strange PDO behaviour
Question
After some hours I have to post this question, even if the answer may be obvious to someone else.
The problem is that I want to test for the tokens, but even when I hardcode this, I still get INVALID. And I know it has to be right, because I tested it in PHPADMIN directly. What's odd is that it always passes the first time (without being hardcoded), but after that it is useless. The tokens are retrieved from a cookie.
public function findTriplet($credential, $token, $persistentToken) {
    // Values hardcoded for debugging: they are known to exist in the table
    $token = "459078a3b05ce938ed58f9678ac78f1agcgfsewe4";
    $persistentToken = "24d317b742da89ddf5b8ed50993d0f3cgcgfsewe4";
    $credential = "34";

    // Filter on credential and persistent token, decide the token match in the SELECT;
    // LIMIT 1 returns whichever matching row the database happens to pick first
    $q = "SELECT IF(SHA1(?) = {$this->tokenColumn}, 1, -1) AS token_match " .
         "FROM {$this->tableName} WHERE {$this->credentialColumn} = ? " .
         "AND {$this->persistentTokenColumn} = SHA1(?) LIMIT 1 ";
    $query = $this->db->prepare($q);
    $query->execute(array($token, $credential, $persistentToken));
    $result = $query->fetchColumn();   // false when no row matched, otherwise 1 or -1

    if (!$result) {
        return self::TRIPLET_NOT_FOUND;
    } else if ($result == 1) {
        return self::TRIPLET_FOUND;
    } else {
        return self::TRIPLET_INVALID;
    }
}
Edit
The LIMIT clause always catches the first row it finds, therefore I always get a mismatch. Now I have to fix this.
The solution was simple. Delete the entry that was just validated before inserting a new row with the newly generated token. The new row should contain the SAME persistentToken you just validated against. REMEMBER, this will still be INSECURE, so set a FLAG on the server side that this was a cookie login, and require a REAL LOGIN for handling important data.
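The failure mode described in the edit, reproduced as an added example (not the original poster's code) on an in-memory SQLite database: the same query shape as findTriplet is run against a table that accumulates one row per cookie login. Because the WHERE clause filters only on credential and persistent token, a second login finds two candidate rows, LIMIT 1 picks the stale one, and the token comparison inside the SELECT yields -1 (INVALID). Rotating by deleting the validated row before inserting the new token keeps the lookup unambiguous. Assumptions: a table named persistent_logins with columns credential, token, persistent_token, a SHA1() function registered from Python (MySQL has it built in, SQLite does not), and MySQL's IF(cond, 1, -1) written as a CASE expression that both databases accept.

```python
"""Persistent-login triplet lookup: why LIMIT 1 fails once stale rows pile up.

Added example; assumes a persistent_logins(credential, token,
persistent_token) table storing SHA1 hex digests.
"""
import hashlib
import secrets
import sqlite3

TRIPLET_FOUND = "FOUND"          # credential, token and persistent token all match
TRIPLET_INVALID = "INVALID"      # persistent token matches, token does not
TRIPLET_NOT_FOUND = "NOT_FOUND"  # no row for this credential + persistent token


def sha1_hex(value: str) -> str:
    return hashlib.sha1(value.encode()).hexdigest()


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.create_function("SHA1", 1, sha1_hex)  # stand-in for MySQL's SHA1()
    conn.execute(
        "CREATE TABLE persistent_logins ("
        " credential TEXT NOT NULL, token TEXT NOT NULL,"
        " persistent_token TEXT NOT NULL)"
    )
    return conn


def find_triplet(conn, credential, token, persistent_token):
    """Same query shape as the question: WHERE narrows on credential and
    persistent token only; whether the token matches is decided in the SELECT."""
    row = conn.execute(
        "SELECT CASE WHEN SHA1(?) = token THEN 1 ELSE -1 END AS token_match"
        " FROM persistent_logins"
        " WHERE credential = ? AND persistent_token = SHA1(?) LIMIT 1",
        (token, credential, persistent_token),
    ).fetchone()
    if row is None:
        return TRIPLET_NOT_FOUND
    return TRIPLET_FOUND if row[0] == 1 else TRIPLET_INVALID


def store_triplet(conn, credential, token, persistent_token):
    conn.execute(
        "INSERT INTO persistent_logins VALUES (?, SHA1(?), SHA1(?))",
        (credential, token, persistent_token),
    )


def rotate_token_buggy(conn, credential, token, persistent_token):
    """Insert the fresh token but keep the validated row: two rows now share
    the persistent token, and LIMIT 1 returns the old one next time."""
    new_token = secrets.token_hex(20)
    store_triplet(conn, credential, new_token, persistent_token)
    return new_token


def rotate_token_fixed(conn, credential, token, persistent_token):
    """The fix from the edit: delete the row just validated, then insert the
    new token under the SAME persistent token."""
    conn.execute(
        "DELETE FROM persistent_logins WHERE credential = ?"
        " AND token = SHA1(?) AND persistent_token = SHA1(?)",
        (credential, token, persistent_token),
    )
    new_token = secrets.token_hex(20)
    store_triplet(conn, credential, new_token, persistent_token)
    return new_token


def cookie_login(conn, credential, token, persistent_token, rotate):
    """One cookie login: validate the triplet, rotate the token on success.
    Returns (status, new_token); new_token is None when the login failed."""
    status = find_triplet(conn, credential, token, persistent_token)
    if status != TRIPLET_FOUND:
        return status, None
    return status, rotate(conn, credential, token, persistent_token)


def simulate(rotate, logins=3):
    """Perform successive cookie logins with the given rotation strategy and
    return the list of statuses observed (stops at the first failure)."""
    conn = open_db()
    credential, persistent = "34", secrets.token_hex(20)  # constructed sample user
    token = secrets.token_hex(20)
    store_triplet(conn, credential, token, persistent)
    statuses = []
    for _ in range(logins):
        status, token = cookie_login(conn, credential, token, persistent, rotate)
        statuses.append(status)
        if token is None:
            break
    return statuses


if __name__ == "__main__":
    print("insert-only rotation:", simulate(rotate_token_buggy))   # ['FOUND', 'INVALID']
    print("delete-then-insert :", simulate(rotate_token_fixed))    # ['FOUND', 'FOUND', 'FOUND']
```

With insert-only rotation the first login passes and every later one reports INVALID, exactly the symptom in the question, even though the presented token is in the table. The fixed rotation keeps one row per (credential, persistent token), so the -1 branch is left to mean what it should: a correct persistent token presented with a wrong one-time token. As the edit says, a login that succeeds this way should still be flagged server-side as a cookie login and not be trusted for sensitive actions.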
Answer
I think your if checks are in the wrong order:
if (!$result) {
    return self::TRIPLET_NOT_FOUND;
} elseif ($result == 1) {
    return self::TRIPLET_FOUND;
} else {
    return self::TRIPLET_INVALID;
}
In the SQL, 1 means found, -1 means not found, and anything else would be invalid. But in the PHP, a -1 would fall into the else clause and return self::TRIPLET_INVALID, whereas an invalid result would fall into if(!$result) and return self::TRIPLET_NOT_FOUND.