strange PDO behaviour


Question

After some hours I have to post this question even if the answer may be obvious to someone else.

The problem is that I want to test for the tokens, but even when I hardcode this, I still get INVALID. And I know it has to be right, because I tested it in PHPADMIN directly. What's odd is that it always passes the first time (without being hardcoded), but after that it is useless? The tokens are retrieved from a cookie.

public function findTriplet($credential, $token, $persistentToken) {
    // values hardcoded while debugging
    $token = "459078a3b05ce938ed58f9678ac78f1agcgfsewe4";
    $persistentToken = "24d317b742da89ddf5b8ed50993d0f3cgcgfsewe4";
    $credential = "34";
    $q = "SELECT IF(SHA1(?) = {$this->tokenColumn}, 1, -1) AS token_match " .
         "FROM {$this->tableName} WHERE {$this->credentialColumn} = ? " .
         "AND {$this->persistentTokenColumn} = SHA1(?) LIMIT 1 ";
    $query = $this->db->prepare($q);
    $query->execute(array($token, $credential, $persistentToken));
    $result = $query->fetchColumn();

    if (!$result) {
        return self::TRIPLET_NOT_FOUND;
    } else if ($result == 1) {
        return self::TRIPLET_FOUND;
    } else {
        return self::TRIPLET_INVALID;
    }
}

Edit

The limit clause always catches the first row it finds, therefore I always get a mismatch. Now I have to fix this.

The solution was simple. Delete the entry that was just validated before inserting a new row with the newly generated token. The new row should contain the SAME persistenceToken you just validated against. REMEMBER, this will still be UNSECURE, so set a FLAG on the server side that this was a cookie login, and require a REAL LOGIN for handling important data.

Recommended answer

I think your if checks are in the wrong order:

    if (!$result) {
        return self::TRIPLET_NOT_FOUND;
    } elseif ($result == 1) {
        return self::TRIPLET_FOUND;
    } else {
        return self::TRIPLET_INVALID;
    }

In the SQL, 1 means found, -1 means not found, and anything else would be invalid. But in the PHP, a -1 would fall into the else clause and return self::TRIPLET_INVALID, whereas an invalid result would fall into if(!$result) and return self::TRIPLET_NOT_FOUND.
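The rotation procedure from the question's edit (delete the validated row, insert a fresh token under the same persistent token, flag the session as a cookie login) and the three-way result mapping discussed in the answer, as one added example that is neither the asker's code nor the answer's. It runs PDO against an in-memory SQLite table; the table name remember_me, its column names, the hashToken helper and the use of SHA-256 instead of the page's SQL SHA1() are assumptions. Looking up the exact triplet first, instead of `LIMIT 1` on credential and series, is what removes the mismatch the asker hit when a user has several remembered rows.

```php
<?php
// Added example, not the asker's code. Remember-me "triplet" lookup and rotation
// with PDO on an in-memory SQLite database; table and column names are assumptions.
declare(strict_types=1);

const TRIPLET_FOUND     = 1;
const TRIPLET_INVALID   = -1;
const TRIPLET_NOT_FOUND = 0;

// Hash in PHP rather than in SQL: the database only ever stores and compares digests,
// and the queries work on any engine (SQLite has no SHA1() or IF() built in).
function hashToken(string $token): string
{
    return hash('sha256', $token);
}

// Look for the exact triplet first, so a user with several remembered sessions
// (several rows sharing credential and persistent token) never hits the wrong row.
function findTriplet(PDO $db, string $credential, string $token, string $persistentToken): int
{
    $exact = $db->prepare(
        'SELECT COUNT(*) FROM remember_me WHERE credential = ? AND token = ? AND persistent_token = ?'
    );
    $exact->execute([$credential, hashToken($token), hashToken($persistentToken)]);
    if ((int) $exact->fetchColumn() > 0) {
        return TRIPLET_FOUND;
    }
    // Series is known but the token is wrong: an already-rotated token was presented again.
    $series = $db->prepare(
        'SELECT COUNT(*) FROM remember_me WHERE credential = ? AND persistent_token = ?'
    );
    $series->execute([$credential, hashToken($persistentToken)]);
    return (int) $series->fetchColumn() > 0 ? TRIPLET_INVALID : TRIPLET_NOT_FOUND;
}

// Rotation as described in the edit: delete the row that was just validated and
// insert a fresh token under the SAME persistent token, inside one transaction.
function rotateTriplet(PDO $db, string $credential, string $oldToken, string $persistentToken): string
{
    $newToken = bin2hex(random_bytes(16));
    $db->beginTransaction();
    $db->prepare('DELETE FROM remember_me WHERE credential = ? AND token = ? AND persistent_token = ?')
       ->execute([$credential, hashToken($oldToken), hashToken($persistentToken)]);
    $db->prepare('INSERT INTO remember_me (credential, token, persistent_token) VALUES (?, ?, ?)')
       ->execute([$credential, hashToken($newToken), hashToken($persistentToken)]);
    $db->commit();
    return $newToken;
}

// An INVALID result means a stale token was replayed for a live series; drop the whole series.
function invalidateSeries(PDO $db, string $credential, string $persistentToken): int
{
    $del = $db->prepare('DELETE FROM remember_me WHERE credential = ? AND persistent_token = ?');
    $del->execute([$credential, hashToken($persistentToken)]);
    return $del->rowCount();
}

// --- demo on constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_me (credential TEXT NOT NULL, token TEXT NOT NULL, persistent_token TEXT NOT NULL)');

$credential = '34';                          // constructed sample credential
$persistent = bin2hex(random_bytes(16));     // series identifier, kept across rotations
$token      = bin2hex(random_bytes(16));     // per-use token, replaced on every successful check
$db->prepare('INSERT INTO remember_me VALUES (?, ?, ?)')
   ->execute([$credential, hashToken($token), hashToken($persistent)]);

$cookieLogin = false;                        // the server-side flag from the edit
$result = findTriplet($db, $credential, $token, $persistent);
echo "first check: $result\n";
if ($result === TRIPLET_FOUND) {
    $token = rotateTriplet($db, $credential, $token, $persistent);
    $cookieLogin = true;                     // weaker than a real login; gate sensitive actions on it
}
echo "rotated token: ", findTriplet($db, $credential, $token, $persistent), "\n";
echo "stale token:   ", findTriplet($db, $credential, 'stale-token', $persistent), "\n";
echo "unknown user:  ", findTriplet($db, '99', $token, $persistent), "\n";
echo "purged rows:   ", invalidateSeries($db, $credential, $persistent), "\n";
```

Run it with the PDO SQLite driver enabled. The sequence shows the three outcomes the answer distinguishes: the freshly issued and the rotated token both resolve to FOUND, a stale token for a known series resolves to INVALID, and an unknown credential resolves to NOT_FOUND. Hashing in PHP also means the plaintext tokens never travel to the database as query arguments.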
