = ? AND user = ?');
$stmt->execute([ $_GET['id'], $_SESSION['name']]);
$ticket = $stmt->fetch(PDO::FETCH_ASSOC);

這是最快、最有效的解決方案。

或者,您可以先獲取票證,然后檢查用戶:

$stmt = $pdo->prepare('SELECT * FROM tickets WHERE id = ?');
$stmt->execute([ $_GET['id'] ]);
$ticket = $stmt->fetch(PDO::FETCH_ASSOC);

// Check if ticket exists
if (!$ticket) {
    exit('Invalid ticket ID!');
}

// Check if ticket belongs to correct user
if ($ticket['user'] !== $_SESSION['name']) {
    exit('Not your ticket!');
}

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 在Laravel中基於用戶角色限制數據訪問 限制用戶訪問特定頁面 - Wordpress Codeigniter:限制用戶訪問自己的個人資料頁面 PHP Kerberos:檢查有效票證/訪問票證 限制變量訪問 Apache限制對文件夾的訪問 限制對特定頁面的訪問 限制Codeigniter中的訪問權限 限制對php文件的訪問 在PHP中限制IFRAME訪問
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM