在URL中加密$ _GET变量,因此用户无法访问其他配置文件 [英] Encrypting $_GET variable in URL so user cannot access other profiles
问题描述
我希望能够向客户发送一个链接到他们的个人资料。该链接看起来像这样;
I want to be able to email my clients a link to their profile. The link looks something like this;
https://www.example.com/admin-area/files/edit_tenant.php?tenant_id=37
我不想让用户能够将37更改为38并编辑另一个人的个人资料。
I don't want the user to be able to change the '37' to '38' and edit another person's profile.
我想我需要加密 37'在某种程度上。我已经在线完成了研究工作,但是考虑到我已经开始考虑盐等等。
I'm thinking I need to encrypt the '37' in some way. I've done my research online but think I might be over thinking it as I've started coming across 'salts', etc.
提前感谢
推荐答案
定义您的用户表中的令牌字段。当用户在系统中注册时会产生一个随机字符串(可以说40个字符)并插入该令牌以及其他信息。所以当U想查找一个用户时,用他的令牌寻找他/她,而不是id。以这种方式,没有人可以猜到其他令牌!
Define a "token" field in your users table. When a user signs up in your system produce a random string (lets say 40 characters) and insert this token as well as other information. So when U want to look up for a user , Look for him/her with his token, instead of id. In this way no one can guess others token!
为了生成随机字符串,您可以使用以下功能:
In order to generate random string you can use the function below:
function generateRandomString($length = 40) {
$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$charactersLength = strlen($characters);
$randomString = '';
for ($i = 0; $i < $length; $i++) {
$randomString .= $characters[random_int(0, $charactersLength - 1)];
}
return $randomString;
}
注意: random_int()
是一个PHP 7功能,但是有一个 polyfill可用于PHP 5 。
Note: random_int()
is a PHP 7 function, but there is a polyfill available for PHP 5.
这篇关于在URL中加密$ _GET变量,因此用户无法访问其他配置文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!