Leaving a vulnerability open and doing nothing about it is terrible and shameful!

WBOY
Release: 2016-07-29 09:10:29
Original

Security issue:

Does the operator actually have permission to perform this CRUD operation? The record ID arrives as a parameter in the address bar, where anyone can change it (or it sits in the HTML page as a hidden field, where a tool such as Firebug lets the user edit the form before submitting it). So before performing any create, read, update or delete, first check that the operator owns the record in question: for example, query whether the record belongs to the operator's store, using the store ID taken from the server-side session together with the ID passed in the request. The store ID must come from the session, never from the request, otherwise the attacker simply forges both values. If the record does not belong to the operator, refuse the operation and show a warning such as "Illegal operation, it has been recorded!", so that the attempt is both blocked and visibly deterred.

For example:

```php
/*
 * Check whether the operator is allowed to perform CRUD on this record.
 * (ThinkPHP-style controller method; es_session and conf() are the application's own helpers.)
 */
public function check_rbac($theme_id)
{
    $model = M();
    // The operator's identity comes from the server-side session, not from the request.
    $adm_session = es_session::get(md5(conf("BI_AUTH_KEY")), 1);
    $location_id = $adm_session['supplier_locations'];
    // The row must match BOTH the requested id and the operator's own store.
    $map = array('id' => $theme_id, 'location_id' => $location_id);
    $result = $model->where($map)->getField('id');
    if (empty($result)) {
        // Note: the message claims the attempt is recorded, but this method itself
        // writes no log; $this->error() aborts the request here.
        $this->error('Illegal operation, it has been recorded!');
    }
}
```
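The article checks ownership with a separate SELECT and then performs the operation. The example below, added here and not part of the original article or its application, shows the same idea generalised one step further: the ownership predicate is folded into the write statement itself, so a forged ID matches zero rows, and the "has been recorded" claim is backed by an actual audit-log insert. It runs stand-alone against an in-memory SQLite database; the table and column names (`themes`, `location_id`, `audit_log`), the sample rows and the function names are all assumptions made for the demonstration.

```php
<?php
// Added example (not the original article's code): ownership check before a CRUD
// operation, with PDO and an in-memory SQLite table. Table/column names, sample
// rows and function names are assumptions for this demonstration.

declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample data: two stores (location 10 and 20), one theme each.
    $db->exec('CREATE TABLE themes (id INTEGER PRIMARY KEY, location_id INTEGER NOT NULL, name TEXT)');
    $db->exec("INSERT INTO themes VALUES (1, 10, 'store-10 theme'), (2, 20, 'store-20 theme')");
    $db->exec('CREATE TABLE audit_log (ts TEXT, location_id INTEGER, theme_id INTEGER, action TEXT)');
    return $db;
}

// Vulnerable: trusts the id from the URL, so any logged-in operator can edit any row.
function updateThemeInsecure(PDO $db, int $themeId, string $name): int
{
    $st = $db->prepare('UPDATE themes SET name = :name WHERE id = :id');
    $st->execute([':name' => $name, ':id' => $themeId]);
    return $st->rowCount();
}

// Hardened: the ownership predicate is part of the statement, so a forged id
// simply matches zero rows. $operatorLocation must come from the server-side
// session (as in the article's check_rbac), never from the request.
function updateThemeScoped(PDO $db, int $operatorLocation, int $themeId, string $name): int
{
    $st = $db->prepare('UPDATE themes SET name = :name WHERE id = :id AND location_id = :loc');
    $st->execute([':name' => $name, ':id' => $themeId, ':loc' => $operatorLocation]);
    $affected = $st->rowCount();
    if ($affected === 0) {
        // The article's message says "has been recorded": actually record it.
        $log = $db->prepare('INSERT INTO audit_log VALUES (:ts, :loc, :id, :act)');
        $log->execute([':ts' => date('c'), ':loc' => $operatorLocation, ':id' => $themeId, ':act' => 'update-denied']);
        throw new RuntimeException('Illegal operation, it has been recorded!');
    }
    return $affected;
}

// Demonstration: the operator of store 10 tries to rename store 20's theme (id = 2).
$db = makeDb();
$operatorLocation = 10;

// Insecure path silently succeeds: one row changed that does not belong to store 10.
printf("insecure: %d row(s) changed\n", updateThemeInsecure($db, 2, 'hijacked'));

// Scoped path refuses and logs the attempt.
try {
    updateThemeScoped($db, $operatorLocation, 2, 'hijacked again');
} catch (RuntimeException $e) {
    echo "scoped: ", $e->getMessage(), "\n";
}

// Scoped path on the operator's own row still works: one row changed.
printf("scoped (own row): %d row(s) changed\n", updateThemeScoped($db, $operatorLocation, 1, 'renamed'));
printf("denied attempts logged: %d\n", (int) $db->query('SELECT COUNT(*) FROM audit_log')->fetchColumn());
```

Putting the ownership condition in the UPDATE/DELETE itself removes the window between a separate "does this belong to me?" SELECT and the write, and it deliberately does not distinguish "record does not exist" from "record is not yours", so the response leaks nothing about other stores' IDs. The same `AND location_id = :loc` clause belongs on every read as well, not only on writes.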

That is the whole point of this piece: never trust a record ID that arrives from the browser, and verify ownership on the server before every create, read, update or delete. I hope it is helpful to anyone interested in PHP.

source:php.cn