检查表数据是否已在firebug中操作的最简单方法是什么?
I have a table, that obviously has ids for each row. When a user clicks on a table row he is taken to a different page where it shows the full data(The different page is really the same page which is unhid after the load event).
I am picking up the click event with jquery and then sending the id to jquery load and it loads in the data.
The problem is this. If the person using the page has firebug installed he can manipulate the id on the table and maybe access something he shouldn't be accessing.
So I have had to write a function that checks the id coming in can be accessed by that user.
function checkID($searchColumn,$userColumn,$tablename,$table_id,$user_id)
{
Global $db;
$query = "SELECT `{$userColumn}` FROM $tablename WHERE `{$searchColumn}`=?";
//echo $query;
$stmt = $db->prepare($query);
$stmt->bind_param('i',$table_id);
$stmt->execute();
$stmt->bind_result($myuser_id);
if($stmt->fetch())
{
if($myuser_id==$user_id):
return true;
else:
return false;
endif;
}
}
Basically the above function gives me a true or false depending on whether that id can be accessed by the user.
Is there a better way to check if data has been manipulated in firebug on server side?
Basically I want to make sure the id being sent to the server is the same id that is in the table, and not been manipulated by firebug. Even though my function works I keep thinking perhaps there is a simpler solution. What do the professionals do?
我有一个表,显然每行都有id。 当用户点击一个表格行时,他会被带到另一个页面,在那里它显示完整的数据(不同的页面实际上是加载事件后unhid的同一页面)。 p>
我正在使用jquery接收click事件,然后将id发送到jquery load并加载到数据中。 p>
问题是这样的。 如果使用该页面的人安装了firebug,他可以操作表上的id并可能访问他不应该访问的内容。 p>
所以我必须编写一个函数来检查 进入的id可由该用户访问。 p>
function checkID($ searchColumn,$ userColumn,$ tablename,$ table_id,$ user_id)
{
Global $ db ;
$ query =“SELECT` {$ userColumn}`FROM $ tablename WHERE` {$ searchColumn}`=?”;
// echo $ query;
$ stmt = $ db-> prepare($ query );
$ stmt-> bind_param('i',$ table_id);
$ stmt-> execute();
$ stmt-> bind_result($ myuser_id);
if($ stmt-> fetch())
{
if if($ myuser_id == $ user_id):
return true;
else:
return false;
endif;
}
}
pre>
基本上上面的函数给出了一个真或假,取决于用户是否可以访问该id。 p>
是否有 更好的方法来检查数据是否已在服务器si上的firebug中操作 de? p>
基本上我想确保发送到服务器的id与表中的id相同,而不是由firebug操纵。 即使我的功能有效,我仍然在想也许有一个更简单的解决方案。 专业人士做了什么? p>
div>
Data coming from the client always needs to be validated and sanitized on the server side.
I.e. if $searchColumn, $userColumn, $tablename, $table_id and $user_id come in as request variables, you need to check each of them for validity. Especially $userColumn, $tablename and $searchColumn need to be checked carefully for SQL injections, because they are added before you call prepare().
If you don't require the flexibility, you should enter the table and column names into the string.
You may even keep the user ID on the server side (as session variable) and only set it once on login, so you can get rid of the check completely. The tables referencing the user data still need to have a column with the user ID, though.
To ensure that a user can only access the data (s)he's supposed to see, you need to include the user ID in the query.
Example:
Imagine you have orders and order items in an 1 to m relation. You show the user the list of orders (s)he has made. When the user now chooses an order to display its items you can include the user ID in the query to ensure the user cannot access orders of other users.
Then the SELECT statement may look like this:
SELECT oi.name,
oi.description
oi.price
FROM order_item oi
INNER JOIN order o ON o.id = oi.order_id
WHERE o.id = ?
AND o.userID = ?
When the user then provides an ID of another user's order, there won't be any items returned.
This could also be done in two steps by first making a query against the order table to check whether the order is assigned to the user and if so, making a query against the order items.