I am making a system and there is a part that deals with bank billets (boletos). For security/privacy, one user cannot see another's billet. I do a check every time he visits this page to see if he has anything to do with that billet ID.
Thinking about it, I was going to do it by GET, but that would be bad because I could change the ID and access the others'. Then I did it by AJAX, but it's not working. I want to pass the ID, load the page and show the billet. I am using BOLETOPHP, a ready-made project.
My AJAX request:
$(document).on('click', '#getBoleto', function(e) {
    e.preventDefault();
    var uid = $(this).data('id');     // boleto id taken from the link's data-id attribute
    var href = $(this).attr('href');
    $.ajax({
        url: 'gerarBoleto.php',
        type: 'POST',
        data: {
            id: uid
        },
        dataType: 'html'
    }).done(function() {
        // the HTML returned by gerarBoleto.php is not used here; the link is opened instead
        window.open(href, '_blank');
    });
});
PHP:
$id = $_POST['id']; // the boleto id sent by the AJAX request above
$sqlQuery = $pdo->prepare("SELECT tipe, banco, dv_agencia, agencia, dv_conta, conta, carteira, numeroBoleto FROM tbl_contaBanco WHERE id_Boleto = ?");
$sqlQuery->bindValue(1, $id);
$sqlQuery->execute();
$row = $sqlQuery->fetch(PDO::FETCH_ASSOC); // Then I do the other calculations etc... and I want to show the boleto
How do I show the billet at the end of loading? Where am I going wrong?
Does your ajax return a URL pointing to the directory where the boleto is, or how does it return this boleto?
– Don't Panic
When the user authenticates, I would store this information, for example in a session, and retrieve it in PHP. I would not let it come from the frontend, because forging a request like this passing another ID is simple.
– Bruno Rigolon
Using AJAX will not make it safer; you can still "access others" simply by using
curl -X POST -d "id=1000" https://seusite.com/gerarBoleto.php
and there you go, you will get whatever belongs to id equal to 1000. You can even simply view the source code (and/or network traffic) and replicate it by changing the value of the POST. – Inkeliz