在URL中加密$ _GET变量，因此用户无法访问其他配置文件 [英] Encrypting $_GET variable in URL so user cannot access other profiles

问题描述

我希望能够向客户发送一个链接到他们的个人资料。该链接看起来像这样;

I want to be able to email my clients a link to their profile. The link looks something like this;

https://www.example.com/admin-area/files/edit_tenant.php?tenant_id=37

我不想让用户能够将37更改为38并编辑另一个人的个人资料。

I don't want the user to be able to change the '37' to '38' and edit another person's profile.

我想我需要加密 37'在某种程度上。我已经在线完成了研究工作，但是考虑到我已经开始考虑盐等等。

I'm thinking I need to encrypt the '37' in some way. I've done my research online but think I might be over thinking it as I've started coming across 'salts', etc.

提前感谢

推荐答案

定义您的用户表中的令牌字段。当用户在系统中注册时会产生一个随机字符串（可以说40个字符）并插入该令牌以及其他信息。所以当U想查找一个用户时，用他的令牌寻找他/她，而不是id。以这种方式，没有人可以猜到其他令牌！

Define a "token" field in your users table. When a user signs up in your system produce a random string (lets say 40 characters) and insert this token as well as other information. So when U want to look up for a user , Look for him/her with his token, instead of id. In this way no one can guess others token!

为了生成随机字符串，您可以使用以下功能：

In order to generate random string you can use the function below:

function generateRandomString($length = 40) {
    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $charactersLength = strlen($characters);
    $randomString = '';
    for ($i = 0; $i < $length; $i++) {
        $randomString .= $characters[random_int(0, $charactersLength - 1)];
    }
    return $randomString;
}

注意： random_int（）是一个PHP 7功能，但是有一个 polyfill可用于PHP 5 。

Note: random_int() is a PHP 7 function, but there is a polyfill available for PHP 5.

这篇关于在URL中加密$ _GET变量，因此用户无法访问其他配置文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！