Yii
AR, 2017-10-08 12:06:02

How to protect against POST request spoofing?

Good afternoon.

A simple example: there are comments under a post, and each user may only delete their own comments. Deletion works like this: an ajax request is sent to a controller action, and the request contains the comment id and other data. How can one protect against substitution of the comment id in the request?

Thanks in advance.


6 answer(s)
Rsa97, 2017-10-08
@Rsa97

All data received from the client must be checked on the server. This includes both checking the correctness of the data itself and checking the user's rights to operate with this data.

Andrey Burov, 2017-10-08
@BuriK666

On the server side, check that the comment belongs to the user who sent the request.

Alexey Sklyarov, 2017-10-08
@0example

Check on the server: pass the user ID and the comment ID, and if they are linked in the database, delete the comment; otherwise return an error.

xmoonlight, 2017-10-08
@xmoonlight

What for?! Just check the permissions of the current user (server session) to delete the comment with the given ID.

AR, 2017-10-08
@amio

As a result, the best solution is not to transfer any service data in clear text, but to hash it.

Alexander Urich, 2017-10-13
@Urichalex

The user ID is already available via Yii::$app->getUser()->getId();
Pass the comment id and fetch the comment with the user id included in the query condition, or load the comment from the database and compare the field holding the comment's user id with the current user's id. If they differ, throw new ForbiddenHttpException();
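The ownership check the answers above describe, written out as a Yii 2 controller. This is an added example, not code from the thread or from Yii itself; it assumes a hypothetical `app\models\Comment` ActiveRecord with `id` and `user_id` columns and an authenticated user in `Yii::$app->user`. The insecure action is shown only to make the difference visible; the hardened one is the pattern to use.

```php
<?php
// Added example (not from the thread). Assumes a Yii 2 `Comment` ActiveRecord
// with `id` and `user_id` columns, and a logged-in user in Yii::$app->user.

namespace app\controllers;

use Yii;
use yii\web\Controller;
use yii\web\Response;
use yii\web\ForbiddenHttpException;
use yii\web\NotFoundHttpException;
use yii\filters\AccessControl;
use yii\filters\VerbFilter;
use app\models\Comment; // hypothetical model, assumed to exist

class CommentController extends Controller
{
    // CSRF validation ($this->enableCsrfValidation) is on by default in Yii 2,
    // so the ajax call must send the _csrf token; that stops cross-site POSTs,
    // but it does NOT stop a logged-in user from editing the id in their own request.
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                'rules' => [
                    ['allow' => true, 'roles' => ['@']], // authenticated users only
                ],
            ],
            'verbs' => [
                'class' => VerbFilter::class,
                'actions' => ['delete' => ['POST']], // state change only over POST
            ],
        ];
    }

    // Insecure version: trusts the id from the request. Any logged-in user can
    // delete any comment by substituting another id in the ajax call.
    public function actionDeleteInsecure()
    {
        Yii::$app->response->format = Response::FORMAT_JSON;
        $comment = Comment::findOne((int) Yii::$app->request->post('id'));
        if ($comment === null) {
            throw new NotFoundHttpException('Comment not found.');
        }
        $comment->delete();
        return ['success' => true];
    }

    // Hardened version: the owner comes from the server-side session, never
    // from the request body, and ownership is enforced before deleting.
    public function actionDelete()
    {
        Yii::$app->response->format = Response::FORMAT_JSON;
        $id = (int) Yii::$app->request->post('id');
        $userId = (int) Yii::$app->user->id;

        $comment = Comment::findOne(['id' => $id]);
        if ($comment === null) {
            throw new NotFoundHttpException('Comment not found.');
        }
        if ((int) $comment->user_id !== $userId) {
            // Log the attempt: repeated 403s from one account are a useful
            // detection signal for id-guessing.
            Yii::warning("User {$userId} tried to delete comment {$id}", __METHOD__);
            throw new ForbiddenHttpException('You may only delete your own comments.');
        }
        $comment->delete();
        return ['success' => true];
    }
}
```

If you would rather not reveal whether a comment id exists at all, put the owner into the query instead, `Comment::findOne(['id' => $id, 'user_id' => $userId])`, and return 404 for both "missing" and "not yours". Either way the user id is never read from the request, which is the whole point of the answers above.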
