堆栈内存溢出
  简体   繁体   English

通过jquery javascript函数使用SESSION变量更新MySQL

[英]Updating MySQL using SESSION variables via a jquery javascript function

 原文  2009-03-13 02:14:16       php/ jquery/ mysql

问题描述

I currently have a javascript file 'score.js' which makes use of jQuery.js, which is being called correctly via a link. 我目前有一个javascript文件“ score.js”,该文件利用了jQuery.js,可以通过链接正确调用它。 The code in score.js is: score.js中的代码是: 

function originalUpdateScore(answer,correct){
if (answer == correct) 
{    
$.post('updateScore.php');  
}
window.location.reload(true);
}

This function calls 'updateScore.php': 该函数调用“ updateScore.php”: 

<?php
include("dbstuff.inc");
$con = mysqli_connect($host, $user, $passwd, $dbname)
or die ("Query died: connection");  

$updateScore = "UPDATE `user` SET `tempScore`=`tempScore`+1
    WHERE (user.Username='$_SESSION[logname]')";

mysqli_query($con, $updateScore);

?>

However the database is not being updated correctly. 但是,数据库未正确更新。 If I replace the line: 如果我替换行: 

$updateScore = "UPDATE `user` SET `tempScore`=`tempScore`+1 
               WHERE (user.Username='$_SESSION[logname]')";

with: 与: 

$updateScore = "UPDATE `user` SET `tempScore`=`tempScore`+1 
               WHERE (user.Username='123pf')";

Where 123pf is the value that the SESSION variable contains in the php file calling the javascript it updates correctly. 其中123pf是SESSION变量包含在调用javascript的php文件中的值,它可以正确更新。 Why does using the session variable not work? 为什么使用会话变量不起作用? Am I calling it incorrectly in the query? 我在查询中打错了吗?

Thanks in advance. 提前致谢。

3 个解决方案

解决方案1
 5  2009-03-13 02:19:29

Are you calling session_start anywhere inside updateScore.php? 您要在updateScore.php内的任何地方调用session_start吗?

If you haven't started the session I do not believe that session variables will be available. 如果您尚未开始会话,那么我认为会话变量将不可用。

解决方案2
 1  2009-03-13 02:47:16

also, do you have complete control over $_SESSION['logname']? 此外,您是否完全控制$ _SESSION ['logname']? If not, someone could easily change their logname to inject SQL and damage/compromise your database. 如果不是这样,某人可以轻松更改其登录名以注入SQL并破坏/破坏您的数据库。 For example, if they were able to set their logname to be this, you could lose your user table: 例如,如果他们能够将其日志名设置为此,则可能会丢失用户表: 

$_SESSION['logname']="'; DROP TABLE user;-- ";

You're opening yourself right up to cheaters by playing like this. 通过这样的游戏,您可以向作弊者敞开大门。 Under this scenario, any user could visit updateScore.php at any time to increase their stats, since that script neither checks their answer nor checks for a token that the JS builds to say the score is ok. 在这种情况下,任何用户都可以随时访问updateScore.php以增加其统计信息,因为该脚本既不会检查其答案,也不会检查JS构建的令牌以表明分数还可以。 It is a bad idea to keep this kind of logic on the front-end (javascript) without also having it verified on the back end (PHP); 将这种逻辑保留在前端(javascript)而不在后端(PHP)进行验证是一个坏主意; javascript & AJAX are very helpful shortcuts that can improve user experience, but they cannot be trusted as sole validity checkers. javascript和AJAX是非常有用的快捷方式,可以改善用户体验,但是它们不能被视为唯一的有效性检查器。

解决方案3
 0  2009-03-13 13:17:35

这可能只是转录错误,但是您在问题中显示的代码使用$ _SESSION [logname],应该为$ _SESSION ['logname']。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 通过onClick javascript函数使用PHP更新MySql数据库 - Updating a MySql database using PHP via an onClick javascript function 在链接直接之前通过javascript / jquery清空PHP Session变量 - Emptying PHP Session variables via javascript/jquery before Link direct 使用Ajax更新$ _SESSION变量 - Updating $_SESSION variables using Ajax 使用javascript函数和变量结合PHP和MYSQL - Using javascript function and variables in combination with PHP and MYSQL 在函数上使用$ _SESSION变量 - Using $_SESSION variables on a function 通过jQuery Ajax更新MySQL语句不起作用 - Updating MySQL statement via jQuery Ajax not working 更新会话变量 - Updating session variables PHP的不更新会话变量? - php not updating session variables? 使用jQuery Ajax更新PHP会话变量 - Updating PHP session variable using jQuery Ajax PHP会话变量不更新 - php session variables not updating
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM