There are loopholes and no act is terrible, shameful! , the vulnerability as
Security issues:
Whether there is permission to curd, because the parameters in the address bar, can be modified, (or parameters in the HTML page, you can use Firebug to modify the source code), so before curd to check whether the operator has this record, For example: According to the store ID and the parameters passed to query whether this record belongs to this operator, if not belong to the prompt (illegal operation, has been recorded!) To achieve the purpose of the warning)
For example:
/* * Verify that you have permission to curd* /publicfunction Check_rbac ($theme _id ) { $model=M (); $adm _session = es_session::get (MD5(conf ("Bi_auth_key")), 1); $location _id=$adm _session[' supplier_locations ']; $map=array(' id ' = =$theme _id, ' location_id ' = =$location _id) ; $result=$model->where ($map)->getfield (' id '); if (empty($result)) { $this->error (' Illegal operation, has been recorded! '); } }
http://www.bkjia.com/PHPjc/1080769.html www.bkjia.com true http://www.bkjia.com/PHPjc/1080769.html techarticle there are loopholes and no act is terrible, shameful! , the vulnerability as a security issue: whether there is permission to curd, because the parameters in the address bar, can be modified, (or parameters in the HTML page, can ... )