I use PHP to make a page; if you click on a user to view the user information, the URL bar shows http://www.abc.com/index.php?user_id=39, and modifying the number lets you see other users. That's not safe, is it?
How can this problem be avoided, so that only something like "http://www.abc.com/" or "http://www.abc.com/index.php" appears in the URL?
Please share the specific approach!
Reply to discussion (solution)
Modify the numbers to see additional users. That's not safe, is it?
This security issue does not need hiding the URL parameters to resolve. Use $_SESSION to determine whether the current user is the one identified by the value of the parameter user_id; if so, it can be viewed, otherwise it cannot. And viewing other users' information should be allowed; you can filter out some private information in the view.
It can be passed through a cookie or session.
Could you write detailed code, please? Thank you.
How should this be written? Could you attach the code? I really do not understand.
This is a privilege control problem.
http://my.csdn.net/xuzuning and http://my.csdn.net/, for example, are different.
The simplest thing is to use the session to compare.
As for the code, write it yourself; if there is a bug or it does not run, then ask.
First of all, you have to store the UID in the SESSION after the user logs in. For example, in login.php:

    session_start();
    $_SESSION['uid'] = $xxx; // xxx: the same as the UID value of the user in the user table

For example, in userinfo.php:

    session_start();
    if ($_SESSION['uid'] == intval($_GET['user_id'])) {
        // display the currently logged-in user's information
    } else {
        // can display information of other users (query the UID in the user table
        // with $_SESSION['uid'] and display the information as needed)
        // can also give the error message directly, telling him that he cannot
        // view that user's information
    }
Sorry, I still don't understand. Is $_SESSION['uid'] = xxx placed in the HTML page of the login, or in the PHP page? And if ($_SESSION['uid'] == intval($_GET['user_id'])) {, where exactly? Placed in the HTML page after login, or in the PHP page that does the check after login?
$_SESSION['uid'] = xxx is placed in the PHP script. In the script, after completing the login information check, set $_SESSION['uid'] = xxx, where xxx should be the UID taken from the users table based on the user's login form fields.
if ($_SESSION['uid'] == intval($_GET['user_id'])) should be placed in the PHP script after login. If the user_id that came from GET is consistent with $_SESSION['uid'], the user information from the user information table is assigned to $userinfo, and then the HTML page is included; the HTML page embeds PHP code, such as the user name:
If the parameter is not the same as $_SESSION['uid'], then the user information to be viewed is not the currently logged-in user's. If you want to display that user's information, still fetch it from the user information table based on the user_id from GET; you can selectively display some of the user information and not show some private information. If you do not want to display any user's information other than the current user's, use header('Location: xxxxx') directly to jump to an error page that tells him he cannot view that user's information.
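As an added example (not code posted by anyone in this thread), here is one way to lay out userinfo.php along the lines of the answers above: the session decides whether the requested user_id is the logged-in user, and only that case gets the private fields, while other profiles show public fields only. The PDO connection in db.php, the table name users and its column names are assumptions.

```php
<?php
// Added example, not from the thread. Assumes db.php defines a PDO connection
// in $pdo and a users table with columns uid, username, email, phone.
require __DIR__ . '/db.php';
session_start();

// Which columns a viewer may see is decided by the session, never by the URL.
function visibleColumns(?int $sessionUid, int $requestedUid): array
{
    if ($sessionUid === null) {
        return [];                                    // not logged in: nothing
    }
    if ($sessionUid === $requestedUid) {
        return ['uid', 'username', 'email', 'phone']; // own profile: everything
    }
    return ['uid', 'username'];                       // other users: public fields
}

$requestedUid = intval($_GET['user_id'] ?? 0);
$sessionUid   = isset($_SESSION['uid']) ? intval($_SESSION['uid']) : null;

$columns = visibleColumns($sessionUid, $requestedUid);
if ($columns === []) {
    header('Location: /login.php');
    exit;
}

// Column names come from our own whitelist above, not from the request, and
// the uid is bound as a parameter so the URL value cannot change the SQL.
$sql  = 'SELECT ' . implode(', ', $columns) . ' FROM users WHERE uid = :uid';
$stmt = $pdo->prepare($sql);
$stmt->execute([':uid' => $requestedUid]);
$userinfo = $stmt->fetch(PDO::FETCH_ASSOC);

if ($userinfo === false) {
    http_response_code(404);
    exit('No such user');
}

// $userinfo can now be handed to the HTML template; escape every value on output.
foreach ($userinfo as $field => $value) {
    echo htmlspecialchars($field) . ': ' . htmlspecialchars((string) $value) . "<br>\n";
}
```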