How PHP hides URL address bar parameters

Source: Internet
Author: User
I use PHP to make a page. If you click on a user to view the user information, the URL bar shows: http://www.abc.com/index.php?user_id=39, and modifying the number lets you see other users. That's not safe, is it?

In what way can you avoid this problem, so that only something like "http://www.abc.com/" or "http://www.abc.com/index.php" appears in the URL?
Please advise on the specific practice!


Reply to discussion (solution)

Modifying the number lets you see other users. That's not safe, is it?
This security issue does not need hiding the URL parameters to resolve. Use $_SESSION to determine whether the current user is the user_id given in the parameter: if so, it can be viewed, otherwise it cannot. And viewing other users' information should be allowed; you can filter out some private information in the view.

It can be passed through a cookie or the session.

Can you write detailed code, please? Thank you.

How to write it? Can you attach the code? I really do not understand.

This is a privilege control problem.
http://my.csdn.net/xuzuning and http://my.csdn.net/, for example, are different.

The simplest thing is to use the session to compare.
As for the code, write it yourself; if it has a bug or does not run, then ask.

First of all, you have to store the UID in the SESSION after the user logs in. For example, in login.php:

    session_start();
    $_SESSION['uid'] = $xxx; // xxx is the UID of the user table, read after the login check succeeds

Then, for example, in userinfo.php:

    session_start();
    if ($_SESSION['uid'] == intval($_GET['user_id'])) {
        // display the currently logged-in user's information
    } else {
        // can display information of other users (query the user table with the UID and display the information as needed)
        // can also give the error message directly, telling him that he cannot view the user's information
    }

Sorry, I still do not understand. Is $_SESSION['uid'] = xxx placed on the login HTML page or on the PHP page? And where exactly does if ($_SESSION['uid'] == intval($_GET['user_id'])) go: on the HTML page after login, or on the PHP page that does the check after login?

$_SESSION['uid'] = xxx is placed in the PHP script. In that script, after completing the login information check, set $_SESSION['uid'] = xxx, where xxx should be the UID fetched from the users table based on the user's login form fields.

if ($_SESSION['uid'] == intval($_GET['user_id'])) should be placed in the PHP script after login. If the user_id that came from GET is consistent with $_SESSION['uid'], the user information from the user information table is assigned to $userinfo and then the HTML page is included; the HTML page has PHP code embedded, such as for the user name.
If the argument is not the same as $_SESSION['uid'], then the user information to be viewed is not the currently logged-in user. If you want to display that user's information, still fetch it from the user information table based on the user_id from GET; you can selectively display some of the user information and not show the private parts. If you do not want to display any user's information other than the current user's, use header('Location: xxxxx') directly to jump to an error page that says his information cannot be viewed.
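The following is an added example (not code from the thread) putting the two halves of the advice above together: login.php stores the authenticated UID in the session, and userinfo.php uses user_id from the URL only to choose which profile to load, while $_SESSION['uid'] decides how much of it may be shown. It assumes a PDO connection $pdo and a users table with columns uid, username, password_hash and email.

```php
<?php
// Added example; assumes a PDO connection $pdo and a `users` table
// with columns uid, username, password_hash, email.
session_start();

// --- login.php: store the authenticated user's UID in the session ----------
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT uid, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;                        // unknown user or wrong password
    }
    session_regenerate_id(true);             // fresh session id after login
    $_SESSION['uid'] = (int) $row['uid'];    // the only trusted answer to "who am I?"
    return true;
}

// --- userinfo.php: user_id from the URL picks WHICH profile to show;
//     $_SESSION['uid'] decides HOW MUCH of it the requester may see -------
function userInfo(PDO $pdo, int $requestedId): ?array
{
    if (!isset($_SESSION['uid'])) {
        return null;                         // not logged in: show nothing
    }
    $stmt = $pdo->prepare('SELECT uid, username, email FROM users WHERE uid = ?');
    $stmt->execute([$requestedId]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return null;                         // no such user
    }
    if ((int) $user['uid'] !== $_SESSION['uid']) {
        unset($user['email']);               // someone else's profile: public fields only
    }
    return $user;
}

// The URL can stay http://www.abc.com/userinfo.php?user_id=39; editing the
// number only ever yields another user's public fields, never their private ones.
$info = userInfo($pdo, intval($_GET['user_id'] ?? 0));
if ($info === null) {
    header('Location: error.php');           // jump to an error page, as the reply suggests
    exit;
}
echo 'User name: ', htmlspecialchars($info['username']);
```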
