
It is terrible and shameful to have loopholes and do nothing! , vulnerability as_PHP Tutorial

By WBOY (Original), 2016-07-12 09:03:27


Security issue:

Does the operator have permission to perform this CRUD operation? Because the parameters are in the address bar and can be modified (or the parameters are in the HTML page, where a tool such as Firebug can be used to change them), before performing any CRUD operation you must first check whether the operator actually owns the record. For example: query whether the record belongs to the operator by combining the store ID from the session with the passed parameters. If it does not, show a prompt ("Illegal operation, it has been recorded!") to serve as a warning.

For example:

    /*
     * Check whether the operator has permission to perform CRUD on this record
     */
    public function check_rbac($theme_id){
        $model = M();
        // Load the logged-in admin's session (es_session helper, keyed by the configured auth key)
        $adm_session = es_session::get(md5(conf("BI_AUTH_KEY")), 1);
        // The store (location) the operator belongs to comes from the server-side session,
        // never from the request, so it cannot be altered in the address bar
        $location_id = $adm_session['supplier_locations'];
        // The record must match both the requested id and the operator's own location
        $map = array('id' => $theme_id, 'location_id' => $location_id);
        $result = $model->where($map)->getField('id');
        if(empty($result)){
            // Record not found for this operator: refuse the operation
            $this->error('非法操作,已被记录!');
        }
    }
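The same ownership check rewritten against plain PDO with an in-memory SQLite table, so it runs stand-alone, as an added example that is not part of the original post or its ThinkPHP project. The table and column names, the session layout, and the log file path are assumptions; the insecure handler is shown beside the checked one to make the difference visible.

```php
<?php
// Added example, not the original page's code. Assumes PHP with pdo_sqlite.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE theme (id INTEGER PRIMARY KEY, location_id INTEGER, name TEXT)');
// Constructed sample data: theme 1 belongs to store 10, theme 2 to store 20.
$pdo->exec("INSERT INTO theme VALUES (1, 10, 'store-10 theme'), (2, 20, 'store-20 theme')");

// Constructed session: the logged-in operator belongs to store (location) 10.
$session = ['supplier_locations' => 10];

// Insecure: trusts the id from the URL and never asks who owns the record.
function load_theme_insecure(PDO $pdo, int $theme_id): ?array
{
    $st = $pdo->prepare('SELECT * FROM theme WHERE id = ?');
    $st->execute([$theme_id]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Checked: the owning store comes from the server-side session, not from the
// request, and is part of the WHERE clause, exactly as check_rbac() does above.
function load_theme_checked(PDO $pdo, array $session, int $theme_id): ?array
{
    $st = $pdo->prepare('SELECT * FROM theme WHERE id = ? AND location_id = ?');
    $st->execute([$theme_id, $session['supplier_locations']]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // The page's message says the attempt "has been recorded": actually record it,
        // so that repeated probing of other stores' ids can be reviewed later.
        // The log path is an assumption.
        error_log(sprintf("illegal access attempt: theme=%d location=%d\n",
            $theme_id, $session['supplier_locations']), 3, '/tmp/rbac.log');
        return null;
    }
    return $row;
}

// Store-10 operator asks for theme 2 (store 20), e.g. after editing ?id=2 in the address bar.
$leaked  = load_theme_insecure($pdo, 2);            // returns the foreign record
$refused = load_theme_checked($pdo, $session, 2);   // returns null and logs the attempt
$own     = load_theme_checked($pdo, $session, 1);   // returns the operator's own record

echo 'insecure handler leaked foreign record: ' . ($leaked !== null ? 'yes' : 'no') . PHP_EOL;
echo 'checked handler refused foreign record: ' . ($refused === null ? 'yes' : 'no') . PHP_EOL;
echo 'checked handler served own record: ' . ($own !== null ? 'yes' : 'no') . PHP_EOL;
```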

