带有我的 $_SESSION 数据的 PHP __PHP_Incomplete_Class 对象 [英] PHP __PHP_Incomplete_Class Object with my $_SESSION data
问题描述
我有一个站点设置,在页面加载时,将所有用户提交的字符串转换为 SafeString 对象.对于那些不熟悉 SafeString 的人来说,它基本上会强制用户回显经过消毒的数据,以防止 XSS 之类的......
I've got a site setup that, on page load, turns all user submitted strings into SafeString objects. For those unfamiliar with SafeString, it basically forces the user to echo out sanitized data preventing XSS and whatnot..
总之,有问题.我的 $_SESSION 数组被 __PHP_Incomplete_Class Object 填充.据我所知,这是因为没有在会话之前初始化类,然后在会话中存储类对象.
Anyways, there's a problem. My $_SESSION array is being filled with __PHP_Incomplete_Class Object. From what I've read, this is due to not initializing the class before the session and then storing class objects in the session.
这是我的代码:
require_once __WEBROOT__ . '/includes/safestring.class.php';
$temp = array
(
&$_SERVER, &$_GET, &$_POST, &$_COOKIE,
&$_SESSION, &$_ENV, &$_REQUEST, &$_FILES,
&$HTTP_SERVER_VARS, &$HTTP_GET_VARS,
&$HTTP_POST_VARS, &$HTTP_COOKIE_VARS,
&$HTTP_POST_FILES, &$HTTP_ENV_VARS
);
function StringsToSafeString(&$array)
{
foreach ($array as $key => $value)
{
if (is_string($array[$key]))
{
$array[$key] = new SafeString($value);
}
if (is_array($array[$key]))
{
StringsToSafeString($array[$key]);
}
}
}
StringsToSafeString($temp);
unset($temp);
我想不出重写这个来解决问题的方法:/
I can't think of a way to rewrite this which would solve the problem :/
有什么想法吗?
推荐答案
当您访问 $_SESSION 时,您不仅会更改从会话中读取的当前脚本的数据副本,您正在将 SafeString 对象写回到活动会话中.
When you're accessing $_SESSION, you're not just changing the current script's copy of the data read from the session, you're writing SafeString objects back into the active session.
但是在会话中放置自定义对象是狡猾的,我通常会尽量避免这种情况.为了能够做到这一点,你必须在调用 session_start 之前定义有问题的类;如果不这样做,PHP 的会话处理程序将不知道如何反序列化该类的实例,并且最终会得到 __PHP_Incomplete_Class 对象.
But putting custom objects in the session is dodgy and something I would generally try to avoid. To be able to do it you have to have defined the class in question before calling session_start; if you don't, PHP's session handler won't know how to deserialise the instances of that class, and you'll end up with the __PHP_Incomplete_Class Object.
因此请避免破坏会话.如果您必须采用这种方法,请将 $_SESSION 中的数据复制到本地 $mysession 数组中.但是,我不得不说,我认为 SafeString 的整个想法是危险且行不通的;我认为这种方法永远不会是无懈可击的.一串原始文本是否安全"与它的来源无关,它取决于您如何为目标上下文对其进行编码.
So avoid frobbing the session. If you must take this approach, make a copy of the data from $_SESSION into a local $mysession array. However, I have to say I think the whole idea of a SafeString is dangerous and unworkable; I don't think this approach is ever going to be watertight. Whether a string of raw text is ‘safe’ is nothing to do with where it came from, it is a property of how you encode it for the target context.
如果您从不同的来源(例如数据库或文件)获取另一个文本字符串,或者在脚本本身中计算,则它需要与来自用户的字符串完全相同的处理:它需要是 htmlspecialchars编辑.无论如何,您将不得不编写该逃逸;安全字符串对您一无所获.如果您需要将字符串发送到不同的目标格式,则需要不同的转义.
If you get another text string from a different source such as the database, or a file, or calculated within the script itself, it needs exactly the same handling as a string that came from the user: it needs to be htmlspecialcharsed. You're going to have to write that escape anyway; the safestring gains you nothing. If you need to send the string to a different destination format, you would need a different escape.
你不可能把所有的字符串处理问题都封装在一个方便的盒子里,然后再也不去想它们;这不是字符串的工作方式.
You cannot encapsulate all string processing problems into one handy box and never think about them again; that's just not how strings work.
这篇关于带有我的 $_SESSION 数据的 PHP __PHP_Incomplete_Class 对象的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
