PHP - When is the read() function of session_set_save_handler() called?

I'm developing a session management class that involves login and MySQL. The PHP documentation says that the read() method is called when session_start() is called or when a session starts automatically. When does it "start automatically"? What is the difference between the open() method and the read() method?

I have this code snippet, in case it helps, and want to know where session_start() belongs, or whether it is already in the right place. (The code as a whole is not working the way I want: the session is reset every time, and I don't know why.)
public function __construct($conn) {
    $this->conn = $conn;
    # Set up the handler
    session_set_save_handler(
        array($this, '_session_open_method'),
        array($this, '_session_close_method'),
        array($this, '_session_read_method'),
        array($this, '_session_write_method'),
        array($this, '_session_destroy_method'),
        array($this, '_session_gc_method')
    );
    # Check the cookie passed - if one is - if it looks wrong we'll
    # scrub it right away
    $strUserAgent = $_SERVER["HTTP_USER_AGENT"];
    if (isset($_COOKIE["PHPSESSID"])) {
        # Security and age check
        $this->php_session_id = $_COOKIE["PHPSESSID"];
        #$stmt = "select id from http_session where ascii_session_id = '" . $this->php_session_id . "' AND ((now() - created) < " . $strUserAgent .$this->session_lifespan . " seconds) AND user_agent='" . "' AND ((now() - last_impression) <= '".$this->session_timeout." seconds' OR last_impression IS NULL)";
        #$stmt = "SELECT id FROM http_session WHERE ascii_session_id = '" . $this->php_session_id . "' AND ((now() - created) < '" ./*$strUserAgent .*/$this->session_lifespan . "') AND user_agent = '" . $strUserAgent . "' AND ((now() - last_impression) <= '".$this->session_timeout . "' OR last_impression IS NULL)";
        $stmt = "SELECT id FROM http_session WHERE ascii_session_id = '" . $this->php_session_id . "' AND ((now() - created) < " ./*$strUserAgent .*/$this->session_lifespan . ") AND user_agent = '" . $strUserAgent . "' AND ((now() - last_impression) <= ".$this->session_timeout . " OR last_impression IS NULL)";
        //echo $stmt;
        $result = $this->conn->query($stmt);
        if (!$result->fetchColumn()) {
            # Set failed flag
            $failed = 1;
            # Delete from database - we do garbage cleanup at the same time
            $maxlifetime = $this->session_lifespan;
            $result = $this->conn->query("DELETE FROM http_session WHERE (ascii_session_id = '" . $this->php_session_id . "') OR (now() - created > '$maxlifetime seconds')");
            #print '<br/>';
            #var_dump($result->rowCount());
            # Clean up stray session variables
            //$result = $this->conn->query("DELETE FROM session_variable WHERE session_id NOT IN (SELECT id FROM http_session)");
            # Get rid of this one... this will force PHP to give us another
            unset($_COOKIE["PHPSESSID"]);
        }
    }
    # Call the session_start method to get things started
    # Set the life time for the cookie
    session_set_cookie_params($this->session_lifespan);
    session_start();
}
Thanks in advance!

EDIT:
Yes, I know that SQL injection is possible via the session identifier, but that is not my focus right now. Thanks Loz!
This code actually comes from a book, Professional PHP6.
Did you know that '$_SERVER["HTTP_USER_AGENT"]' can be set to an SQL injection value? –
Make sure you consider concurrency when writing your own session handler. – goat
@rambo How and why so? Why? – jasonszhao
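As an added illustration (not code from the question, the book, or any of the commenters): a minimal save handler that records the order in which PHP invokes its callbacks, so the open()/read() question can be checked empirically. Running it shows that session_start() calls open() and then immediately read() for the id taken from the cookie (or a freshly generated one), and that write() followed by close() run at session_write_close() or script shutdown; "automatic start" refers to the session.auto_start ini setting, which simply runs the same sequence before the script begins. It assumes PHP 8 (for the typed signatures) and stores data in an in-memory array instead of MySQL; the TracingHandler name is hypothetical.

```php
<?php
// Added example: a save handler that records the order in which PHP calls it.
// Storage is an in-memory array, not MySQL; requires PHP 8 for the signatures.
final class TracingHandler implements SessionHandlerInterface
{
    public static array $calls = [];  // callback names in the order PHP invoked them
    private array $store = [];        // session id => serialized $_SESSION data
    public function open(string $path, string $name): bool
    {
        self::$calls[] = 'open';      // connect to / prepare the storage backend
        return true;
    }
    public function read(string $id): string|false
    {
        self::$calls[] = "read($id)"; // load this id's data; '' means a fresh session
        // A MySQL handler would SELECT ... FOR UPDATE here so that two concurrent
        // requests for the same id cannot overwrite each other's write().
        return $this->store[$id] ?? '';
    }
    public function write(string $id, string $data): bool
    {
        self::$calls[] = "write($id)";
        $this->store[$id] = $data;
        return true;
    }
    public function close(): bool
    {
        self::$calls[] = 'close';
        return true;
    }
    public function destroy(string $id): bool
    {
        self::$calls[] = "destroy($id)";
        unset($this->store[$id]);
        return true;
    }
    public function gc(int $max_lifetime): int|false
    {
        self::$calls[] = 'gc';        // only runs when the probabilistic gc fires
        return 0;
    }
}

session_set_save_handler(new TracingHandler(), true); // register before session_start()
session_start();                   // -> open(), then read(<id from the cookie or a new id>)
$_SESSION['user'] = 'alice';
session_regenerate_id(true);       // the safe way to force a new id; old id goes to destroy()
session_write_close();             // -> write(<id>), then close()
echo implode(' -> ', TracingHandler::$calls), PHP_EOL;
```

session_regenerate_id() replaces the question's unset($_COOKIE["PHPSESSID"]) trick: it issues a new id through the handler itself, so the check that decides a cookie "looks wrong" can live in read() rather than before session_start().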