2016-04-05 22:07
浏览 51

使用超全局$ _SESSION变量验证表单是否安全?

I have a form and when I submit it, I do an AJAX call to my server. On the server-side, I verify the informations by comparing them with some variables in the superglobale $_SESSION like below :

HeCanBuyIt = $ajaxData->priceProduct <= $_SESSION["user"]->moneyOfUser;

I am not sure if it is safe or not to do that (Can the user change the "moneyOfUser" variable in his session?).

I can also read the user from the database but it cost the time of a SELECT... I know it's not so slow but I prefer the fastest way.

  • 写回答
  • 好问题 提建议
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • doudu2515 2016-04-05 22:15

    All values in the $_SESSION variable are stored only on the server. The client is only given a session ID, which is stored in a cookie in their browser. There is no way for a user to view or manipulate the values in their $_SESSION unless you have explicitly coded that into your program.

    See also: How do PHP sessions work? (not "how are they used?")

    解决 无用
    打赏 举报

相关推荐 更多相似问题