jquery - Ajax - security breach? - PHP
I built a system in PHP. I have a page named x.php; in that page I create a variable named $accountid, the account ID from the session.
Now I have other variables in PHP on the same page that call functions in another page called functions.php, passing the accountid, and the function returns account info (for example, the name of the user).
Is this a security breach?
I mean, can a user call the function via Ajax with another accountid and get another account's info?
Here is a code example:
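<?php
// x.php
include "includs/config.php";

// Redirect visitors without a session, and stop so the rest of the page does not run.
if (!isset($_SESSION[get("session_name")])) {
    header("Location: index.php");
    exit;
}

// The account id is derived from the server-side session.
$accountid = getaccountid($_SESSION[get("session_name")]);
$e = getecategorys($accountid);
?>

<?php
// functions.php
function gete($accountid) {
    $query = mysql_query("SELECT * FROM `x` WHERE `accountid` = $accountid");
    while ($result = mysql_fetch_assoc($query)) {
        // account info..
    }
}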
Yes, right. A user can get information by passing an accountid to the function. Solution: you can check the session variable against the passed accountid. You can put in a condition: if the session variable (accountid) matches the accountid passed to the function, retrieve the data; otherwise, give an error.
A second solution is to achieve the same thing with a class-based approach, setting a private member variable for the accountid.
Hope this helps.
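Both of the answer's suggestions in one sketch, as an added example that is not part of the original post: a class keeps the session's account ID in a private member, rejects a request parameter that names a different account, and scopes its query to the session's ID with a bound parameter. The class name `AccountScope`, the `items` table, the `accountid` session key and the sample rows are hypothetical; an in-memory SQLite database stands in for the real one.

```php
<?php
declare(strict_types=1);

// Hypothetical class: every query is bound to the account id taken from the
// server-side session, never from the Ajax request.
final class AccountScope
{
    private int $accountId;   // private: callers cannot swap in another id

    public function __construct(array $session)
    {
        if (!isset($session['accountid'])) {   // assumed session key
            throw new RuntimeException('not logged in');
        }
        $this->accountId = (int) $session['accountid'];
    }

    // First suggestion: refuse a passed id that differs from the session's.
    public function assertOwns(string $requestedId): void
    {
        if ($requestedId !== (string) $this->accountId) {
            throw new RuntimeException('forbidden: account id mismatch');
        }
    }

    // Second suggestion: the query only ever sees the private member.
    public function rows(PDO $db): array
    {
        $stmt = $db->prepare('SELECT name FROM items WHERE accountid = ?');
        $stmt->execute([$this->accountId]);
        return $stmt->fetchAll(PDO::FETCH_COLUMN);
    }
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (accountid INTEGER, name TEXT)');
$db->exec("INSERT INTO items VALUES (1, 'alice-report'), (2, 'bob-report')");

$session = ['accountid' => 1];     // stands in for $_SESSION after login
$request = ['accountid' => '2'];   // constructed Ajax parameter naming another account

$scope = new AccountScope($session);
try {
    $scope->assertOwns($request['accountid']);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;   // the mismatched id is refused
}
print_r($scope->rows($db));           // query is scoped to the session's account
```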