会话变量（$ _ SESSION）是否需要任何类型的清理

I've got a register form which works without issues, but recently it has been pointed out to me that it's a bad habit for UX , for example, if an account already exists, and I redirect the user back to the registration page, without re-populating the form he filled and only display an error message.

So I quickly figured out a nice way to fix this, if after the initial registration data checks out and an account with the respective e-mail already exists, I could just create a $_SESSION storing the $_POST data, and destroy it after re-populating the user's form.

Now my question is: are $_SESSION variables vulnerable to any type of attack, or I can go ahead and store the raw input data inside the $_SESSION, and escape it with htmlspecialchars() when re-populating the form ?

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

3条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
du3932066 2014-12-30 18:45
关注
Variables in session are not vulnerable to attacks within the session. However, using those variables in other places may open up holes. For example, just because you put a get/post variable in session doesn't mean that it magically can be used directly in a query. It could still cause SQL injection issues. When considering stuff like this, you have to think about where the data originated. If it started from some sort of user input, consider it dirty.

The only place this might be a problem is if the data sent is really large and you are just blindly assigning $_SESSION['POST'] = $_POST;. There shouldn't be an issue with overflow or stuff like that. The problem will be more that php has to unserialize the data at the start of a request and reserialize at the end (typically only if a change has happened). This unserialize/serialize takes time (it may be quick, but still). I would suggest just assigning only the values you want to save.

本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

查看更多回答(2条)

报告相同问题？

关注问题

会话变量（$ _ SESSION）是否需要任何类型的清理 php
2014-12-30 18:39

回答 3 已采纳 Variables in session are not vulnerable to attacks within the session. However, using those variab
是否可以从其他会话中访问$ _SESSION变量？ php
2013-07-29 17:42

回答 4 已采纳 This is very difficult to do with the default file based PHP sessions. By default PHP just stores
PHP Session（$ _SESSION []）正在工作甚至破坏会话 php
2013-05-26 12:11

回答 2 已采纳 After using session_destroy(), the session cookie is removed and the session is no longer stored o
php之$_SESSION的理解,session原理总结
2021-04-21 00:56

辉浪子的博客我不生产知识,只做知识的搬运工知其所以然,了解背后的思想,简单复制模仿学不到本质之前在学校的时候，只知道session与cookie的区别在于：session是保存在服务器端，cookie保存在客户端。session怎么样保存的？以...
PHP $ _SESSION，尝试访问用户表时不显示输出，当会话被终止时，会话保持活动状态 php
2018-07-24 16:04

回答 2 已采纳 (this is a comment, but its a bit long) As ADyson says, this is very confused coding. Neither you
在php中保存会话变量中的所有$ _GET变量，并再次通过$ _GET访问它们 php
2013-02-12 19:48

回答 2 已采纳 Don't do this. But to save: <?php session_start(); $_SESSION["GET"] = $_GET; ?> and to
代码不能引用我之前设置的会话（PHP 7.2） html php
2019-03-30 06:59

回答 2 已采纳 The default PHP session handling is to use cookies via a header. The fact that you get an error wh
PHP的$_SESSION变量
2016-08-11 17:56

Mr_琅的博客对于PHP变量$_SESSION使用及销毁的注意点。
实现PHP会话令牌时出现问题 html php
2018-08-29 15:41

回答 1 已采纳 There's a few problems with your code: token.php needs to output the token. Which is as simple as
会话user_name无法启动或工作[关闭] php
2015-12-04 14:10

回答 2 已采纳 1.) session_start() should be first line of your code in php, in any case session_start() must com
包含会话时我不能使用$ _FILES javascript php
2018-10-09 12:26

回答 1 已采纳 I actually figured it out. So my session was being included before I actually added it, to fix thi
php 清除指定session,PHP清除、删除Session
2021-04-26 12:53

桔了个仔的博客当使用完一个 Session 变量后，可以将其删除；当完成一个会话后，也可以将其销毁。如果用户想退出 Web 系统，就需要为他提供一个注销的功能，把他的所有信息在服务器中销毁。删除 Session 会话的方法主要有删除单个 ...
PHP - 使用$ _POST更新会话数组 php
2014-08-03 22:50

回答 4 已采纳 It looks like you're resetting the Session array with $_SESSION['items'] = array(); Leaving tha
PHP中的会话控制（二）：session
2017-02-15 18:41

taihet的博客什么是sessionsession是一种会话控制方式，将来访用户的状态信息存放于服务器之中，让其他程序能通过服务器中的文件或数据库，来存取用户信息。与cookie的区别 cookie是将用户信息存放在客户端，所以用户有权阻止...
php 常用session函数,PHP中Session常用的函数详解
2021-04-27 03:23

燕枝的博客 session_start() 会创建新会话或者重用现有会话。如果通过 GET 或者 POST 方式，或者使用 cookie 提交了会话 ID，则会重用现有会话。当会话自动开始或者通过 session_start() 手动开始的时候， PHP 内部会调用会话...
没有解决我的问题, 去提问

悬赏问题

¥15 如何在scanpy上做差异基因和通路富集？
¥20 关于#硬件工程#的问题，请各位专家解答！
¥15 关于#matlab#的问题：期望的系统闭环传递函数为G(s)=wn^2/s^2+2¢wn+wn^2阻尼系数¢=0.707，使系统具有较小的超调量
¥15 FLUENT如何实现在堆积颗粒的上表面加载高斯热源
¥30 截图中的mathematics程序转换成matlab
¥15 动力学代码报错，维度不匹配
¥15 Power query添加列问题
¥50 Kubernetes&Fission&Eleasticsearch
¥15 報錯：Person is not mapped，如何解決？
¥15 c++头文件不能识别CDialog

会话变量（$ _ SESSION）是否需要任何类型的清理

3条回答 默认 最新

悬赏问题

3条回答默认最新