Security issues:
Whether there is permission to curd, because the parameters in the address bar, can be modified, (or parameters in the HTML page, you can use Firebug to modify the source code), so before curd to check whether the operator has this record, For example: According to the store ID and the parameters passed to query whether this record belongs to this operator, if not belong to the prompt (illegal operation, has been recorded!) To achieve the purpose of the warning)
For example:
/* * Check if there is permission to curd*/publicfunction Check_rbac ($theme _id) { $model=M (); $adm _session = es_session::get (MD5(conf ("Bi_auth_key")), 1); $location _id=$adm _session[' supplier_locations ']; $map=array(' id ' = =$theme _id, ' location_id ' = =$location _id) ; $result=$model->where ($map)->getfield (' id '); if (empty($result)) { $this->error (' Illegal operation, has been recorded! '); } }
The above on the introduction of a loophole is not a terrible, shameful! , including the aspects of the content, want to be interested in PHP tutorial friends helpful.