php - Determine whether the user has permission to access
仅有的幸福 2017-05-16 13:01:46

There is a problem: when querying data through URL parameters, the data is generally queried by id.
For example, if you want to query the details of an order, the id is the id of the order details table:

"http://localhost/index/order/detail/id/3.html"

So can I change this id to query other people's order details?
When I build the order details page, do I need to determine whether the order belongs to this customer? Is it troublesome to check this every time?
Or should I query by order number instead?


reply all(8)
给我你的怀抱

When an id is passed to the backend, the database query should not use only the condition id=id.
It should also carry other conditions, such as the uid of the logged-in user, or the user account stored in the session.

Of course, you'd better do something to prevent SQL injection. If people access your SQL in the form of id=1";, your SQL will be very dangerous.

仅有的幸福

The problem of permissions should be judged by the backend. Logically speaking, the frontend should pass an order id to the server (you pass the url parameter here), and then the backend will look up the table and return the data to the frontend. Regarding the issue of permissions, the backend can first determine whether the user has the permission to call this interface after receiving the interface call information from the front end. If so (and the logical data is reasonable, etc.), the data will be returned. If not, it will directly return that there is no permission. Access is controlled in this way.

过去多啦不再A梦

The real order is confusing. The request is not really the primary key field of the data table, so you have to change it yourself

PHPzhong

Viewing order details requires at least two parameters, the order id and the current user id. The backend should first determine whether it has received these two parameters correctly, then find the corresponding order information based on the order ID, and then match the current user ID with the order user ID in the order information. If they are inconsistent, it will prompt that they have no access rights.

曾经蜡笔没有小新

1. The same id should not be used as the basis for the order query; use a uuid, for example.
2. The order table contains a field recording which customer the order belongs to. Include this condition when querying.

phpcn_u1582

The relationship between user UID and order ID is &&.

黄舟

When checking the order, it should be:

```sql
-- 订单表 = the orders table; "id" and "uid" stand for the requested order id
-- and the logged-in user's id (placeholders, not literal strings)
select * from 订单表 where id="id" and uid="uid";
```

PHPzhong

1. First determine whether the user is logged in, using the session to check this;
2. Determine whether the user has permission to access the order details based on the user id.
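The checks described in the replies above (session login check, then a query scoped by both order id and the logged-in uid, with a prepared statement to rule out injection), as an added PHP example that is not code from this thread. The table name `orders`, its columns, the `$_SESSION['uid']` key, the `$route` array and the existing `$pdo` connection are all assumed.

```php
<?php
// Added example, not from the thread. Assumes a table orders(id, uid, total, created_at),
// a PDO connection in $pdo, and a login flow that stored the user's id in $_SESSION['uid'].
function currentUserId(): ?int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return isset($_SESSION['uid']) ? (int) $_SESSION['uid'] : null;
}

function findOrderForUser(PDO $pdo, int $orderId, int $uid): ?array
{
    // Ownership is part of the WHERE clause, so an order belonging to another
    // user simply does not match; bound placeholders prevent SQL injection.
    $stmt = $pdo->prepare(
        'SELECT id, uid, total, created_at FROM orders WHERE id = :id AND uid = :uid'
    );
    $stmt->execute([':id' => $orderId, ':uid' => $uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Controller-style entry point for a route like /index/order/detail/id/3.html
function orderDetail(PDO $pdo, array $route): void
{
    $uid = currentUserId();
    if ($uid === null) {
        http_response_code(401);
        echo json_encode(['error' => 'login required']);
        return;
    }
    // Validate the route parameter before it reaches the query.
    if (!isset($route['id']) || !ctype_digit((string) $route['id'])) {
        http_response_code(400);
        echo json_encode(['error' => 'invalid order id']);
        return;
    }
    $order = findOrderForUser($pdo, (int) $route['id'], $uid);
    if ($order === null) {
        // Same response whether the order is missing or belongs to someone else,
        // so the id cannot be used to probe which orders exist.
        http_response_code(404);
        echo json_encode(['error' => 'order not found']);
        return;
    }
    echo json_encode($order);
}
```

Because the uid comes from the server-side session rather than the request, changing the id in the URL can only ever return the caller's own orders.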
