dpglo66848 2015-04-10 07:30
37 views
Accepted

Do I need to prepare and bind $_SESSION variables?

My question is simple, I have this session user:

$user = $_SESSION['user'];

and I want to do a select with it:

select * from online where user='$user' order by id desc LIMIT 1

Do I need to prepare a $_SESSION variable as I do with POST and GET? If I do not, is there a chance of SQL injection?

select * from online where user=? order by id desc LIMIT 1

1 answer

  • dtbrd80422 2015-04-10 07:48

    1. Do I need to prepare a $_SESSION variable as I do with POST and GET?

    Yes you do. It's as unsafe as a normal bald $_POST and $_GET.

    2. If I do not, is there a chance of sql injection?

    There is such a thing as session hijacking, which makes (almost) everything possible with sessions. You definitely need to look into that. As I said before, a session is as unsafe as $_POST and $_GET. So yes, you have a chance of SQL injection.

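As an added illustration of the answer above (not code from the question or the answer), here is the asker's query written both ways with PDO, plus the session-regeneration step the answer's hijacking remark points at. The DSN, credentials and the `online` table layout are assumptions.

```php
<?php
// Added example: the query from the question run unsafely and safely.
// Assumes a MySQL database reachable through the DSN and credentials below.
session_start();

$dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';  // assumed
$pdo = new PDO($dsn, 'app_user', 'secret', [               // assumed credentials
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Unsafe: the session value is interpolated into the SQL text. Whatever is
// in $_SESSION['user'] (set from a login form, or by an attacker holding a
// hijacked session) becomes part of the statement the server parses.
function lastOnlineRowUnsafe(PDO $pdo): ?array
{
    $user = $_SESSION['user'] ?? '';
    $sql  = "select * from online where user='$user' order by id desc LIMIT 1";
    $row  = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Safe: the value is bound as a parameter and sent separately from the SQL
// text, so it is compared against the column and can never alter the query.
function lastOnlineRow(PDO $pdo): ?array
{
    $user = $_SESSION['user'] ?? '';
    $stmt = $pdo->prepare('select * from online where user=? order by id desc LIMIT 1');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Storing the user in the session after a successful login: regenerating the
// session id first means a session id an attacker planted or captured before
// login is not the one that becomes authenticated (session fixation).
function loginUser(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

// Constructed value: a perfectly legitimate username containing a quote.
// lastOnlineRowUnsafe() throws a SQL syntax error on it; lastOnlineRow()
// simply looks up the user "o'brien", which is the point of binding.
loginUser("o'brien");
var_dump(lastOnlineRow($pdo));
```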
