PHP SESSION在网站中是否安全,用于插入MySql数据
[英]Is PHP SESSION safe in website for inserting MySql data
问题描述
I have a website where I create session of a UserID if login Successful . 
我有一个网站,如果登录成功,我会创建一个UserID的会话。
$email = mysql_real_escape_string($_POST["email"]);
if(LOGIN SUCCESSFUL) {
$_SESSION['userID'] = $email;
}
Then in whole site where ever I enter any data into MySql, I insert user_id from $_SESSION['userID'] 然后在我将任何数据输入MySql的整个站点中,我从$_SESSION['userID']插入user_id
I don't know how secure it is, if not please suggest me any secure way to do all this. 我不知道它有多安全,如果没有,请告诉我任何安全的方法来做这一切。
3 个解决方案
解决方案1
5 已采纳 2014-01-18 14:31:31
There's nothing fundamentally wrong with it - anything you store in $_SESSION is, as Barmar already said, reasonable secure. 它没有任何根本性的错误 - 正如Barmar所说,你在$_SESSION存储的任何东西都是合理安全的。 However, using the user's E-Mail as the primary ID internally, and storing the user ID directly in $_SESSION , is not a great idea architecturally. 但是,在内部使用用户的电子邮件作为主ID,并将用户ID直接存储在$_SESSION ,在架构上不是一个好主意。
The more common approach is to be a bit more abstract: store only a session ID in $_SESSION . 更常见的方法是更抽象:在$_SESSION仅存储会话ID。
That ID often points to a "sessions" database table. 该ID通常指向“会话”数据库表。 There is a record for each session in that table, and its status - when it was created, when it's going to time out, whether the user is logged in, etc. 该表中的每个会话都有一条记录,其状态 - 创建时间,超时时间,用户是否登录等。
You can theoretically store all this directly in $_SESSION but then you have no central place where you can see who is currently logged in, which is important for troubleshooting, and log out everyone at once. 理论上你可以将所有这些直接存储在$_SESSION但是你没有中心位置,你可以看到谁当前登录,这对于故障排除很重要,并立即注销所有人。
That "sessions" table will contain a user ID, which points to a separate "users" table. “sessions”表将包含一个用户ID,该用户ID指向单独的“users”表。 That ID is ideally a numeric auto-increment value, and the E-Mail is just a column in the users table. 该ID理想情况下是一个数字自动增量值,而电子邮件只是users表中的一列。 That allows relations to other tables to stay intact even when the E-Mail changes. 即使电子邮件发生变化,这也允许与其他表的关系保持不变。 Using the ID, you can get the E-Mail address from that table. 使用该ID,您可以从该表中获取电子邮件地址。
It's more complicated but it saves you a lot of trouble in edge cases, eg when a user changes their E-Mail address. 它更复杂但在边缘情况下可以省去很多麻烦,例如当用户更改其电子邮件地址时。
解决方案2
3 2014-01-18 14:32:15
Session data is reasonably secure. 会话数据相当安全。 It's held on the server, not the client. 它保存在服务器上,而不是客户端上。 The only thing the client has is a session ID string, which is a random string that the server uses to find the session data in its files. 客户端唯一拥有的是会话ID字符串,它是服务器用于在其文件中查找会话数据的随机字符串。
解决方案3
1 2014-01-18 14:30:13
When inserting anything in a database, make sure it's safe. 在数据库中插入任何内容时,请确保它是安全的。 You're already using mysql_real_escape_string() , which is a good start, since it will prevent most common SQL injection problems (not all though!). 你已经在使用mysql_real_escape_string() ,这是一个很好的开始,因为它可以防止大多数常见的SQL注入问题(尽管不是全部!)。
Since you're expecting an email address, it might also be wise to use filter_var() , since it allows you to check if it is in fact a valid address. 由于您期望使用电子邮件地址,因此使用filter_var()也是明智之举,因为它允许您检查它是否实际上是有效地址。
if (filter_var($email, FILTER_VALIDATE_EMAIL))
{
// Email is valid, do something with it.
}
Once you've made sure it's safe, you can use it in the database where ever you like. 一旦确定它是安全的,您可以在任何您喜欢的数据库中使用它。 You no longer need to escape it for every query, since you've already ensured it is safe. 您不再需要为每个查询转义它,因为您已经确保它是安全的。 If you really want to be safe, use the users ID (not their email), since numeric values are almost impossible to put junk in. 如果你真的想要安全,请使用用户ID(而不是他们的电子邮件),因为数字值几乎不可能放入垃圾邮件。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.