Website with different content for each type of user (about security)


Question


So I know some HTML, CSS, JS, PHP and MySQL, but my knowledge is very limited regarding security issues, and for a website I'm building, until now I just used CSS display:none (triggered with JS) to show or not show some content to the user depending on his type (client, employee, boss). I've understood that if you don't want to run the risk of someone seeing something he should not (inspect page or some other way), you should not send that information (from the server side = PHP) at all. I'm not sure if the way I have in mind is the right one.

If I have 3 types of users, 1) clients, 2) employees, 3) boss, and I want to show different content (basically the same content but a bit more information to employees and even more to the boss) to each of them for 5 of the pages that exist in the website, would it be effective to have 3 different PHP files (one for each type of user) for each page, store different values in $_SESSION['authority'] for each user during the login process, and use that value to decide which page he can access?

For example, the starting page is index.php, and when the user logs in, depending on his authority level (retrieved from the database) he will be redirected using header("Location: name_of_page.php"); to index.php if he is a client, to index_employee.php if he is an employee, and to index_boss.php if he is the boss. And in each of these pages, use something like the following to prevent users with a different authority from entering.

index_boss.php

<?php
session_start();
// Only a logged-in boss (authority 2) may see this page; isset() avoids
// notices when the session keys were never set (user not logged in).
if (isset($_SESSION['authority'], $_SESSION['loggedin'])
    && $_SESSION['authority'] == 2 && $_SESSION['loggedin'] == true) {
?>

page content

<?php
} else {
    // Redirect lower authorities to their own page and stop executing:
    // without exit the script would keep running after the Location header.
    if (isset($_SESSION['authority']) && $_SESSION['authority'] == 1) {
        header("Location: index_employee.php");
        exit;
    } else {
        header("Location: index.php");
        exit;
    }
}
?>

Is this the correct way to tackle this issue? Are there ways to just use 1 PHP file for all users and hide or show some of the content in some other secure way?

Solution

Your implementation does seem correct for a low level site. However, as you scale it might be difficult to keep track of these for every single part or sub-part of your website.

I would suggest either using a class approach (create a different class for each user and use objects) or even use a framework which would usually encompass usage of classes within its own structure to ease the process of implementation and coding from your side.

Frameworks you might like to implement include CodeIgniter or Laravel (in no particular order) - bear in mind that at the moment your code is doing these if checks on every single reload - a correctly implemented class or framework would in most cases automatically know what to do, giving a slightly quicker reaction time but, more importantly, a clearer code structure and a good base to develop on.
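The asker wanted to know whether one PHP file can serve all three user types without leaking the extra content, and the answer suggests centralising the role logic instead of repeating if-checks in every file. The following is an added example written for this page; it is not code from the asker or the answerer. It assumes the session layout from the question ($_SESSION['loggedin'] and an integer $_SESSION['authority'] set at login), hypothetical role constants ROLE_CLIENT/ROLE_EMPLOYEE/ROLE_BOSS for the values 0/1/2, and a hypothetical login.php to redirect to. The key security point is that the role decision is made on the server before any HTML is emitted, so a client never receives employee or boss markup to "inspect", and every redirect is followed by exit so the rest of the script cannot run.

```php
<?php
// Added example, not from the original post: one page file for all roles,
// with the role check done server-side so restricted HTML is never sent.
declare(strict_types=1);
session_start();

// Hypothetical role constants matching the integers stored at login.
const ROLE_CLIENT   = 0;
const ROLE_EMPLOYEE = 1;
const ROLE_BOSS     = 2;

// Returns the current user's role, or null when not logged in or when the
// session value is not a valid integer (e.g. tampered or never set).
function currentRole(): ?int
{
    if (empty($_SESSION['loggedin']) || !isset($_SESSION['authority'])) {
        return null;
    }
    // FILTER_VALIDATE_INT accepts "2" from the database as well as int 2,
    // and rejects anything that is not an integer.
    $role = filter_var($_SESSION['authority'], FILTER_VALIDATE_INT);
    return $role === false ? null : $role;
}

// Page-level gate: anyone below $minimum is redirected and execution stops.
// Putting this in one included file avoids copying the check into every page.
function requireRole(int $minimum): void
{
    $role = currentRole();
    if ($role === null || $role < $minimum) {
        header('Location: login.php'); // hypothetical login page
        exit;                          // never run the rest of the script
    }
}

// Section-level gate: true only if the user is at least $minimum. Callers
// wrap the restricted HTML so it is not emitted at all for lower roles.
function canSee(int $minimum): bool
{
    $role = currentRole();
    return $role !== null && $role >= $minimum;
}

requireRole(ROLE_CLIENT); // every visitor must at least be logged in
?>
<h1>Dashboard</h1>
<p>Content every logged-in user may see.</p>

<?php if (canSee(ROLE_EMPLOYEE)): ?>
<section>Employee-only information (never sent to clients).</section>
<?php endif; ?>

<?php if (canSee(ROLE_BOSS)): ?>
<section>Boss-only information (never sent to clients or employees).</section>
<?php endif; ?>
```

With this layout the five pages each call requireRole() once at the top and wrap their extra sections in canSee() blocks, instead of existing as three files per page. Because the conditionals run in PHP, viewing the page source or disabling CSS reveals nothing beyond what that role is entitled to, which is the difference between this and the display:none approach. The helpers can be moved into a single included file (or a class, as the answer suggests) so that a change to the role rules is made in one place.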
