drui0508 2014-10-16 21:58
Views: 40
Accepted

Adding a full query to a PHP session variable?

I've never thought of doing this before, and am unsure of the risks. It's a one-time session value for each page, replaced by the next page visited.

What's the security risk, if any, of doing something like the following?

$_SESSION['somename'] = "SELECT `something` FROM `table` WHERE `something`='blah'";

Is this a safe method? If not, what's a safer method to store a one-time query that will be replaced?

It's probably safer to store queries within a temporary MySQL table, but I want to avoid additional MySQL calls.


2 answers

  • drgbpq5930 2014-10-16 22:08

    It is not a safe way to set a variable with PHP, due to the potential of exposing table names that can potentially be DROPPED via SQL injection. Now, session variables are stored on the server and cannot be accessed by the browser. However, why introduce a bad habit that could cause someone less savvy on your dev team to use that to set a cookie? Then you have a large problem that started out being benign. It is better to just place data in your PHP session variables that acts as a user identifier.

    This answer was selected as the best answer by the asker.
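The three patterns discussed above, worked through as an added example (not code from the question or the answer): the query string stored whole in the session as the asker proposes, the same habit after someone has moved the string into a cookie as the answer warns, and the alternative of storing only the lookup inputs and rebuilding the statement from a fixed template with bound parameters. It uses an in-memory SQLite database through PDO so it runs offline with `php example.php`; the `items` table, its `secret` column, the `runLookup()` function, the `ALLOWED_TABLES` allowlist and the plain arrays standing in for `$_SESSION` and `$_COOKIE` are all assumptions of this example.

```php
<?php
// Added example, not from the original post. Shows why storing SQL text in a
// session-like store is fragile and what to store instead. Runs offline.
declare(strict_types=1);

// Constructed fixture: a small table with a column the user should not see.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, something TEXT, secret TEXT)');
$pdo->exec("INSERT INTO items (something, secret) VALUES ('blah', 'owner-only'), ('other', 'also-hidden')");

// Stand-ins for $_SESSION (server-side) and $_COOKIE (client-controlled) so no
// HTTP request or session_start() is needed. In a real request $_COOKIE holds
// whatever bytes the browser chose to send.
$session = [];
$cookie  = [];

// 1. The pattern from the question: the whole query lives in the session.
//    Nothing the browser sends reaches this string, so it is not injectable
//    by itself; the risk is in the habit, not this line.
$session['somename'] = "SELECT `something` FROM `items` WHERE `something`='blah'";
$rows = $pdo->query($session['somename'])->fetchAll(PDO::FETCH_ASSOC);
printf("Session-stored query returned %d row(s)\n", count($rows));

// 2. The failure mode the answer warns about: same habit, but the query string
//    now comes from a cookie. Whatever the client sends is executed verbatim.
//    Constructed hostile cookie value standing in for a tampered browser cookie.
$cookie['somename'] = "SELECT `something`, `secret` FROM `items`";
$rows = $pdo->query($cookie['somename'])->fetchAll(PDO::FETCH_ASSOC);
printf("Cookie-stored query returned %d row(s), each exposing 'secret'\n", count($rows));

// 3. Safer: keep only the *inputs* to the query in the session, never SQL text,
//    and rebuild the statement from a fixed template with a bound parameter.
//    Identifiers (table names) cannot be bound, so they go through an allowlist.
const ALLOWED_TABLES = ['items' => true];

function runLookup(PDO $pdo, array $lookup): array
{
    $table = $lookup['table'] ?? '';
    if (!isset(ALLOWED_TABLES[$table])) {
        // Rejected before any SQL is built; the name is never interpolated.
        throw new InvalidArgumentException("table not permitted: {$table}");
    }
    // $table is now a known-good literal from our own allowlist.
    $stmt = $pdo->prepare("SELECT `something` FROM `{$table}` WHERE `something` = :value");
    $stmt->execute([':value' => (string) ($lookup['value'] ?? '')]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// What the session now carries is data, not a statement.
$session['lookup'] = ['table' => 'items', 'value' => 'blah'];
$rows = runLookup($pdo, $session['lookup']);
printf("Parameterised lookup returned %d row(s)\n", count($rows));

// A hostile value is compared as a string, not parsed as SQL: zero rows, no error.
$rows = runLookup($pdo, ['table' => 'items', 'value' => "blah' OR '1'='1"]);
printf("Hostile value matched %d row(s)\n", count($rows));

// An unexpected table name never reaches the database.
try {
    runLookup($pdo, ['table' => 'sqlite_master', 'value' => 'x']);
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), "\n";
}
```

The point of step 3 is that the session ends up holding what the asker actually wanted to remember between pages (which table, which value) while the SQL itself stays in code, so moving the stored data into a cookie later would be a leak of a lookup key rather than of an executable statement.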
