I log in a user, and in my PHP script, I make a session variable and assign username to it (as it is unique).
我登录一个用户,在我的PHP脚本中,我创建一个会话变量并为其分配用户名(因为它是唯一的)。
<?php
session_start();
//$username= getting username from database and all after loggin
$_SESSION['user_of_mywebsie']=$username;
// using $username now
Now is this the right and safe way? If not, what can be done? Now session is created with username in it ..
现在这是正确而安全的方式吗?如果没有,可以做些什么?现在使用用户名创建会话..
$sql_query=mysql_query("SELECT * FROM people WHERE username='$_SESSION['user_of_mywebsite']'");
while($row=mysql_fetch_assoc($sql_query))
{
$name=$row['name'];
$profile_pic=$row['pro_pic_location'];
}
//now i will use $name and $profile_pic furthur
4 个解决方案
#1
2
No not correct. Your code is vulnerable to SQL injection. What if my username is something like Robert'); DROP TABLE Students;--?
不,不正确。您的代码易受SQL注入攻击。如果我的用户名像Robert'),该怎么办? DROP TABLE学生; - ?
You should really at the very minimum escape the data or even better use prepared statements and bound parameters.
您应该至少逃避数据,甚至更好地使用预准备语句和绑定参数。
How can I prevent SQL injection in PHP?
如何在PHP中阻止SQL注入?
Also you are using a deprecated database API. Either use mysqli_* or PDO.
您还使用了不推荐使用的数据库API。使用mysqli_ *或PDO。
#2
1
This is totally right ! The $_SESSION var will only contain info for a specific visitor of your website, regardless whatever you have written into the $_SESSION (but, to be fair, there are some possibilties to read "foreign" sessions, for example when using shared hosting or multi-app-setups etc).
这是完全正确的! $ _SESSION var将仅包含您网站的特定访问者的信息,无论您写入$ _SESSION的是什么(但是,公平地说,有一些可能会阅读“外国”会话,例如使用共享托管或多应用程序设置等)。
I'm doing it exactly like this (which is nearly same as yours)
我正是这样做的(和你的几乎一样)
$_SESSION['user_name'] = $result_row->user_name;
in my PHP login script (which is the most starred, downloaded and forked one on github, and has been checked by some people who are very picky). See more of the script here on github.
在我的PHP登录脚本中(这是github上最明星,下载和分叉的脚本,并且已被一些非常挑剔的人检查过)。在github上查看更多脚本。
#3
1
This will store the username in the session, but is not particularly secure.
这会将用户名存储在会话中,但不是特别安全。
If the only thing you are holding in the session is the username, this is probably fine, but if you have personal information stored in the users session, you might want to think about adding some security.
如果您在会话中唯一持有的是用户名,这可能没问题,但如果您在用户会话中存储了个人信息,则可能需要考虑添加一些安全性。
I found this handy looking quick tutorial for session safety http://phpsec.org/projects/guide/4.html
我找到了这个方便快捷的会话安全教程http://phpsec.org/projects/guide/4.html
Furthermore, If you are new to php programming, it is probably better to use one of the frameworks that implements user management, as this has been done many times before, tested and perfected. No need to reinvent the wheel here.
此外,如果您不熟悉php编程,最好使用其中一个实现用户管理的框架,因为之前已经多次完成,测试和完善。无需在这里重新发明*。
If you do use a framework, you can check out this question about frameworks and user management and particularly this answer : https://*.com/questions/10153619/looking-for-a-well-written-user-management-framework#10624058
如果您使用框架,可以查看有关框架和用户管理的问题,特别是这个答案:https://*.com/questions/10153619/looking-for-a-well-written-user-management-framework #10624058
#4
0
It will work, but you have to pay attention to two things:
它会起作用,但你必须注意两件事:
- you have to be sure that there are NOT two or more users with the same name;
- 你必须确保没有两个或更多用户具有相同的名称;
- what happens if a loggedin user (username whom session is valid) is deleted and another with the same name is created?
- 如果已删除登录用户(会话有效的用户名)并创建另一个具有相同名称的用户,会发生什么?
In those cases it may happens that a user still in session can find itself logged in... but as another user!
在这些情况下,可能会发生仍在会话中的用户发现自己已登录...但作为另一个用户!
Try to put a unique userid in session instead.
尝试在会话中添加唯一的用户ID。
#1
2
No not correct. Your code is vulnerable to SQL injection. What if my username is something like Robert'); DROP TABLE Students;--?
不,不正确。您的代码易受SQL注入攻击。如果我的用户名像Robert'),该怎么办? DROP TABLE学生; - ?
You should really at the very minimum escape the data or even better use prepared statements and bound parameters.
您应该至少逃避数据,甚至更好地使用预准备语句和绑定参数。
How can I prevent SQL injection in PHP?
如何在PHP中阻止SQL注入?
Also you are using a deprecated database API. Either use mysqli_* or PDO.
您还使用了不推荐使用的数据库API。使用mysqli_ *或PDO。
#2
1
This is totally right ! The $_SESSION var will only contain info for a specific visitor of your website, regardless whatever you have written into the $_SESSION (but, to be fair, there are some possibilties to read "foreign" sessions, for example when using shared hosting or multi-app-setups etc).
这是完全正确的! $ _SESSION var将仅包含您网站的特定访问者的信息,无论您写入$ _SESSION的是什么(但是,公平地说,有一些可能会阅读“外国”会话,例如使用共享托管或多应用程序设置等)。
I'm doing it exactly like this (which is nearly same as yours)
我正是这样做的(和你的几乎一样)
$_SESSION['user_name'] = $result_row->user_name;
in my PHP login script (which is the most starred, downloaded and forked one on github, and has been checked by some people who are very picky). See more of the script here on github.
在我的PHP登录脚本中(这是github上最明星,下载和分叉的脚本,并且已被一些非常挑剔的人检查过)。在github上查看更多脚本。
#3
1
This will store the username in the session, but is not particularly secure.
这会将用户名存储在会话中,但不是特别安全。
If the only thing you are holding in the session is the username, this is probably fine, but if you have personal information stored in the users session, you might want to think about adding some security.
如果您在会话中唯一持有的是用户名,这可能没问题,但如果您在用户会话中存储了个人信息,则可能需要考虑添加一些安全性。
I found this handy looking quick tutorial for session safety http://phpsec.org/projects/guide/4.html
我找到了这个方便快捷的会话安全教程http://phpsec.org/projects/guide/4.html
Furthermore, If you are new to php programming, it is probably better to use one of the frameworks that implements user management, as this has been done many times before, tested and perfected. No need to reinvent the wheel here.
此外,如果您不熟悉php编程,最好使用其中一个实现用户管理的框架,因为之前已经多次完成,测试和完善。无需在这里重新发明*。
If you do use a framework, you can check out this question about frameworks and user management and particularly this answer : https://*.com/questions/10153619/looking-for-a-well-written-user-management-framework#10624058
如果您使用框架,可以查看有关框架和用户管理的问题,特别是这个答案:https://*.com/questions/10153619/looking-for-a-well-written-user-management-framework #10624058
#4
0
It will work, but you have to pay attention to two things:
它会起作用,但你必须注意两件事:
- you have to be sure that there are NOT two or more users with the same name;
- 你必须确保没有两个或更多用户具有相同的名称;
- what happens if a loggedin user (username whom session is valid) is deleted and another with the same name is created?
- 如果已删除登录用户(会话有效的用户名)并创建另一个具有相同名称的用户,会发生什么?
In those cases it may happens that a user still in session can find itself logged in... but as another user!
在这些情况下,可能会发生仍在会话中的用户发现自己已登录...但作为另一个用户!
Try to put a unique userid in session instead.
尝试在会话中添加唯一的用户ID。