
PHP+MYSQL program under attack, looking for countermeasures

Jun 06, 2016 08:09 PM
mysql php

It is a shopping-like program, and the flow in the program is as follows:

1. The user sends a request to place an order
2. Check that all parameters are present and valid
3. Check that the user's balance is sufficient
4. Write to the order table
5. Write to the user table, reducing the user's balance
6. Write to the record table, recording what the user ordered and how much was spent

Today I found a magical user who placed 20 orders within 1 second! Whether it really was within 1 second I have no way to tell, because the database is only accurate to the second.
Even stranger:

1. Even though the balance was clearly insufficient, it still went on to the subsequent steps
2. Writing to the order table succeeded and writing to the record table succeeded, but the balance was simply not deducted

I have thought about it over and over and cannot work out what is going on. Has anyone run into this? How should it be handled?

** Other users are completely normal; only this one who places many orders in an instant is abnormal.

<code>    public function orderCreate(Request $request, Response $response) {
        
        if(!$user = session('wechat.oauth_user')){
            return response()->json([
                'error' => '身份驗證失敗,請重新打開頁面再試'
            ]);
        }

        if(is_null($request->input('object', NULL))
        || is_null($request->input('stake', NULL))
        || is_null($request->input('time', NULL))
        || is_null($request->input('direction', NULL))){
            return response()->json([
                'error' => '參數提交不全,請重新打開頁面再試'
            ]);
        }

        if($request->input('stake') != 20
        && $request->input('stake') != 50
        && $request->input('stake') != 100
        && $request->input('stake') != 200
        && $request->input('stake') != 500
        && $request->input('stake') != 1000
        && $request->input('stake') != 2000
        && $request->input('stake') != 3000){
            return response()->json([
                'error' => '參數提交錯誤,請重新打開頁面再試'
            ]);
        }

        if($request->input('time') != 60
        && $request->input('time') != 120
        && $request->input('time') != 180
        && $request->input('time') != 240
        && $request->input('time') != 300){
            return response()->json([
                'error' => '參數提交錯誤,請重新打開頁面再試'
            ]);
        }

        if($request->input('direction') != 1
        && $request->input('direction') != 0){
            return response()->json([
                'error' => '參數提交錯誤,請重新打開頁面再試'
            ]);
        }

        if(!$object = Object::find($request->input('object'))){
            return response()->json([
                'error' => '參數提交錯誤,請重新打開頁面再試'
            ]);
        }
        
        $object_latestPrice = Price::where('id_object', $object->id)->orderBy('created_at', 'desc')->first();
        if((strtotime($object_latestPrice->body_price_time) + 300) < time()){
            return response()->json([
                'error' => '休市期間無法進行交易'
            ]);
        }
        
        if(!$user = User::where('id_wechat', $user->id)->first()){
            return response()->json([
                'error' => '身份驗證失敗,請重新打開頁面再試'
            ]);
        }
        
        if(floatval($user->body_balance) < $request->input('stake')){
            return response()->json([
                'error' => '帳戶可用餘額不足,請先充值後再交易'
            ]);
        }

        if($user->is_disabled > 0){
            return response()->json([
                'error' => '帳戶已被封禁,无法进行交易'
            ]);
        }

        $order = new Order;
        $order->id_user = $user->id;
        $order->id_object = $object->id;
        $order->body_price_buying = $object_latestPrice->body_price;
        $order->body_stake = $request->input('stake');
        $order->body_bonus = $object->body_profit * $request->input('stake');
        $order->body_direction = $request->input('direction');
        $order->body_time = $request->input('time');
        $order->save();

        $user->body_balance = floatval($user->body_balance) - floatval($order->body_stake);
        $user->body_transactions = floatval($user->body_transactions) + floatval($order->body_stake);
        $user->save();

        $record = new Record;
        $record->id_user = $user->id;
        $record->id_order = $order->id;
        $record->body_name = $request->input('direction') == 1? '買入看漲' : '買入看跌';
        $record->body_direction = 0;
        $record->body_stake = $order->body_stake;
        $record->save();

        return response()->json([
            'result' => $order->toArray()
        ]);

    }</code>

UPDATE:
Now, after the big pile of condition checks, I want to switch to handling this with a transaction, but is this the right way to write a Laravel transaction? Or rather, will writing it like this achieve what I want? A bit confused - -

<code>        DB::beginTransaction();

        $user->body_balance = floatval($user->body_balance) - $request->input('stake');
        $user->body_transactions = floatval($user->body_transactions) + $request->input('stake');
        $user->save();

        // NOTE: this condition was garbled in extraction and has been reconstructed;
        // whatever the original did when the balance went negative was lost.
        if($user->body_balance >= 0){
            $order = new Order;
            $order->id_user = $user->id;
            $order->id_object = $object->id;
            $order->body_price_buying = $object_latestPrice->body_price;
            $order->body_stake = $request->input('stake');
            $order->body_bonus = $object->body_profit * $request->input('stake');
            $order->body_direction = $request->input('direction');
            $order->body_time = $request->input('time');
            $order->save();

            $record = new Record;
            $record->id_user = $user->id;
            $record->id_order = $order->id;
            $record->body_name = $request->input('direction') == 1? '買入看漲' : '買入看跌';
            $record->body_direction = 0;
            $record->body_stake = $order->body_stake;
            $record->save();

            $this->computeNetwork($user, $order);

            if($order->body_time == 60) $this->computePrice($user, $order, $object);
            
        }

        DB::commit();</code>

Replies:

I have never seen money transactions executed without opening a transaction. Please use a transaction to solve this kind of problem.

Update:
Someone answered that deducting the money first is enough. The answer is no; in MySQL this operation definitely cannot be completed without a transaction.
Here is an example of deducting first without a transaction:

  1. Request A arrives and queries the balance; the balance is sufficient.

  2. At this point request B barges in and also queries the balance; the balance is sufficient.

  3. Request A starts updating the balance and then performs the other operations.

  4. Request B also starts updating the balance and performs the other operations.

So this still does not solve the concurrency problem.

+1 for transactions, and check the important conditions such as the amount first.

I did not fully follow your code's implementation, but I guess you may be reading dirty data.
You can try the following approach:
trans begin
sql: update xxx set balance = balance - amount   (the debit)
sql: select balance from xxx   (get the balance after the debit)
if (balance < 0) rollback else commit

With 20 concurrent orders, each one finds the balance sufficient at the time of the check, and then the table writes happen: the first balance deduction succeeds and the next 19 fail, but your code does not handle this at all, which leads to orders being created without the balance being deducted.
The solution has been given above: use a transaction, first update the balance column, then do the remaining operations. That way, under concurrency there is a lock on the balance, and other requests have to wait until this request is committed or rolled back before they can run.

First, the code the OP posted last still has problems.

In general, this needs transactions and locks, while avoiding some pitfalls.

First, check MySQL's transaction isolation level; we need to be at REPEATABLE READ.
Second, confirm the production database architecture and make sure reads and writes use the same database connection (especially with read/write splitting).
Third, begin the transaction first.
Fourth, after opening the transaction, the very first statement is a SELECT ... FOR UPDATE to read the user's balance (avoiding the consistent non-locking read).
Fifth, do the funds check and deduction; note that for PHP arithmetic, use bcmath.
Sixth, all funds operations should be logged, and every data anomaly or code error should be logged.
Seventh, commit the transaction after the business operations.

Put the balance deduction first. The current logic did execute, but an error occurred during the deduction, e.g. the amount column cannot be less than 0. If the deduction is done first, you can check whether it succeeded and otherwise report an error!

The problem is in steps 3, 4 and 5; this kind of logic breaks when concentrated concurrent requests like this appear. The correct logic is:
3 - update table set balance = balance - amount where user_id = ? & balance > amount; check the number of rows affected by this update, and if it is 0 nothing was updated at all, meaning the balance is already insufficient
4 - write the order
and there is no step 5 anymore

The problem with the original logic is that at step 3, when querying, the balance really is sufficient, but by the time of step 5 when the balance is deducted, that is no longer guaranteed.

Hmm, to add: 有明 is right that even after changing the logic, places involving important data are best handled with a transaction.
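The conditional UPDATE with an affected-rows check that this answer describes, wrapped in the transaction the earlier answers ask for, as an added example that is not code from the thread. It runs stand-alone on an in-memory SQLite database via PDO; the names users.body_balance and orders.body_stake are taken from the question's code, the seed balance is constructed, and on MySQL/InnoDB the same UPDATE takes the row lock mentioned above.

```php
<?php
// Added example, not code from the thread: debit-then-insert in one transaction using
// the conditional UPDATE + affected-rows check from the answer above. Stand-alone on
// in-memory SQLite via PDO; users.body_balance / orders.body_stake are the question's
// names, the seed data is constructed.
function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, body_balance REAL NOT NULL)');
    $db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY AUTOINCREMENT, id_user INTEGER NOT NULL, body_stake REAL NOT NULL)');
    $db->exec('INSERT INTO users (id, body_balance) VALUES (1, 100)'); // constructed seed
    return $db;
}

// Returns the new order id, or null if the balance was insufficient.
function placeOrder(PDO $db, int $userId, float $stake): ?int
{
    $db->beginTransaction();
    try {
        // Steps 3 and 5 of the question collapsed into one statement: the balance is
        // re-checked at write time, under the row lock, so a stale earlier read cannot
        // let a second request through, and the arithmetic stays in SQL, not PHP floats.
        $debit = $db->prepare('UPDATE users SET body_balance = body_balance - ? WHERE id = ? AND body_balance >= ?');
        $debit->execute([$stake, $userId, $stake]);
        if ($debit->rowCount() !== 1) {
            $db->rollBack();          // nothing was debited: refuse the order
            return null;
        }
        // The order row is written only after the debit succeeded, so an order can
        // never exist without its matching deduction (the symptom in the question).
        $ins = $db->prepare('INSERT INTO orders (id_user, body_stake) VALUES (?, ?)');
        $ins->execute([$userId, $stake]);
        $orderId = (int) $db->lastInsertId();
        $db->commit();
        return $orderId;
    } catch (Throwable $e) {
        $db->rollBack();              // any error (e.g. a CHECK constraint) undoes the debit
        throw $e;
    }
}

// Six orders of 20 against a balance of 100: five succeed, the sixth is refused.
$db = setupDb();
$results = [];
for ($i = 0; $i < 6; $i++) {
    $results[] = placeOrder($db, 1, 20.0);
}
$balance = $db->query('SELECT body_balance FROM users WHERE id = 1')->fetchColumn();
printf("orders: %s balance: %s\n", json_encode($results), $balance);
```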

Same as above: anything involving money or the like must use a transaction.
