iml*_*ell 3 php database security codeigniter
免责声明:我是网络开发的新手.
场景:我使用CodeIgniter构建了一个应用程序,最好将其描述为事件日历.应用程序中有一个共享功能,允许您与其他人共享您的活动日历.登录后,用户可以前往共享页面,并从与他们共享活动日历的人员列表中进行选择.目前,当用户选择与他们共享活动日历的人员的姓名时,会生成以下URI:
http://example.com/folder/controller/method/id
该id部分是owner_id与个人共享日历的用户的数据库中的部分.
问题:很容易id将URL 的部分更改owner_id为数据库中的其他用户.这允许这样做的人访问未授权共享其活动日历的个人的活动日历.
问题:解决此安全漏洞的方法有哪些?如果还有其他我需要提供的内容,或者以更清晰的方式解释,请告诉我.提前感谢您的时间和精力.
型号:
class Shares_model extends crud_model {
public function __construct()
{
parent::__construct();
$this->pk = 'id';
$this->table_name = 'shares';
}
public function get($shared_to_user_id)
{
$this->db->where('shared_to_id', $shared_to_user_id);
$ids = parent::get_all();
$users = array();
foreach ($ids as $id)
{
$users[$id->owner_id]['owner_id'] = $id->owner_id;
$users[$id->owner_id]['owner_first_name'] = $id->owner_first_name;
$users[$id->owner_id]['owner_last_name'] = $id->owner_last_name;
}
return $users;
}
}
查看:
<div class="panel">
<h4>Shared Planners</h4>
<ol>
<?php foreach($sharers as $s): ?>
<li><a href="<?php echo base_url('user/shared/view/'.$s['owner_id']) ?>"><strong><?php echo $s['owner_first_name']." ".$s['owner_last_name'] ?></strong></a></li>
<?php endforeach; ?>
</ol>
</div>
控制器:
class Shared extends Common_Auth_Controller {
private $end_user;
public function __construct()
{
parent::__construct();
$this->end_user = $this->ion_auth->user()->row();
$data['end_user'] = $this->end_user;
$this->load->vars($data);
$this->load->model('events_model', 'events');
}
public function index()
{
$title['title'] = 'Shared';
$this->load->model('shares_model','shares');
$data['sharers'] = $this->shares->get($this->end_user->id);
$this->load->view('public/head_view', $title);
$this->load->view('user/header_view');
$this->load->view('user/shared_view', $data);
$this->load->view('user/footer_view');
}
使用以下逻辑
<?php
// Check if user is logged in
if (!$this->ion_auth->logged_in())
{
//Not logged in , so redirect them to login page
redirect('account/login', 'refresh');
}
else{
// So the user is logged in
// Get the id of the currently logged in user ( The user who is trying to view the page )
$current_user = $this->ion_auth->get_user();
$current_userid = $current_user->id;
// you need an array of users who have been invited to that event by the event creator
// As you mentioned you are storing the users who have been invited in db, get the ids to an array
$invited_users = getIdsOfusers();
if (in_array($current_userid, $invited_users)) {
// Yes, The user who is trying to view the page has access
// you can show him the respective view
}
else {
// No, The user who is trying to view the page Doesn't have access
show_error('You dont have access !' ,500 );
}
}
?>