我正在为我的项目使用 jsGrid。在此处查看原始源代码我想在 fetch 中传递一个额外的变量调用 $user_session 以用于 mysql 选择查询.php但失败了。以下是我一直在尝试的内容。<script>var user_session = "<?php echo $user_session; ?>"; //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<//...... controller: { loadData: function(){ return $.ajax({ type: "GET", url: "fetch_data.php", data: {user_session:user_session} //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< }); }, //......这是回迁.php文件<?phpif($method == 'GET'){ $user_session = $_GET['user_session']; //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< $query = "SELECT * FROM sample_data WHERE first_name=? ORDER BY id DESC"; $statement = $connect->prepare($query); $statement->execute($user_session); //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< $result = $statement->fetchAll(); foreach($result as $row) { $output[] = array( 'id' => $row['id'], 'first_name' => $row['first_name'], 'last_name' => $row['last_name'], 'age' => $row['age'], 'gender' => $row['gender'] ); } header("Content-Type: application/json"); echo json_encode($output);}//......?>正确的方法是什么?
3 回答
慕田峪7331174
TA贡献1828条经验 获得超13个赞
首先,任何人都可以在浏览器中打开开发控制台并开始模糊会话ID。当您正确准备查询,化解sql注入时,它并不能保护您免受IDOR的侵害,或者,我可以通过重复查询您的应用程序来枚举您的用户。
如果您真的想在客户端传递会话ID,也许您可以考虑使用cookie,因为它不太容易被普通用户编辑。
梵蒂冈之花
TA贡献1900条经验 获得超5个赞
我可以通过这种方式做到这一点。
<script>
//......
controller: {
loadData: function(filter){
var user_session = "<?php echo $user_session; ?>"; //<<<<<<<<<<<<<<<<<<<<<<<<<<<
return $.ajax({
type: "GET",
url: "fetch_data.php",
data: {filter,
user_session:user_session //<<<<<<<<<<<<<<<<<<<<<<<<<<<
},
});
},
//......
</script>
在获取中.php我这样做。
<?php
if($method == 'GET')
{
$user_session = $_GET['user_session'];//<<<<<<<<<<<<<<<<<<<<<<<<<<<
$query = "SELECT * FROM sample_data WHERE first_name=? ORDER BY id DESC";
$statement = $connect->prepare($query);
$statement->execute([$user_session]); //<<<<<<<<<<<<<<<<<<<<<<<<<<<
$result = $statement->fetchAll();
foreach($result as $row)
{
$output[] = array(
'id' => $row['id'],
'first_name' => $row['first_name'],
'last_name' => $row['last_name'],
'age' => $row['age'],
'gender' => $row['gender']
);
}
header("Content-Type: application/json");
echo json_encode($output);
}
//......
?>
手掌心
TA贡献1942条经验 获得超3个赞
最后,我找到了更好的方法。
我可以直接在抓取.php内调用$user_会话。
<?php
require('user_session.php'); //<<<<<<<<<<<<<<<<<<<<<<<<<<<
require('includes/db.php');
$method = $_SERVER['REQUEST_METHOD'];
if($method == 'GET')
{
$query = "SELECT * FROM sample_data WHERE first_name=? ORDER BY id DESC";
$statement = $conn->prepare($query);
$statement->execute([$user_session]); //<<<<<<<<<<<<<<<<<<<<<<<<<<<
$result = $statement->fetchAll();
foreach($result as $row)
{
$output[] = array(
'ChildID' => $row['ChildID'],
'Name' => $row['Name'],
'BirthDate' => $row['BirthDate'],
'Gender' => $row['Gender'],
'StudyorWorking' => $row['StudyorWorking'],
'CourseorOccupation' => $row['CourseorOccupation'],
'Married' => $row['Married']
);
}
header("Content-Type: application/json");
echo json_encode($output);
}
?>
- 3 回答
- 0 关注
- 113 浏览
添加回答
举报
0/150
提交
取消