Home > Article > Backend Development > It is terrible and shameful to have loopholes and do nothing!
It is terrible and shameful to have loopholes and do nothing!
- WBOYOriginal
- 2016-07-29 09:10:29864browse
Security issue:
Do you have permission to perform CURD? Because the parameters are in the address bar and can be modified (or the parameters are in the html page, you can use firebug to modify the source code), so before performing CURD, you must first check whether the operator Own this record, for example: query whether this record belongs to this operator based on the store ID and passed parameters. If it does not, it will prompt (illegal operation, has been recorded!, to achieve the purpose of warning)
For example:
<span>/*</span><span> * 校验是否有权限进行CURD
</span><span>*/</span><span>public</span><span>function</span> check_rbac(<span>$theme_id</span><span>){
</span><span>$model</span>=<span>M();
</span><span>$adm_session</span> = es_session::get(<span>md5</span>(conf("BI_AUTH_KEY")), 1<span>);
</span><span>$location_id</span>=<span>$adm_session</span>['supplier_locations'<span>];
</span><span>$map</span>=<span>array</span>('id'=><span>$theme_id</span>,'location_id'=><span>$location_id</span><span>);
</span><span>$result</span>=<span>$model</span>->where(<span>$map</span>)->getField('id'<span>);
</span><span>if</span>(<span>empty</span>(<span>$result</span><span>)){
</span><span>$this</span>->error('非法操作,已被记录!'<span>);
}
}</span>
The above has introduced that it is terrible and shameful to have loopholes and do nothing! , including relevant content, I hope it will be helpful to friends who are interested in PHP tutorials.