开发者

How to prevent URL variables tampering in PHP?

I am building a web app in CakePHP, authorized users can add, update, delete a record. In some controllers to add a record my URLs开发者_C百科 structure is like:

records/add/id_of_parent_record/secondvar:another_decision_dependent_value.

My concern is a user may tamper with these GET variables which would result in corrupting the whole record. I know i can use sessions for these vars, but I am looking for the best approach. Please share you knowledge and experience.


General rule of thumb is that URL variables (of any kind, so that includes everything in the URL) should only be used in selecting and displaying variables. This way, if the user screws up something, so what? They screwed up and you're not guaranteeing that support. They don't have easy ability to futz with backend data by pasting the wrong thing in (This is more or less the idea behind the RESTful GET).

If something needs to be modified, on the other hand, it should be done both with authentication (HTTP Authentication is considered more ideal) so that only users who have authority to modify can modify. It also is generally done through PUT/POST/DELETE request. In the PHP frameworks, POST would be the easiest/most common as PUT and DELETE take a good deal more effort for complete support in PHP.


Always use a POST request for this kind of stuff (Create, Update, Delete) , so it can't happen accidentally. But even if you use POST, do not trust user input.

Also have a look at Post/Redirect/Get.


In addition to the POST and Post/Redirect/Get advice.. In general:

Never ever trust any of the information you receive in a HTTP request (including GET parameters, POSTed data, Cookies and HTTP headers). Always ensure the user has permission to perform each action on the data objects in question and you always validate on the server side that the data is as sensible as you can, before accepting and processing it.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜