mysql和php-根据登录的用户从数据库中检索数据
[英]mysql and php - Retrieving data from database based on user logged in
问题描述
before I go ahead and attempt to create a website, I wanted to know if pulling a users content from a database depending on which user is logged in can be determined by a $_SESSION variable. 
在继续尝试创建网站之前,我想知道是否可以通过$ _SESSION变量确定是否根据登录的用户从数据库中提取用户内容。 So for example if I want all the messages for user 'example': 因此,例如,如果我想要用户“ example”的所有消息:
$_SESSION['username'] = $_POST['username'] // set when the user logs in
$username = $_SESSION['username']
$data = mysql_query("Select * from messagesTable where username = '$username'")
while($row = mysql_fetch_array($data)) {
echo $row['message']
}
I wanted to know if this would be the right way to do something like this and also if its safe to return (personal) data based on a session variable. 我想知道这是否是执行类似操作的正确方法,以及它是否可以安全地基于会话变量返回(个人)数据。
I haven't got that much experience in either of these languages but I like to learn with experience, please tell me if it's not clear. 我在这两种语言中都没有太多的经验,但是我想学习经验,请告诉我不清楚的地方。 Thanks. 谢谢。
4 个解决方案
解决方案1
3 已采纳 2011-12-29 02:58:15
It is safe to return user data based on a $_SESSION variable if you are certain of its validity because you set it yourself in code. 如果您确定$_SESSION变量的有效性,那么可以安全地返回该用户数据,因为您可以自己在代码中进行设置。 It is not safe to return data based on a session variable that you get from $_POST . 根据从$_POST获得的会话变量返回数据是不安全的 。
You initially set 您最初设定
$_SESSION['username'] = $_POST['username'];
So unless you have verified with a password or otherwise that this user is who he claims to be, you should not use $_POST['username'] to return other information. 因此,除非您已使用密码验证或以其他方式确认此用户是他声称的身份,否则您不应使用$_POST['username']返回其他信息。 If your login process (which we cannot see above) already verifies that $_POST['username'] is valid, you can use it as a source to retrieve additional information. 如果您的登录过程(我们在上面看不到)已经验证了$_POST['username']有效,则可以将其用作检索其他信息的源。
You will need also to filter against SQL injection: 您还需要过滤SQL注入:
$_SESSION['username'] = mysql_real_escape_string($_POST['username']);
解决方案2
0 2011-12-29 02:57:02
这不是标准的,并且可能不安全,因为即使无法打开浏览器选项卡,phpsession仍保持打开状态,因为直到关闭浏览器后cookie才会缓和,您也可以将post参数发送到网站,并且也可以获取信息,因此登录脚本要高级一些,您可以像具有在登录时生成的唯一键,当它们使用javascript离开站点时删除Cookie之类的东西。
解决方案3
0 2011-12-29 03:02:30
It wouldnt be the correct way to do it no. 这不是正确的方法。
May i suggest you go read the php/mysql docs and or a good book before attempting a website. 我可以建议您在尝试建立网站之前先阅读php / mysql文档或一本好书。
You also need to look into security(session hijacking, cross scripting, mysql attacks, form tokens, login systems, user roles/permissions). 您还需要研究安全性(会话劫持,交叉脚本,mysql攻击,表单令牌,登录系统,用户角色/权限)。 Google search is your friend... Google搜索是您的朋友...
解决方案4
-2 2017-03-24 11:49:11
<?php
session_start();
$username="";
if($_SESSION['username']==true){
$username=$_SESSION['username'];
$conn=mysql_connect('localhost','user','passwd') or die("Unable
to connect to database" .mysql_error());
mysql_select_db('DBName') or die(mysql_error());
$sql="SELECT * FROM tablename WHERE username='$username'";
$retval=mysql_query($sql, $conn) or die("Could not perform query"
.mysql_error());
while($row=mysql_fetch_array($retval)){
echo {$row['message']};
}
mysql_free_result($retval);
mysql_close($conn);
}
else{
return false;
header("Location:login.php");
}
?>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.