
I have an admin page that lists a bunch of records, each with a checkbox next to it that sets the record to "active". Each checkbox has a value that corresponds to the record's ID in the database. If someone uses FireBug, they could easily change the checkbox value to a different number and affect the wrong record in the database.

I'm not very worried about this happening, since it's only an admin page with a single user and I'm pretty sure he knows nothing about FireBug.. but I'm just curious in case I run into this problem in the future on a more public-facing page.

Here is the code I have so far, so you can see what I'm doing.

HTML + PHP..

<input type="checkbox" class="active" name="active<?php echo $id; ?>" id="active<?php echo $id; ?>" <?php if ($active == 1): ?>checked="checked"<?php endif; ?> value="<?php echo $id; ?>">

jQuery ajax..

$("input.active").click(function() {
    // the loader element sits two siblings before the checkbox
    var loader = $(this).prev().prev();
    loader.css("visibility", "visible");

    // store the values from the form checkbox, then send via ajax below
    var check_active = $(this).is(':checked') ? 1 : 0;
    var check_id = $(this).attr('value');

    console.log(check_active);
    console.log(check_id);

    $.ajax({
        type: "POST",
        url: "active.php",
        data: {id: check_id, active: check_active},
        success: function() {
            loader.css("visibility", "hidden");
        }
    });
    return true;
});

Here is active.php ..

<?php

include("dbinfo.php");
mysql_connect($server,$username,$password);
@mysql_select_db($database) or die( "Unable to select database"); 

$active = mysql_real_escape_string($_POST['active']);
$id = mysql_real_escape_string($_POST['id']);

$addEntry = "UPDATE entries SET active = '$active' WHERE id = '$id'";
mysql_query($addEntry) or die(mysql_error());


mysql_close();
?>

2 Answers


You should set a $_SESSION value that contains their account information, so if they try to access an account that doesn't exist you can catch it and flag it appropriately. Just the ID number of their account would be enough. You definitely should not put it in a hidden field or anywhere the user can change it.

Answered 2012-06-22T14:04:37.277

You can't.

firebug has full control over the HTML.

But you're not worried about HTML, you're actually worried that the user will do something funky in active.php, which is exactly where you should add more protection.

If an admin has the right to edit the active state of entries, then he should be able to edit any entry he wants in any way that you will allow it.

The security issue that you describe where some malicious admin can change the id in the HTML and have the wrong record change the active state is nothing compared to an even more malicious user that can send a post request to your active.php page just like your ajax script does, but using his server, effectively having access to change any active state on any entry.

What you should do is perform some kind of authentication in active.php, be it using SESSIONS or HTTP.

Answered 2012-06-22T14:11:34.123
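Putting both answers together (authenticate the caller in active.php, and never trust the id that comes from the form), here is an added example of a hardened active.php; it is not code from the question or from either answer. It assumes that login already stored the user's id in $_SESSION['user_id'] and a per-session CSRF token in $_SESSION['csrf_token'], that the entries table has an owner_id column, and that dbinfo.php creates a PDO connection in $pdo.

```php
<?php
// Added example, not the asker's code. Assumed: $_SESSION['user_id'] and
// $_SESSION['csrf_token'] are set at login, entries has an owner_id column,
// and dbinfo.php defines $pdo as a PDO connection with
// PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION and
// PDO::MYSQL_ATTR_FOUND_ROWS => true (so rowCount() counts matched rows,
// not only changed ones; otherwise re-sending the same state looks like a miss).
session_start();
require 'dbinfo.php';

// 1. Authentication. The checkbox in the browser is irrelevant here: anyone
//    can POST to this URL directly, so the check has to live on the server.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('not logged in');
}

// 2. CSRF: a POST replayed from another site will not carry the session token.
//    The jQuery call would send it as data: {..., token: csrfToken}.
$token = $_POST['token'] ?? '';
if (!is_string($token) || !hash_equals($_SESSION['csrf_token'], $token)) {
    http_response_code(403);
    exit('bad token');
}

// 3. Input validation: id is a positive integer, active is exactly 0 or 1.
$id     = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
$active = filter_input(INPUT_POST, 'active', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 0, 'max_range' => 1]]);
if (!is_int($id) || !is_int($active)) {
    http_response_code(400);
    exit('bad input');
}

// 4. Authorization in the query itself: the WHERE clause ties the update to
//    the caller's own rows, so a tampered id that belongs to someone else
//    matches nothing. Bound parameters replace mysql_real_escape_string.
$stmt = $pdo->prepare(
    'UPDATE entries SET active = :active WHERE id = :id AND owner_id = :owner'
);
$stmt->execute([':active' => $active, ':id' => $id, ':owner' => $_SESSION['user_id']]);

if ($stmt->rowCount() === 0) {
    // Missing record or not this user's. Log it: a stream of these from one
    // session is exactly what id-guessing through FireBug or curl looks like.
    error_log(sprintf('active.php: user %d tried to toggle entry %d', $_SESSION['user_id'], $id));
    http_response_code(403);
    exit('not your record');
}

echo 'ok';
```

For the single-admin case in the question, the owner_id condition can be dropped, but steps 1 to 3 still matter because active.php is reachable without the page that renders the checkboxes.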