
The correct way to use sessions?

I'm fairly new to PHP.

I've made a login system for my website and I'm wondering if I'm going about this the right way. On my login.php that processes the login request I have created session variables to use on my site. I am wondering if this is the most efficient/secure way to store the user's data.

This method seems to work quite well for me. But let's say I require data from another table not included in my users table. How would I go about getting that info and storing it into a session? Does this leave my users vulnerable due to the browser having all this information? Or am I getting a completely wrong understanding of sessions?

<?php
/* User login process, checks if user exists and password is correct */

// $_SESSION is only available after the session has been started
// (this may already happen in an included file, but it must happen once)
session_start();

// Escape email to protect against SQL injections
$email = $mysqli->escape_string($_POST['email']);
$result = $mysqli->query("SELECT * FROM users WHERE email='$email'");

if ($result->num_rows == 0) { // User doesn't exist
    $_SESSION['message'] = "User with that email doesn't exist!";
    header("location: error.php");
    exit; // header() does not stop the script; without exit the code below still runs
} else { // User exists
    $user = $result->fetch_assoc();

    if ( password_verify($_POST['password'], $user['password']) ) {

        // Issue a fresh session id on login so an id set before authentication
        // cannot be reused by someone else (session fixation)
        session_regenerate_id(true);

        $_SESSION['email'] = $user['email'];
        $_SESSION['user_name'] = $user['user_name'];
        $_SESSION['active'] = $user['active'];
        $_SESSION['paid'] = $user['paid'];
        $_SESSION['bitaddress'] = $user['bitaddress'];
        $_SESSION['id'] = $user['id'];
        $_SESSION['firstName'] = $user['firstName'];
        $_SESSION['lastName'] = $user['lastName'];

        // This is how we'll know the user is logged in
        $_SESSION['logged_in'] = true;

        header("location: checksum.php");
        exit;
    } else {
        $_SESSION['message'] = "You have entered wrong password, try again!";
        header("location: error.php");
        exit;
    }
}

You should create methods for sessions, like:

// PHP built-ins such as session_start() and session_destroy() cannot be
// redeclared (doing so is a fatal error), so the wrappers get their own names.
function app_session_start() {
  session_start();
}
function app_session_set($key, $value) {
  return $_SESSION[$key] = $value;
}
function app_session_destroy() {
  $_SESSION = []; // clear the data in memory as well as the stored session
  session_destroy();
}

As long as you use different keys, you can store data from many tables (or any other values).

Sessions are stored on the server side, so your browser does not have this information. There are still vulnerabilities though, see session hijack https://www.owasp.org/index.php/Session_hijacking_attack .

In general, you use the sessions well.
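Putting the answer's advice into practice, as an added example that is not part of the original question or answer: keep only the user id (and a login flag) in the session, fetch rows from any other table on demand with that id, and add the mitigations that the linked session-hijacking page calls for (cookie flags, a new session id on login, and a weak client binding). The `subscriptions` table, the `$mysqli` connection and the column names are assumptions for the illustration; the code assumes PHP 7.3 or later and the mysqlnd driver (for `get_result()`).

```php
<?php
// Added example, not the original poster's code. Assumes an open mysqli
// connection in $mysqli; the 'users' and 'subscriptions' tables are hypothetical.

// Cookie flags must be set before the session starts: HttpOnly keeps the id
// away from JavaScript, Secure restricts it to HTTPS, SameSite=Lax limits CSRF.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

function clientBinding(): string
{
    // Weak binding of the session to the client; a stolen cookie must also match it.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function login(mysqli $mysqli, string $email, string $password): bool
{
    // Prepared statement instead of escape_string(): no quoting mistakes possible.
    $stmt = $mysqli->prepare('SELECT id, password FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();

    // Verify against a throwaway hash when the user is missing so that
    // "no such user" and "wrong password" take similar time and return the
    // same result; the caller shows one generic message for both.
    $hash = $user['password'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if (!$user || !password_verify($password, $hash)) {
        return false;
    }

    // New session id on privilege change defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['user_id']   = (int) $user['id'];
    $_SESSION['logged_in'] = true;
    $_SESSION['binding']   = clientBinding();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Data from another table is read when it is needed, keyed by the id in the
// session; nothing from 'subscriptions' is copied into $_SESSION, so it can
// never go stale there (e.g. after a payment or a ban).
function currentSubscription(mysqli $mysqli): ?array
{
    if (empty($_SESSION['logged_in'])) {
        return null;
    }
    if (($_SESSION['binding'] ?? '') !== clientBinding()) {
        logout(); // client changed under a live session: treat it as hijacked
        return null;
    }
    $userId = $_SESSION['user_id'];
    $stmt = $mysqli->prepare('SELECT plan, paid, expires_at FROM subscriptions WHERE user_id = ?');
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}
```

The user-agent binding is deliberately weak (an attacker who captures the cookie can usually capture the User-Agent too); it catches careless reuse, not a determined attacker, and should not be mistaken for a substitute for TLS, the cookie flags, and a short idle timeout.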

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to reproduce them, please credit this site's URL or the original source. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM