在一个实习中,我正在跟着一本关于为购物车进行高级PHP安全会话的非常好的教程,这将为用户提供个人级别的定价(无论如何,这是目标)。
这是教程:
http://tutorial-resource.com/2011/10/a-secure-session-management-class-in-php/
首先,我创建了一个原始登录,用于检查基于Quickbooks客户ID的现有客户,以用于测试此会话。真正的交易使用注册,登录和密码。然后我做了一个登录检查器,在mysql数据库中查找用户,并在找到时检索需要与用户一页接一页的用户数据列。 (我承诺我会进一步防止SQL注入后,我得到这个工作。)我添加了一些额外的字段存储在SessionData中。
include "class.session.php";
if(empty($_POST['customer_id']))
{
$this->HandleError("Customer ID is empty!");
return false;
}
$customer_id = trim($_POST['customer_id']);
$dbuser = "CENSORED";
$dbpass = "CENSORED";
$host = "localhost";
$dbname = "CENSORED";
// database connection
mysql_connect("localhost", $dbuser, $dbpass) or die(mysql_error());
mysql_select_db($dbname) or die("Unable to select database");
//This query grabs all the puchases going back up to three months
//This debug line displays the query
$query = "SELECT * FROM customers";
echo $query."
";
$found = 0;
$result = mysql_query($query);
while($row=mysql_fetch_array($result))
{
//Grab the database pieces the customer will need throughout the page.
echo "Checking customer number ".$row['customer_id']."
";
if ($row['customer_id'] == $customer_id)
{
$found = 1;
break;
}
}
//-create while loop and loop through result set
if ($found == 0)
{
echo 'Wrong customer number';
}
while($row=mysql_fetch_array($result))
{
//Grab the database pieces the customer will need throughout the page.
$customer_id = $row['customer_id'];
$first_name = $row['first_name'];
$last_name = $row['last_name'];
$first_name = $row['price_level'];
}
//Give the user a session.
$sessions = new sessionsClass;
$sessions->_sessionStart();
$sessionInfo = $sessions->sessionCheck();
if( $sessionInfo = false )
{
# This session is invalid. Tell the user.
}
else
{
# Update the name.
$sessionInfo->sessionData['customer_id'] = $customer_id;
$sessionInfo->sessionData['company_name'] = $company_name;
$sessionInfo->sessionData['first_name'] = $first_name;
$sessionInfo->sessionData['last_name'] = $last_name;
$sessionInfo->sessionData['price_level'] = $price_level;
$sessionInfo->setSessionData();
# Session is valid, can use the data.
echo "Your name is ".$sessionInfo->sessionData['first_name']." ".$sessionInfo->sessionData['last_name']."
";
}
?>成功登录后,我在error_log中看到一个错误
“明确函数存在时,调用未定义方法stdClass :: setSessionData()”,直接从教程中获得:
$ sessionInfo-> setSessionData();
为什么登录无法将setSessionData识别为未定义的方法而不是函数?
我不完全理解的一个线索是,它将setSessionData作为“未定义的方法stdClass”而不是“未定义的函数”。该函数与教程非常相似,只是它连接到我的db:
public function setSessionData()
{
$dbuser = "CENSORED";
$dbpass = "CENSORED";
$host = "localhost";
$dbname = "CENSORED";
// database connection
mysql_connect("localhost", $dbuser, $dbpass) or die(mysql_error());
mysql_select_db($dbname) or die("Unable to select database");
//Encrypt the data.
$serialiseData = serialize( $this->sessionData );
//Update the session data.
mysql_query( "UPDATE sessions SET sessionData = '{$serialiseData}' WHERE sessionHash = '{$this->sessionHash}'" );
}我的最后一个问题是,每个单独的页面都需要什么来安全地区分普通用户和登录用户,而不管网页是什么?是这样的吗?
if (sessionCheck == false)
{show ordinary stuff}
else if (sessionCheck == return true)
{show personalized stuff}编辑本教程似乎有一些问题毕竟。例如,接近教程的结尾。
# Session is valid, can use the data.
echo "Your name is " . $sessionInfo->sessionData['fullname'];
# Update the name.
$sessionInfo->sessionData['fullname'] = "My New name";
$sessionInfo->setSessionData();
}这是错误的,因为sessionInfo是一个布尔值,意味着返回true为false。相反,我用这个替换了它
$sessions->sessionData['customer_id'] = $customer_id;
$sessions->sessionData['company_name'] = $company_name;
$sessions->sessionData['first_name'] = $first_name;
$sessions->sessionData['last_name'] = $last_name;
$sessions->sessionData['price_level'] = $price_level;
$sessions->setSessionData();但是这仍然没有成功。另外,本教程还创建了一个完整的MySQL数据库,但是在课程或教程中的任何地方都不会发生单个INSERT。已有会话的UPDATE查询功能在那里,但没有创建新功能的功能。我可以添加什么来让数据库成功创建会话?