用户可以更改html代码以删除所需内容 [英] Users can change html code to delete what they want
问题描述
我有这个JavaScript可以从网站上删除某些图像:
I have this javascript to remove a certain image from the website:
$(function() {
$(document.body).on("click", ".deleteImg", function() {
var item_id = $(this).attr("id");
var parentImgBox = $(this).closest("start");
var dataString = 'id='+item_id;
$.ajax({
type: "POST",
url: "/ajax/removeitemajax.php", <--THIS FILE WILL REMOVE IMAGE FROM DATABASE
data: dataString,
success: function(data){
if (data == 0) {
alert('Error');
} else {
if(confirm("Are you sure?")){
parentImgBox.remove();
}
}
}
});
return false;
});
});
这就是我在file.php中使用的:
This is what I use in my file.php:
... PHP code reading through the database for images. Query varaible: $queries['blablabla']...
echo'
<start>
<div class="headPhotoGalleryIconBox">
<img src="'.$queries['name'].'"></img>
<div class="large-6 other_columns">
<a id="'.$queries['id'].'" class="deleteImg"><i class="step fi-page-delete size-36"></i></a>
</div>
</div>
</start>';
您可能已经看到,该脚本取决于图像的item_id.
As you may already see, this script depends on the item_id of the image.
我的问题是用户/访问者可以编辑网站的源代码以更改<a>的ID,并删除具有该ID的可选内容.
My problem is that users/visitors can edit the website's sourcecode to change the id of the <a> and remove an optional content with that id.
我该如何解决?
谢谢!
推荐答案
如果我正确理解了您的问题,则需要在实际删除图像之前先验证用户是否有权删除该图像.这必须在服务器端使用您当前使用的任何身份验证来完成.
If I'm understanding your question correctly, you need to verify that the user has permission to delete the image before you actually delete the image. This must be done on the server side, using whatever authentication you are currently using.
从不,从不,从不依赖用户输入的准确性来执行这样的操作.务必重新检查以确保用户在执行此操作之前具有执行此操作的权限.
Never, never, NEVER rely on the accuracy of user input to perform actions like this. ALWAYS recheck to make sure the user has permission to do something like this before doing it.
这篇关于用户可以更改html代码以删除所需内容的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
