广告合作QQ:76874919

php – CodeIgniter应用程序中的URL安全性

PHP 2020-08-21
免责声明:我是网络开发的新手.

场景:我使用CodeIgniter构建了一个应用程序,最好将其描述为事件日历.应用程序中有一个共享功能,允许您与其他人共享您的活动日历.登录后,用户可以前往共享页面,并从与他们共享活动日历的人员列表中进行选择.目前,当用户选择与他们共享活动日历的人员的姓名时,会生成以下URI:

http://example.com/folder/controller/method/id

id部分是与个人共享其日历的用户数据库中的owner_id.

问题:很容易将URL的id部分更改为数据库中的另一个用户的owner_id.这允许这样做的人访问未授权共享其活动日历的个人的活动日历.

问题:解决此安全漏洞的方法有哪些?如果还有其他我需要提供的内容,或者以更清晰的方式解释,请告诉我.提前感谢您的时间和精力.

模型:

class Shares_model extends crud_model {

    public function __construct()
    {
        parent::__construct();

        $this->pk = 'id';
        $this->table_name = 'shares';
    }

    public function get($shared_to_user_id)
    {
        $this->db->where('shared_to_id',$shared_to_user_id);
        $ids = parent::get_all();

        $users = array();

        foreach ($ids as $id)
        {
            $users[$id->owner_id]['owner_id'] = $id->owner_id;
            $users[$id->owner_id]['owner_first_name'] = $id->owner_first_name;
            $users[$id->owner_id]['owner_last_name'] = $id->owner_last_name;
        }

        return $users;
    }   
}

视图:

<div class="panel">
    <h4>Shared Planners</h4>
        <ol>
            <?PHP foreach($sharers as $s): ?>
            <li><a href="<?PHP echo base_url('user/shared/view/'.$s['owner_id']) ?>"><strong><?PHP echo $s['owner_first_name']." ".$s['owner_last_name'] ?></strong></a></li>
            <?PHP endforeach; ?>
        </ol>
</div>

控制器:

class Shared extends Common_Auth_Controller {

    private $end_user;

    public function __construct()
    {
        parent::__construct();

        $this->end_user = $this->ion_auth->user()->row();
        $data['end_user'] = $this->end_user;
        $this->load->vars($data);

        $this->load->model('events_model','events');
    }

    public function index()
    {
        $title['title'] = 'Shared';

        $this->load->model('shares_model','shares');

        $data['sharers'] = $this->shares->get($this->end_user->id);

        $this->load->view('public/head_view',$title);
        $this->load->view('user/header_view');
        $this->load->view('user/shared_view',$data);
        $this->load->view('user/footer_view');
    }

解决方法

使用以下逻辑 

<?PHP
            // Check if user is logged in 
            if (!$this->ion_auth->logged_in())
            {
                //Not logged in,so redirect them to login page
                redirect('account/login','refresh');
            }

            else{
            // So the user is logged in 
            // Get the id of the currently logged in user ( The user who is trying to view the page )
            $current_user = $this->ion_auth->get_user();
            $current_userid = $current_user->id;


            // you need an array of users who have been invited to that event by the event creator
            // As you mentioned you are storing the users who have been invited in db,get the ids to an array 

            $invited_users = getIdsOfusers();

            if (in_array($current_userid,$invited_users)) {
                // Yes,The user who is trying to view the page has access
                // you can show him the respective view
            }
            else {
                // No,The user who is trying to view the page Doesn't have  access
                show_error('You dont have access !',500 );
            }
    }

    ?>

相关文章

Hessian通讯协议【附PHP源代码】
Hessian开源的远程通讯,采用二进制 RPC的协议,基于 HTTP 传输。可以实现PHP调用Java,Python,C#等多语...
初识Mongodb总结
初识Mongodb的一些总结,在Mac Os X下真实搭建mongodb环境,以及分享个Mongodb管理工具,学习期间一些总结...
初识Mongodb之[CURD]-PHP版
边看边操作,这样才能记得牢,实践是检验真理的唯一标准.光看不练假把式,光练不看傻把式,边看边练真把式....
php学习日志 - echo&print
在php中,结果输出一共有两种方式:echo和print,下面将对两种方式做一个比较。 echo与print的区别: (...
The mbstring extension is missing. Please check your PHP configuration错误及解决方法
在安装好wampServer后,一直没有使用phpMyAdmin,今天用了一下,phpMyAdmin显示错误:The mbstring exte...
php学习日志 - php变量
变量是用于存储数据的容器,与代数相似,可以给变量赋予某个确定的值(例如:$x=3)或者是赋予其它的变...