dpglo66848 2015-04-10 07:30
Views: 37
Accepted

Do I need to prepare and bind $_SESSION variables?

My question is simple, I have this session user:

$user = $_SESSION['user'];

and I want to do a select with it:

select * from online where user='$user' order by id desc LIMIT 1

Do I need to prepare a $_SESSION variable as I do with POST and GET? If I do not, is there a chance of SQL injection?

select * from online where user=? order by id desc LIMIT 1

1 answer

  • dtbrd80422 2015-04-10 07:48

    1. Do I need to prepare a $_SESSION variable as I do with POST and GET?

    Yes, you do. It's as unsafe as a normal bald $_POST and $_GET.

    2. If I do not, is there a chance of SQL injection?

    There is such a thing as Session hijacking, which makes (almost) everything possible with sessions. You definitely need to look into that. As I said before, a Session is as unsafe as a $_POST and $_GET. So yes, you have a chance of SQL injection.

    This answer was selected as the best answer by the asker.
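The two forms of the query from the question in PHP/PDO, as an added example that is not part of the original question or the answer: the interpolated form the answer warns about beside the bound-parameter form, with the session value checked like any other input before use. The DSN, the credentials and the layout of the `online` table (`id` and `user` columns) are assumptions.

```php
<?php
// Added example, not code from the original question or answer.
// Assumed: a MySQL table `online` with columns `id` and `user`, and
// the placeholder DSN / credentials below.
declare(strict_types=1);

session_start();

$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4', // assumed DSN
    'app_user',                                        // assumed
    'change-me',                                       // assumed
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// UNSAFE: the query from the question with $user interpolated. Whatever
// wrote $_SESSION['user'] (login code, a hijacked session) also writes SQL.
function latestOnlineUnsafe(PDO $pdo, string $user): ?array
{
    $sql = "select * from online where user='$user' order by id desc LIMIT 1";
    $row = $pdo->query($sql)->fetch();
    return $row === false ? null : $row;
}

// SAFE: the same query with the session value bound as a parameter. The
// statement text is fixed at prepare() time; the value cannot alter it.
function latestOnline(PDO $pdo, string $user): ?array
{
    $stmt = $pdo->prepare(
        'select * from online where user = ? order by id desc LIMIT 1'
    );
    $stmt->execute([$user]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Treat the session like any other input: check presence and type first.
if (!isset($_SESSION['user']) || !is_string($_SESSION['user'])) {
    http_response_code(401);
    exit('not logged in');
}

$row = latestOnline($pdo, $_SESSION['user']);
echo json_encode($row);
```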
