What is the safest way to update a record using a hidden HTML input that contains the data ID?
<input type="text" name="request_id" value="<?php echo $param_request['idx']?>" style="display: none;">
Form validation is already included in my code to ensure that all fields are required.
But how do I prevent someone from changing the hidden field (id)? What do I need to add to the update function in my controller to improve security?
Here is my function in the controller:
public function update()
{
    $this->load->library('form_validation');
    $form_data = $this->input->post();
    // The record id comes straight from the hidden form field
    $idx = $this->input->post('request_id');
    $form_request_type = $this->input->post('request_type');
    $form_leave_start = $this->input->post('form-leave-start');
    $form_leave_end = $this->input->post('form-leave-end');
    $form_date_needed = $this->input->post('form-date-needed');
    $form_amount_needed = $this->input->post('form-amount-needed');
    $form_remarks = $this->input->post('redactor-textarea');
    $form_refer = $this->input->post('refer');

    // Every posted field is required; 'refer' is a checkbox array
    $this->form_validation->set_data($form_data);
    $this->form_validation->set_rules('refer[]', 'refer', 'required');
    foreach ($form_data as $name => $value) {
        if ($name != 'refer') {
            $this->form_validation->set_rules($name, $name, 'required');
        }
    }
    // The rules above only take effect once run() is called
    if ($this->form_validation->run() === FALSE) {
        echo json_encode(array('ret' => 0));
        return;
    }

    // Checkboxes
    $refer = json_encode($form_refer);
    // Not common contents
    $contents_info = json_encode(array(
        'leave_start_date' => $form_leave_start,
        'leave_end_date'   => $form_leave_end,
        'date_needed'      => $form_date_needed,
        'amount_needed'    => $form_amount_needed,
        'remarks'          => $form_remarks
    ));
    // Common contents
    $common_info = array(
        'requested_by_idx' => $this->session->userdata('member_index'),
        'request_type'     => $form_request_type,
        'date_updated'     => date("Y-m-d H:i:s A"),
        'contents'         => $contents_info,
        'refer'            => $refer,
        'status'           => 'PENDING'
    );
    $log = array(
        'controller'      => 'request',
        'method'          => 'update',
        'item_idx'        => 0,
        'member_idx'      => $this->session->userdata('member_index'),
        'member_category' => $this->session->userdata('member_category')
    );
    // The row is selected only by the id taken from the form
    $ret = $this->staffrequisition_model->updateItem($common_info, array('idx' => $idx), $log);
    echo json_encode(array('ret' => ($ret == true) ? 1 : 0));
}
Also, I load the update view using an anchor tag with the id sent in the link:
<a href="<?php echo base_url();?>dashboard/staff/request/update_request_view/<?php echo $drafts['idx'];?>" class="btn waves-effect waves-light btn-info update-button"><i class="fa fa-edit"></i> Update</a>
The receiving function:
public function update_request_view($idx)
{
    $data = new stdClass;
    $data->param_menu = 'request';
    $type = $this->staffrequisition_model->getRequestType($idx);
    // e.g. "Leave Request" -> "leaverequest", used to pick the view file
    $typeLower = strtolower(str_replace(' ', '', $type));
    $commonContents = $this->staffrequisition_model->selectItem(array('idx' => $idx));
    if (!$commonContents) {
        show_404(); // no row with this id; avoid reading properties of null below
    }
    $uncommonContents = json_decode($commonContents->contents);
    $data->param_request = array_merge((array) $commonContents, (array) $uncommonContents);
    $data->param_request_type = $type;
    $data->param_refer = json_decode($data->param_request['refer']);
    $this->load->view('dashboard/staff/update_' . $typeLower . '_view', $data);
}
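The risk in the question is that the server trusts whatever id arrives in the hidden field (or in the URL), so any logged-in user who edits that value can overwrite another member's request. Hiding the field does nothing; the fix is a server-side ownership check before every read or write. The following is an added example, not the asker's code, written in CodeIgniter 3 style to match the question. It assumes that the row returned by `staffrequisition_model->selectItem()` carries the `requested_by_idx` and `status` columns that the asker's `update()` writes, that `DRAFT`/`PENDING` are the editable status values, and the helper name `load_owned_request` is hypothetical; the form-field handling and validation inside `update()` are left as in the question.

```php
<?php
// Added example (not the asker's code): ownership check for the request record.
// Assumes selectItem() returns an object with idx, requested_by_idx and status;
// the helper name load_owned_request is hypothetical.

class Request extends CI_Controller
{
    /**
     * Load the request identified by $idx and verify that it belongs to the
     * logged-in member and is still editable. On any failure show_error()
     * ends the request, so callers never touch another member's row.
     */
    private function load_owned_request($idx)
    {
        // Reject anything that is not a positive integer before it reaches the model
        if (!ctype_digit((string) $idx) || (int) $idx < 1) {
            show_error('Invalid request id', 400);
        }
        $idx = (int) $idx;

        $member_idx = $this->session->userdata('member_index');
        if (empty($member_idx)) {
            show_error('Not logged in', 401);
        }

        $request = $this->staffrequisition_model->selectItem(array('idx' => $idx));

        // "Not found" and "not yours" get the same response so that ids which
        // exist cannot be told apart from ids which do not
        if (!$request || (int) $request->requested_by_idx !== (int) $member_idx) {
            log_message('error', sprintf(
                'member %d attempted to access request %d', $member_idx, $idx));
            show_error('Forbidden', 403);
        }

        // Only requests that are still open may be edited (assumed status values)
        if (!in_array($request->status, array('DRAFT', 'PENDING'), true)) {
            show_error('This request can no longer be edited', 409);
        }

        return $request;
    }

    public function update()
    {
        // Verify ownership first; execution stops here if the id is not the caller's
        $request = $this->load_owned_request($this->input->post('request_id'));

        // ... form validation and building $common_info / $log exactly as in the question ...

        // Update by the verified id and, as a second line of defence, scope the
        // WHERE clause to the owner so a race or model bug still cannot cross users
        $where = array(
            'idx'              => $request->idx,
            'requested_by_idx' => $this->session->userdata('member_index'),
        );
        $ret = $this->staffrequisition_model->updateItem($common_info, $where, $log);
        echo json_encode(array('ret' => $ret ? 1 : 0));
    }

    public function update_request_view($idx)
    {
        // The id in the URL is just as untrusted as the hidden field
        $request = $this->load_owned_request($idx);

        $data = new stdClass;
        $data->param_menu = 'request';
        $type = $this->staffrequisition_model->getRequestType($request->idx);
        $typeLower = strtolower(str_replace(' ', '', $type));
        $uncommonContents = json_decode($request->contents);
        $data->param_request = array_merge((array) $request, (array) $uncommonContents);
        $data->param_request_type = $type;
        $data->param_refer = json_decode($data->param_request['refer']);
        $this->load->view('dashboard/staff/update_' . $typeLower . '_view', $data);
    }
}
```

The check runs in both entry points because a user can submit the update POST without ever opening the view. Logging the rejected attempt gives the operations side a signal for spotting id tampering, and returning the same 403 for missing and foreign ids keeps the error from doubling as an id oracle.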