jQuery - WordPress data attribute security right value
I have a client-side HTML form that sends data to the server with AJAX. The problem is that anyone can change an input value (right click and "Inspect element" in Chrome), so the data on the server side can be wrong.
Example:
1. HTML form
2. Send data to the server with AJAX
3. PHP gets the data from the client side
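
    <form>
      <input type="hidden" name="user_id" value="<?php echo $user_id; ?>">
      <input id="send" type="submit" value="send">
    </form>

    $('#send').on('click', function (e) {
      // Stop the normal form submission so only the AJAX request is sent
      e.preventDefault();
      // The value is read from the hidden field, so the client controls it
      var user_id = jQuery('input[name="user_id"]').val();
      jQuery.ajax({
        type: 'post',
        url: 'wp-admin/admin-ajax.php',
        data: {
          'action': 'my_form',
          'user_id': user_id,
        },
        success: function (data) {
          console.log(data);
        }
      });
    });

    function my_form() {
      // Taken straight from the request, i.e. whatever the client sent
      $user_id = $_REQUEST['user_id'];
    }
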
Anybody can change the hidden "user_id" field and set its value to 123 or 4856, for example. The data in $user_id on the server side can then be wrong. How can I be sure that the data from the client side is right?
P.S.: Sorry for my English.
If it is the logged-in user's ID, don't trust client-side values; instead use the following in your PHP code:

    $current_user = wp_get_current_user();
    $userid = $current_user->ID;

https://codex.wordpress.org/function_reference/wp_get_current_user
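
A fuller server-side handler along the lines of the answer above, as an added example that is not part of the original post. It goes one step beyond the answer by also covering the case where the request names a different user, which is allowed only if the logged-in user has the capability to edit that account. The nonce action `my_form_nonce` and the meta key `my_form_submitted` are assumed names.

```php
<?php
// Added example, not the original poster's code. Assumes a plugin or theme
// functions.php context. 'my_form' matches the 'action' value sent by the
// page's AJAX call; 'my_form_nonce' and 'my_form_submitted' are assumed names.

// Only the wp_ajax_ hook is registered (no wp_ajax_nopriv_ hook), so
// WordPress dispatches this handler for logged-in users only.
add_action('wp_ajax_my_form', 'my_form');

function my_form() {
    // Reject requests that lack a valid nonce in the _ajax_nonce field.
    check_ajax_referer('my_form_nonce', '_ajax_nonce');

    // Identity comes from the authenticated session, never from the request.
    $current_id = get_current_user_id();
    if ($current_id === 0) {
        wp_send_json_error(array('message' => 'Not logged in'), 401);
    }

    // A posted user_id is only a *request* to act on that account.
    // Default to the caller's own ID when the field is absent.
    $target_id = isset($_REQUEST['user_id'])
        ? absint($_REQUEST['user_id'])
        : $current_id;

    // Acting on someone else's account requires an explicit capability check.
    if ($target_id !== $current_id && !current_user_can('edit_user', $target_id)) {
        wp_send_json_error(array('message' => 'Not allowed for this user'), 403);
    }

    // The work itself: record the submission time for the authorized user.
    update_user_meta($target_id, 'my_form_submitted', current_time('mysql'));

    wp_send_json_success(array('user_id' => $target_id));
}
```

The page that renders the form has to pass a nonce created with `wp_create_nonce('my_form_nonce')` to the script, which sends it as `_ajax_nonce` in the AJAX data.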