1. 首頁
  2. 問答
  3. 目錄應用安全

目錄應用安全

2011-11-23 62 views
0

所以,我有兩種類型的用戶可以登錄或註冊:商家或買家。目錄應用安全

當我作爲買家登錄時,使用:action="check_buyer.php",它將我重定向到我的網站上的login/buyer/。但是,現在,一旦登錄,我可以將網址從login/buyer更改爲login/merchant,它可以正常工作。我如何防止這種情況?正如你可以看到我正在使用會話...

如何在PHP中執行一個$_POST['userPermission'];的檢查,它將作爲INT(1)存儲在數據庫中並在我的會話中調用?

<?php 
session_start(); #recall session from index.php where user logged include() 

require_once('../inc/db/dbc.php'); 
$connect = mysql_connect($h, $u, $p) or die ("Can't Connect to Database."); 
mysql_select_db($db); 

$LoginUserName = $_POST['userName']; 
$LoginPassword = mysql_real_escape_string($_POST['userPass']); 
//connect to the database here 
$LoginUserName = mysql_real_escape_string($LoginUserName); 
$query = "SELECT uID, uUPass, dynamSalt 
     FROM User 
     WHERE uUName = '$LoginUserName';"; 
$result = mysql_query($query); 
if(mysql_num_rows($result) < 1) //no such USER exists 
{ 
    echo "Invalid Username and/or Password"; 
} 
$ifUserExists = mysql_fetch_array($result, MYSQL_ASSOC); 

$dynamSalt = $ifUserExists['dynamSalt']; #get value of dynamSalt in query above 
$SaltyPass = hash('sha512',$dynamSalt.$LoginPassword); #recreate originally created dynamic, unique pass 

if($SaltyPass != $ifUserExists['uUPass']) # incorrect PASS 
{ 
    echo "Invalid Username and/or Password"; 
} 

else { 
validateUser(); 
} 
// If User *has not* logged in yet, keep on /login 
if(!isLoggedIn()) 
{ 
    header('Location: index.php'); 
    die(); 
} 

function validateUser() 
{ 
    session_regenerate_id(); 
    $_SESSION['valid'] = 1; 
    $_SESSION['uID'] = $userid; 
} 

function isLoggedIn() 
{ 
    if(isset($_SESSION['valid']) && $_SESSION['valid']) 
     header('Location: buyer/'); # return true if sessions are made and login creds are valid 
    echo "Invalid Username and/or Password"; 
    return false; 
} 
?>

來源

2011-11-23 Walley

回答

1

您必須保存用戶的類型,當登錄到會話,並在頁眉檢查類型是否正確,或死頁/重定向/顯示一個消息......

例子:

1.- Retrive $從表例如,從「用戶類型」字段類型

$query = "SELECT uID, uUPass, dynamSalt,userType FROM User WHERE uUName = '$LoginUserName';";

2:添加到會話登錄類型值時

function validateUser() { 
    session_regenerate_id(); 
    $_SESSION['valid'] = 1; 
    $_SESSION['uID'] = $userid; 
    $_SESSION['type'] = $userType; // 1 for buyer - 2 for merchant 
}

3.-有限的用戶每一頁上使用頭部代碼來獲得用戶是否爲有效頁

示例僅供買家:

session_start(); 
if($_SESSION['type']!=1){ die("You are not a buyer. Access denied"} 

// The rest of your page here

示例頁面只對於商家:

session_start(); 
if($_SESSION['type']!=2){ die("You are not a merchant. Access denied"} 

// The rest of your page here

來源

2011-11-23 17:00:01 Dubas

+0

我認爲userType是tinyint(0或1)是最好的選擇 –

+0

感謝你們倆!擊中頭部! – Walley

相關問題

 相關問題