Hiding url parameters from php

Time: 2017-12-08 18:38:01

Tags: php html

<a href="rate.php?winner=<?=$images[0]->image_id?>&loser=<?=$images[1]->image_id?>"></a>

This is the main page, index.php

This is my main page. Before the values are sent to the php file, the parameters can be changed with Inspect Element, which is a problem.

This is rate.php

<?php

include('mysql.php');
include('functions.php');

// If rating - update the database
if ($_GET['winner'] && $_GET['loser']) {

    // Get the winner
    $result = $conn->query("SELECT * FROM images WHERE image_id = ".$_GET['winner']." ");
    $winner = $result->fetch_object();

    // Get the loser
    $result = $conn->query("SELECT * FROM images WHERE image_id = ".$_GET['loser']." ");
    $loser = $result->fetch_object();

    // Update the winner score
    $winner_expected = expected($loser->score, $winner->score);
    $winner_new_score = win($winner->score, $winner_expected);
    //test print "Winner: ".$winner->score." - ".$winner_new_score." - ".$winner_expected."<br>";
    $conn->query("UPDATE images SET score = ".$winner_new_score.", wins = wins+1 WHERE image_id = ".$_GET['winner']);

    // Update the loser score
    $loser_expected = expected($winner->score, $loser->score);
    $loser_new_score = loss($loser->score, $loser_expected);
    //test print "Loser: ".$loser->score." - ".$loser_new_score." - ".$loser_expected."<br>";
    $conn->query("UPDATE images SET score = ".$loser_new_score.", losses = losses+1 WHERE image_id = ".$_GET['loser']);

    // Insert battle
    $conn->query("INSERT INTO battles SET winner = ".$_GET['winner'].", loser = ".$_GET['loser']." ");

    // Back to the frontpage
    header('location: /');

}

?>

I just want to stop the parameters from being modified when the data is sent to the php file.

2 answers:

Answer 0 (score: 3)

You need to add some extra validation/verification to your code. That is true regardless of whether you use GET or POST to pass the data.

You could set a session entry for each call that defines which IDs the user is allowed to pass. It works like a basic CSRF protection:

It could look something like this:

On the voting page:

<?php
// Start sessions (should always be at the top)
session_start();

// Get the image id's somehow. Let's use these as an example
// This could just as well be strings or whatever it is you're posting
$image1 = 1;
$image2 = 2;

// Generate a pseudo random token
$token = bin2hex(random_bytes(16));

// Store the image references in a session with the token as name
$_SESSION[$token] = [$image1, $image2];
?>

<!-- HTML that sends the image references and the token (important);
     the answer only describes this part, so a minimal form is assumed here -->
<form method="post" action="rate.php">
    <input type="hidden" name="winner" value="<?= $image1 ?>">
    <input type="hidden" name="loser" value="<?= $image2 ?>">
    <input type="hidden" name="token" value="<?= $token ?>">
    <button type="submit">Vote for image <?= $image1 ?></button>
</form>

On the page that receives the data:

<?php
// Again, start sessions
session_start();

// Check that all parameters are there
if (!isset($_POST['winner'], $_POST['loser'], $_POST['token'])) {
    die('Invalid request');
}

$winner = $_POST['winner'];
$loser  = $_POST['loser'];
$token  = $_POST['token'];

// Check if the session entry is set. If not, then the call didn't come from your page
if (!$token || empty($_SESSION[$token])) {
    die('We have a CSRF attack');
}

// Check that both image references exist in the session. If not, then someone has changed the values
if (!in_array($winner, $_SESSION[$token]) || !in_array($loser, $_SESSION[$token])) {
    die('Invalid image references! We have a cheater!');
}

// Remove the token from the session so the user can't repeat the call
unset($_SESSION[$token]);

// Do your DB stuff using Prepared Statements.

This is an untested example, so it might not work out of the box, but it shows you the technique you can use.

Important

You are currently open to SQL injection and should really use prepared statements instead of concatenating your queries. Especially since you are not escaping the user input at all!
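Putting the two points of this answer together, here is an added example of rate.php (not code from the question or the answer) that does the session-bound token check and then runs the same score updates with prepared statements. It assumes the voting page posts winner, loser and token as in the form above, that $conn is a mysqli connection from mysql.php, and that expected(), win() and loss() come from functions.php as in the question.

```php
<?php
// Added example, not code from the question or answers: rate.php with the
// session-bound token check plus prepared statements. Assumes $conn is a mysqli
// connection from mysql.php and expected()/win()/loss() come from functions.php.
session_start();
include('mysql.php');
include('functions.php');
if (!isset($_POST['winner'], $_POST['loser'], $_POST['token'])) {
    exit('Invalid request');
}
$token  = $_POST['token'];
$winner = (int) $_POST['winner'];   // only integer ids are meaningful
$loser  = (int) $_POST['loser'];
// The token must name a pair this session was actually shown; consume it
// before any further check so a token cannot be retried.
if (!ctype_xdigit($token) || empty($_SESSION[$token])) {
    exit('Unknown or expired token');
}
$allowed = $_SESSION[$token];
unset($_SESSION[$token]);
// Strict comparison against the stored ints; the two ids must also differ.
if ($winner === $loser || !in_array($winner, $allowed, true)
        || !in_array($loser, $allowed, true)) {
    exit('Image ids do not match the pair that was offered');
}
// Helper: fetch one score by id with a bound parameter (never spliced into SQL).
function scoreOf(mysqli $conn, int $id): float {
    $stmt = $conn->prepare('SELECT score FROM images WHERE image_id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return (float) $stmt->get_result()->fetch_object()->score;
}
$winnerScore = scoreOf($conn, $winner);
$loserScore  = scoreOf($conn, $loser);
$winnerNew = win($winnerScore, expected($loserScore, $winnerScore));
$loserNew  = loss($loserScore, expected($winnerScore, $loserScore));
$upd = $conn->prepare('UPDATE images SET score = ?, wins = wins + 1 WHERE image_id = ?');
$upd->bind_param('di', $winnerNew, $winner);
$upd->execute();
$upd = $conn->prepare('UPDATE images SET score = ?, losses = losses + 1 WHERE image_id = ?');
$upd->bind_param('di', $loserNew, $loser);
$upd->execute();
$ins = $conn->prepare('INSERT INTO battles (winner, loser) VALUES (?, ?)');
$ins->bind_param('ii', $winner, $loser);
$ins->execute();

header('Location: /');
exit;
```

Because the token is deleted before the id comparison, a request that fails the pair check cannot be resubmitted with corrected ids, and the bound parameters mean the ids are sent to MySQL as data rather than as part of the query text.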

Answer 1 (score: -2)

I suggest you use $_POST instead of $_GET and add some validation for your image IDs in rate.php. Add a jQuery click handler to the <a> in your html and, in the click's anonymous function, create winner_image_id and loser_image_id variables and send them to your php with AJAX.
