我有一个管理页面，列出了一系列的记录，每个记录旁边都有一个复选框，将其设置为活动状态。每个复选框上有一个值，该值是依赖于在数据库中的记录的ID。如果有人使用萤火它们可以在复选框的值很容易地改变，以由此不同数量实现错误的记录在数据库中。

我并不十分担心这种情况的发生，因为它只是一个管理页面，只创建了一个用户，我敢肯定，他不知道萤火虫什么..但只是好奇，柜面我碰到这个问题更面向公众的页面上的未来。

这里的code我目前只是让你可以得到我在做什么的想法。

的HTML + PHP ..

 ＆LT;输入类型=复选框级=主动NAME =活动＆LT;？PHP的echo $ ID;＆gt;中ID =活动＆LT;？PHP的echo $ ID;＆gt;中？＆LT; PHP的，如果（$活跃== 1）：＆GT;检查=检查＆LT; PHP ENDIF;？ ？＆GT;值=＆LT; PHP的echo $ ID;＆gt;中＆GT;
 

jQuery的AJAX ..

  $（input.active）。点击（函数（）{

VAR装载机= $（本）preV（）preV（）。

$（装载机）的CSS（知名度，可见）;
//存储从表单复选框中的值，然后通过发送下面的AJAX
VAR check_active = $（本）。是（：选中）？ 1：0;
VAR check_id = $（本）.attr（'值'）;

执行console.log（check_active）;
执行console.log（check_id）;

    $阿贾克斯（{
        键入：POST，
        网址：active.php
        数据：{ID：check_id，活跃：check_active}，
        成功：函数（）{
            $（装载机）的CSS（知名度，隐藏）;

        }
    }）;
返回true;
}）;
 

这是active.php ..

 ＆LT; PHP

包括（dbinfo.php）;
的mysql_connect（$服务器，$用户名，密码$）
@mysql_select_db（$数据库）或死亡（无法选择数据库）;

$积极= mysql_real_escape_string（$ _ POST ['主动']）;
$ ID = mysql_real_escape_string（$ _ POST ['身份证']）;

$的addEntry =更新项设置活动='$活跃WHERE ID ='的$ id';
的mysql_query（$的addEntry）或死亡（mysql_error（））;


则mysql_close（）;
？＆GT;
 

解决方案

您应该设置一个 $ _ SESSION 值与它自己的账户信息，因此，如果他们试图访问一个账户，你可以捕捉它，并将它标志适当地是不存在的。只是他们的帐户的ID号可能就足够了。你一定要的不可以可以把这个在隐藏字段或任何地方，用户可以改变它。

I have an admin page that lists a bunch of records and each record has a checkbox next to it to set it to an "active" status. Each checkbox has a value on it that is tied to the ID of the record in the database. If somebody used FireBug they could easily change the checkbox's value to a different number thus effecting the wrong record in the database.

I'm not extremely worried about this happening because its just an admin page that will just have one user and I'm sure he doesn't know anything about FireBug.. but was just curious incase I run into this problem in the future on a more public-facing page.

Here's the code I currently have just so you can get an idea of what I'm doing.

The HTML + PHP..

<input type="checkbox" class="active" name="active<?php echo $id; ?>" id="active<?php echo $id; ?>" <?php if ($active == 1): ?>checked="checked"<?php endif; ?> value="<?php echo $id; ?>">

jQuery ajax..

$("input.active").click(function() {

var loader = $(this).prev().prev();

$(loader).css("visibility","visible");
// store the values from the form checkbox box, then send via ajax below
var check_active = $(this).is(':checked') ? 1 : 0;
var check_id = $(this).attr('value');

console.log(check_active);
console.log(check_id);

    $.ajax({
        type: "POST",
        url: "active.php",
        data: {id: check_id, active: check_active},
        success: function(){
            $(loader).css("visibility","hidden");

        }
    });
return true;
});

Here is active.php..

<?php

include("dbinfo.php");
mysql_connect($server,$username,$password);
@mysql_select_db($database) or die( "Unable to select database"); 

$active = mysql_real_escape_string($_POST['active']);
$id = mysql_real_escape_string($_POST['id']);

$addEntry = "UPDATE entries SET active = '$active' WHERE id = '$id'";
mysql_query($addEntry) or die(mysql_error());


mysql_close();
?>

You should be setting a $_SESSION value with their account information in it so if they try to access an account that isn't there's you can catch it and flag it appropriately. Just the ID number of their account probably would be sufficient. You definitely should not be putting this in hidden fields or anywhere where the user can change it.