您的位置: 首页  >  技术问答  >  我如何在PHP页面之间共享数据?

我如何在PHP页面之间共享数据?

分类: 技术问答 2022-03-17 16:28:14

我如何在PHP页面之间共享数据?

问题描述:

I have a PHP page and I want to share some data between pages like UserID, password.

I'm learning about sessions and I'm not sure if Im using it correctly.

<?php
require_once('database.inc');
$kUserID = $_POST['kUserID'];
$kPassword = $_POST['kPassword'];

if (!isset($kUserID) || !isset($kPassword)) { 
    header( "Location: http://domain/index.html" ); 
}

elseif (empty($kUserID) || empty($kPassword)) { 
    header( "Location: http://domain/index.html" ); 
} 
else { 
    $user = addslashes($_POST['kUserID']); 
    $pass = md5($_POST['kPassword']); 
    $db = mysql_connect("$sHostname:$sPort", $sUsername, $sPassword) or die(mysql_error()); 
    mysql_select_db($sDatabase) or die ("Couldn't select the database."); 
    $sqlQuery = "select * from allowedUsers where UserID='" . $kUserID . "' AND passwordID='" . $kPassword . "'";
    $result=mysql_query($sqlQuery, $db);
    $rowCheck = mysql_num_rows($result); 
    if($rowCheck > 0){ 
        while($row = mysql_fetch_array($result)){
            session_start();
            session_register('kUserID'); 
            header( "Location: link.php" );
       } 
    } 
    else { 
        echo 'Incorrect login name or password. Please try again.'; 
    } 
} 
?>

我有一个PHP页面,我想在UserID,password等页面之间共享一些数据。 p> \ n

我正在学习会话,我不确定我是否正确使用它。 p> 

 &lt;?php 
require_once('database.inc'  ); 
 $ kUserID = $ _POST ['kUserID']; 
 $ kPassword = $ _POST ['kPassword']; 
 
if(!isset($ kUserID)||!isset($ kPassword)){\  n header(“Location:http://domain/index.html”);  
} 
 
elseif(空($ kUserID)||空($ kPassword)){
 header(“Location:http://domain/index.html”);  
} 
else {
 $ user = addslashes($ _ POST ['kUserID']);  
 $ pass = md5($ _ POST ['kPassword']);  
 $ db = mysql_connect(“$ sHostname:$ sPort”,$ sUsername,$ sPassword)或die(mysql_error());  
 mysql_select_db($ sDatabase)或die(“无法选择数据库。”);  
 $ sqlQuery =“select * from allowedUsers其中UserID ='”。  $ kUserID。  “'和密码ID ='”。  $ kPassword。  “'”; 
 $ result = mysql_query($ sqlQuery,$ db); 
 $ rowCheck = mysql_num_rows($ result);  
 if($ rowCheck&gt; 0){
 while($ row = mysql_fetch_array($ result)){
 session_start(); 
 session_register('kUserID');  
标题(“位置:link.php”); 
} 
} 
其他{
 echo'登录名或密码不正确。 请再试一次。';  
} 
} 
?&gt;  
  code>  pre> 
  div>

For the love of all that is holy, don't use addslashes to prevent SQL injection.

I just owned your site:

Image of your ownt site http://localhostr.com/files/8f996b/Screen+shot+2010-02-23+at+7.49.00+PM.png

Edit: Even worse.

I just noticed that you're attempt at preventing injection via addslashes, isn't even being used!

<?php
$kUserID = $_POST['kUserID'];
$user = addslashes($_POST['kUserID']); // this isn't used
$sqlQuery = "select * from allowedUsers where UserID='"
  . $kUserID . "' AND passwordID='" . $kPassword . "'";

Be aware that session_register() is deprecated in favor of assigning values to the $_SESSION superglobal, e.g.

<?php
    $_SESSION['hashedValue']= '437b930db84b8079c2dd804a71936b5f';
?>

Also be aware that anything stored in a session, especially in a shared-server environment, is fair game. Never store a password, regardless of whether it's hashed or encrypted. I would avoid storing a username as well. If you must use some authentication mechanism between pages using a session variable, I'd recommend using a second lookup table, e.g. logins, and store the username, login time, etc in that table. A hashed value from that table is stored in the session, and each page request checks the time in the table and the hashed value against the database. If the request is either too old or the hash doesn't match, force re-login.

All this and more is available to you in the PHP manual section on sessions.

First, you need to put session_start() at the very beginning of your script. It also needs to go at the start of every script that uses session data. So it would also go at the top of babyRegistration.php.

Second, I would strongly recommend against using session_register() as it relies on register_globals which is off by default for security reasons. You can read more here: http://php.net/manual/en/security.globals.php. You can add/access session variables by using the $_SESSION superglobal:

$_SESSION['kUserID'] = $kUserID;

Last, not really session related, just an observation, your isset check at the top is redundant; empty will return true for an unset/NULL variable, just as you might expect.

At the top of a page

session_start();
$_SESSION['yourvarname']='some value';

then on some other page to retrieve

echo $_SESSION['yourvarname'];
// some value

Oh and about injection,use this on everything going into your db http://us3.php.net/manual/en/function.mysql-real-escape-string.php

You might also wanna rename "database.inc" to "database.inc.php", or properly setup your host to treat ".inc" as PHP:

http://www.namemybabyboy.com/database.inc

<?php
    $sDatabase = 'shayaanpsp';
    $sHostname = 'mysql5.brinkster.com';
    $sPort     = 3306;
    $sUsername = 'shayaanpsp';
    $sPassword = 'XXXX';
    $sTable    = 'allowedUsers';
?>

Just because almost everything turned into avoiding SQL injections. Escaping string is not going to save you from SQL injections. The correct way is using prepared statements. https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php

相关推荐