使用安全性在PHP中维护用户会话

时间:2021-08-05 16:50:52

I want to know how developers to maintain sessions between different php files professionally, as the user navigates through the website.

我想知道开发人员如何专业地维护不同php文件之间的会话,因为用户浏览网站。

I have seen all tutorials, but I think they are not safe.

我已经看过所有教程,但我认为它们并不安全。

I have just made a login php file and created sessions associated with userid, username within the database and if remember me is checked, it will create a cookie.

我刚刚创建了一个登录php文件并创建了与userid,数据库中的用户名相关联的会话,如果记得我已经选中,它将创建一个cookie。

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);  
$rememberMe = (int)$_POST['rememberMe'];


$row = mysql_fetch_assoc(mysql_query("SELECT id,usr FROM members WHERE usr='{$username}' AND pass='".md5($password)."'"));

if($row['usr'])
{
  $_SESSION['usr']=$row['usr'];
  $_SESSION['id']=$row['id'];
  $_SESSION['rememberMe']=$_POST['rememberMe'];

  if($rememberMe=="on")
   setcookie('zsCookie',$username, time()+7200);


}

Now lets say, I make a profile php. How do I get the users session? I want to know the professional way how developers do this on sites like facebook. After getting this session, how may I use it to retrieve values from my database with full security.

现在让我们说,我制作个人资料php。如何获得用户会话?我想知道开发人员在Facebook这样的网站上如何做到这一点的专业方式。获得此会话后,我如何使用它以完全安全性从我的数据库中检索值。

Also is my authenticating code safe from sql injection?

也是我的sql注入安全的验证代码?

3 个解决方案

#1


1  

You use session_start() and go on with your life.

你使用session_start()继续你的生活。

Your particular query is safe, but realize that when you run a string through md5, any SQL escaping you did on the original string is destroyed - md5's output character set does not include sql metacharacters, so if a user's password DOES contain any of the metacharacters, you've now hashed not only their password, but any escape characters that were added in. You will have to do this escaping EVERYWHERE you do password operations, otherwise you'll end up with one spot where a particular user's PW won't work because they happen to have an SQL metachar in the pw.

您的特定查询是安全的,但是要意识到当您通过md5运行字符串时,您在原始字符串上执行的任何SQL转义都会被销毁 - md5的输出字符集不包含sql元字符,因此如果用户的密码包含任何元字符,你现在已经哈希过了不仅是他们的密码,还有任何添加的转义字符。你必须这样做,无论你做什么密码操作,否则你最终会得到一个特定用户的PW不会出现的地方因为他们碰巧在pw中有一个SQL元模型。

#2


1  

The way you usually do that is using SESSIONS.

通常这样做的方法是使用SESSIONS。

You can do a:

你可以这样做:

session_start();

at the beginning of your script and then use:

在脚本的开头,然后使用:

$_SESSION['userid'] = $myuserid;

Then, when a page loads back, start_session() again and look into $_SESSION to see if your userid is there. If it is there, load the user data from the database using that user id.

然后,当页面加载时,再次start_session()并查看$ _SESSION以查看您的用户ID是否存在。如果存在,请使用该用户ID从数据库加载用户数据。

For example:

'SELECT * FROM users_table WHERE id = '.$_SESSION['userid'];

Note that there many more considerations regarding security that you should implement, lookup the session section in php.net for more info:

请注意,您应该实现更多有关安全性的注意事项,请在php.net中查找会话部分以获取更多信息:

http://www.php.net/sessions/

Good luck

#3


1  

your query is safe from SQL-injection, though the mysql_real_escape_string call on the $_POST['password'] is unnecessary as when run through md5() the output will only contain alphanumeric characters and cannot contain SQL commands.

虽然对$ _POST ['password']的mysql_real_escape_string调用是不必要的,但是你的查询对于SQL注入是安全的,因为当运行md5()时,输出将只包含字母数字字符并且不能包含SQL命令。

As for sessions, that is another matter. Many PHP developers make use of PHP's default sessions through use of functions like session_start() being called on each page that needs to support sessions, and storing information that needs to be on each page in the $_SESSION superglobal. Check out the PHP documentation for sessions over here: http://us3.php.net/manual/en/book.session.php

至于会议,这是另一回事。许多PHP开发人员通过使用在需要支持会话的每个页面上调用session_start()等函数来使用PHP的默认会话,并在$ _SESSION超全局中存储需要在每个页面上的信息。查看以下会话的PHP文档:http://us3.php.net/manual/en/book.session.php

With that being said, a custom session implementation can achieve greater security and efficiency, but that takes a good deal more work.

话虽如此,自定义会话实现可以实现更高的安全性和效率,但这需要更多的工作。

#1


1  

You use session_start() and go on with your life.

你使用session_start()继续你的生活。

Your particular query is safe, but realize that when you run a string through md5, any SQL escaping you did on the original string is destroyed - md5's output character set does not include sql metacharacters, so if a user's password DOES contain any of the metacharacters, you've now hashed not only their password, but any escape characters that were added in. You will have to do this escaping EVERYWHERE you do password operations, otherwise you'll end up with one spot where a particular user's PW won't work because they happen to have an SQL metachar in the pw.

您的特定查询是安全的,但是要意识到当您通过md5运行字符串时,您在原始字符串上执行的任何SQL转义都会被销毁 - md5的输出字符集不包含sql元字符,因此如果用户的密码包含任何元字符,你现在已经哈希过了不仅是他们的密码,还有任何添加的转义字符。你必须这样做,无论你做什么密码操作,否则你最终会得到一个特定用户的PW不会出现的地方因为他们碰巧在pw中有一个SQL元模型。

#2


1  

The way you usually do that is using SESSIONS.

通常这样做的方法是使用SESSIONS。

You can do a:

你可以这样做:

session_start();

at the beginning of your script and then use:

在脚本的开头,然后使用:

$_SESSION['userid'] = $myuserid;

Then, when a page loads back, start_session() again and look into $_SESSION to see if your userid is there. If it is there, load the user data from the database using that user id.

然后,当页面加载时,再次start_session()并查看$ _SESSION以查看您的用户ID是否存在。如果存在,请使用该用户ID从数据库加载用户数据。

For example:

'SELECT * FROM users_table WHERE id = '.$_SESSION['userid'];

Note that there many more considerations regarding security that you should implement, lookup the session section in php.net for more info:

请注意,您应该实现更多有关安全性的注意事项,请在php.net中查找会话部分以获取更多信息:

http://www.php.net/sessions/

Good luck

#3


1  

your query is safe from SQL-injection, though the mysql_real_escape_string call on the $_POST['password'] is unnecessary as when run through md5() the output will only contain alphanumeric characters and cannot contain SQL commands.

虽然对$ _POST ['password']的mysql_real_escape_string调用是不必要的,但是你的查询对于SQL注入是安全的,因为当运行md5()时,输出将只包含字母数字字符并且不能包含SQL命令。

As for sessions, that is another matter. Many PHP developers make use of PHP's default sessions through use of functions like session_start() being called on each page that needs to support sessions, and storing information that needs to be on each page in the $_SESSION superglobal. Check out the PHP documentation for sessions over here: http://us3.php.net/manual/en/book.session.php

至于会议,这是另一回事。许多PHP开发人员通过使用在需要支持会话的每个页面上调用session_start()等函数来使用PHP的默认会话,并在$ _SESSION超全局中存储需要在每个页面上的信息。查看以下会话的PHP文档:http://us3.php.net/manual/en/book.session.php

With that being said, a custom session implementation can achieve greater security and efficiency, but that takes a good deal more work.

话虽如此,自定义会话实现可以实现更高的安全性和效率,但这需要更多的工作。