Problem description:

How do people usually verify that the information being fetched from a database is indeed related to the active user?

For example: let's say we list a group of PMs inside user x's inbox - how do I make sure that only user x can fetch something from the inbox, and not someone else (this would be done by "hacking" the address of course).

Obviously I could just compare the active username with what is in the database table, but is there no easy way I can control this globally somehow, without having to compare the active username with hundreds of different tables for different actions?

Answer:

Supposedly you're fetching the messages of the logged in user to begin with, no? Something like:

"SELECT * FROM `messages` WHERE `recipient` = '$loggedInUserId'"

If so, I don't understand the question. If that's not what you're doing, you're doing something wrong.

Answer:

Well, your application tracks users' sessions and ensures security. I.e. when a user logs in, the server sets a cookie with a session id, and by the session variable your server, upon a request for a page, will know which user is really requesting something (or maybe no logged-in user at all, if there is no cookie). Thus your application may use the user id from the session and the request URL to figure out whether it should show what is requested, or show an error message or redirect because the user is trying to access what is not his. Of course this is a bit more involved, but that's a start. I suggest reading on PHP sessions and cookies.

Answer:

That is what database query conditionals are for... only selecting the relative data.

Generally, once the person is logged in you would get their username and password from $_SESSION variables, query the database to make sure they are a valid user, then grab whatever you need using a WHERE username = '$username'.
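The three answers all amount to the same rule: take the user id from the server-side session, never from the URL, and put it in the WHERE clause. The following added example (not code from any of the answers above) shows one way to enforce that rule "globally", as the question asks, by routing every per-user read through a single helper that binds the session user id as a query parameter; the table registry, function names and the in-memory sample rows are constructed for illustration.

```python
import sqlite3

def build_db():
    """Constructed in-memory stand-in for the real inbox table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, recipient INTEGER, body TEXT)")
    db.executemany("INSERT INTO messages (id, recipient, body) VALUES (?, ?, ?)",
                   [(1, 10, "hello user 10"), (2, 20, "hello user 20"), (3, 10, "again user 10")])
    return db

def current_user_id(session):
    """The only trusted identity source is the server-side session, not the request URL."""
    uid = session.get("user_id")
    if uid is None:
        raise PermissionError("not logged in")
    return uid

# Hypothetical registry: which column marks the owner in each user-scoped table.
# Identifiers come from this allowlist, never from request input.
OWNED_TABLES = {"messages": "recipient"}

def fetch_owned(db, session, table, row_id=None):
    """Central chokepoint: every per-user read goes through here, so the ownership
    condition cannot be forgotten on one of "hundreds of different tables"."""
    owner_column = OWNED_TABLES.get(table)
    if owner_column is None:
        raise ValueError("table is not registered as user-owned: " + table)
    sql = f"SELECT id, body FROM {table} WHERE {owner_column} = ?"
    params = [current_user_id(session)]
    if row_id is not None:
        # A row id taken from the URL is only a *filter* on the user's own rows.
        sql += " AND id = ?"
        params.append(row_id)
    sql += " ORDER BY id"
    return db.execute(sql, params).fetchall()  # values are bound, never interpolated

def inbox(db, session):
    return fetch_owned(db, session, "messages")

def read_message(db, session, message_id):
    rows = fetch_owned(db, session, "messages", row_id=message_id)
    # None for both "no such message" and "not yours": the caller cannot tell them apart.
    return rows[0] if rows else None
```

Tampering with the message id in the address therefore yields nothing for rows owned by another user, and an anonymous request is refused before any query runs.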
