要理解PHP的include -command [英] To understand PHP's include -command

查看:179
本文介绍了要理解PHP的include -command的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我希望文件 handler_login.php 中的所有变量都可以访问,文件 handler_question.php中我包含 / em>的。 handler_question.php 处理以下表单中的数据。

I would like to have all variables accessible of the file handler_login.php which I include in the file handler_question.php. The handler_question.php processes the data from the following form.

我的form_question.php 

<form method="post" action="handler-question.php">
    <p>Title:
        <input name="question_title" type="text" cols="92" />
    </p>
    <p>Question:
        <div id="wmd-container" class="resizable-textarea">
                <textarea id="input" class="textarea" tabindex="101" rows="15" cols="92" name="question_body" /></textarea>
        </div>
    </p>

    <p>Tags:
        <input name="tags" type="text" cols="92" />
    </p> 

    <input type="submit" value="OK" />
</form>

以下文件是最后一个文件包含的内容

The following file is what the last file includes

我的handler_login.php 

<?php

// independent variables
$dbHost = "localhost";
$dbPort = 5432;
$dbName = "masi";
$dbUser = "masi";
$dbPassword = "123456";

$conn = "host=$dbHost port=$dbPort dbname=$dbName user=$dbUser password=$dbPassword";

// you can store the username and password to $_SESSION variable
$dbconn = pg_connect($conn);

if(!$dbconn) {
    exit;
}

$sql = "SELECT username, passhash_md5, email
    FROM users
    WHERE username = '{$_POST['username']}'
    AND email = '{$_POST['email']}'
    AND passhash_md5 = '{$_POST['password']}';";

$result = pg_query($dbconn, $sql);
if(!$result) {
    exit;
}

$username = $_POST['username'];
$passhash_md5 = md5($_POST['password']);


 // COOKIE setting /*{{{*/

 /* $cookie may look like this:
   variables
        $username = "username"
        $passhash_md5 = "password-in-md5"
   before md5:
        "usernamepasshash_md5"
   after md5:
        "a08d367f31feb0eb6fb51123b4cd3cb7"
 */

$login_cookie = md5(
    $username .
    $passhash_md5
);

$sql3 = "SELECT passhash_md5


            FROM users
            WHERE username=$_POST['username'];";

$password_data_original = pg_query($dbconn, $sql3);

while ($row = pg_fetch_row($data)) {
    $password_original = $row[0];
}

$login_cookie_original = md5(
    $username .
    $password_original
);


// Check for the Cookie
if (isset($_COOKIE['login']) )
{

    // Check if the Login Form is the same as the cookie
    if ( $login_cookie_original == $login_cookie )
    {
        header("Location: index.php");
        die("logged in");
    }
    header("Location: index.php");
    die("wrong username/password");
}
    // If no cookie, try logging them in
else
{
    //Get the Data
    // we do not want SQL injection so we use pg_escape_string
    $sql2 = sprintf("SELECT * from users
                    WHERE passhash_md5='%s',
                    pg_escape_string($login_cookie));
    $raw_user_list = pg_query($dbconn, $sql2);

    if ($user = pg_fetch_row($row_user_list)) {
        setcookie ("login", $login_cookie);
        header("Location: index.php");
        die("logged in");
    } else {
        header("Location: index.php");
        die("wrong username/password");
    }
}

pg_close($dbconn);
?>

最后我的handler_question.php出现问题 

<?php

include 'handler-login.php';                         // This is the problem

$question_body = '{$_POST['question_body']}'        // I get an error right from the beginning
$question_title = '{$_POST['question_title']}'

$sql_questions_question_id = "SELECT question_id FROM users 
                              WHERE username = $username;"
// $username comes from handler_login.php

$questions_question_id = pg_query($dbconn, $sql_questions_question_id);

// to get tags to an array 
$tags = '{$_POST['question_tags']}'; 
$tags_trimmed = trim($tags);
$tags_array = explode(",", $tags_trimmed);

// to save the cells in the array to db
$sql_tags_insert = "INSERT INTO tags (tag, questions_question_id)
                    VALUES (for ($i = 0; $i < count($tags_array); $i++)"


$sql = "SELECT username, passhash_md5, email
    FROM users
    WHERE username = '{$_POST['username']}'       
    AND email = '{$_POST['email']}' 
    AND passhash_md5 = '{$_POST['password']}';";

$result = pg_query($dbconn, $sql);
if(!$result) {
    exit;
}

$username = $_POST['username'];
$passhash_md5 = md5($_POST['password']);


pg_close($dbconn);

?>

如何才能访问handler_login.php的所有变量? by handler_question.php?

推荐答案

我知道这不是你提出的问题的答案,但是因为你标记了我想这个初学者比如说,你不能信任来自用户的任何数据。

I know this is not the answer to the question you asked but since you tagged this beginner I would just like to say, you cannot trust any data from users.

一旦你打开网站就冒了sql注入和xss攻击的风险。

As soon as you do you open your site to the risk of sql injections and xss attacks.

您需要验证所有输入并逃脱来自用户的所有输出。

You need to validate all input and escape all output that comes from a user.

如果使用引号和其他sql字符,在sql中使用来自用户的未经过处理的数据可能会无意中破坏sql语句。但更重要的是,它可能会导致sql注入非常错误的东西,比如删除表和管理帐户。

Using unsanitized data from the user in your sql could unintentionally break the sql statement if quotes and other sql characters are used. But more importantly it could result in sql injection with very bad things like tables being dropped and admin accounts being comprised.

看看类型转换验证和清理变量并使用 PDO 和准备好的陈述。如果您无法使用 PDO ,请使用 pg_escape_string

Look at typecasting, validating and sanitizing variables and using PDO with prepared statements. If PDO is not available to you use pg_escape_string.

逃避输出可能导致攻击者将代码插入您的站点(xss),例如可能允许他们窃取您和您的用户的密码和cookie。他们还可以使用隐藏的垃圾邮件链接填充您的网站,如果谷歌首先发现该网站将被列入黑名单。

Not escaping the output could result in an attacker inserting code into your site (xss) which for example could allow them to steal passwords and cookies from you and your users. They could also fill your site you with hidden spam links, if google finds out first the site will be blacklisted.

这篇关于要理解PHP的include -command的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
PHP最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆