0

我通过会话传递用户变量。它在 localhost 上运行良好,但一旦在 Web 服务器上它会做一些奇怪的事情。

登录后,会话变量正常工作......直到您单击大约三个页面,它突然变得POOF!

注意“ Welcome, jordan.”而不是“ Welcome, .”也是左上角。

会话功能:http: //imageshack.us/photo/my-images/32/loggedins.png/

会议 POOF! http://imageshack.us/photo/my-images/515/loggedinno.png/

登录/创建会话变量代码:

<?php
        include_once 'gtheader.php';
        if (!isset($_SESSION['user']))
        {
        if (isset($_POST['user']))
        {
        $user = sanitizeString($_POST['user']);
        $pass = sanitizeString($_POST['pass']);
        if (preg_match($txtMatch,$user))
        {
        if ($user == "" || $pass == "")
        {
        $error = "Please enter all required fields";
        }
        else
        {
        $query = "SELECT * FROM gtmembers WHERE user='$user'";
        $result = queryMysql($query);
        $rank = mysql_result($result, 0, 'rank');
        if (!mysql_num_rows($result))
        {
        $error = "Username does not exist.";
        }
        else
        {
        $getPass = mysql_result($result, 0, 'pass');
        $salt = substr($getPass, 0, 64);
        $hash = $salt . $pass;
        for ($i = 0; $i < 100000; $i++) 
        {
        $hash = hash('sha256', $hash);
        }
        $hash = $salt . $hash;
        if ($hash == $getPass)
        {
        if ($rank != "Banned")
        {
        $userLow = strtolower($user);
        $_SESSION['user'] = $userLow;
        $_SESSION['rank'] = $rank;
        echo <<<_END
        <script type="text/javascript">
        window.location.href='index.php';
        </script>
        _END;
        echo "Successfully logged in. Click <a href='index.php'>here</a> to continue.";
        }

标头代码:

        <?php //gtheader.php
        session_start();
        include_once 'gtfunctions.php';
        $loggedIn = FALSE;

        if (isset($_SESSION['user']))
        {
        $user = $_SESSION['user'];
        if ($user) echo "Current User: $user<br />";
        else echo "Current User: None<br />";
        $rank = $_SESSION['rank'];
        $loggedIn = TRUE;
        echo "is set SESSION['user']? Yes";
        }
        else echo "is set SESSION['user']? No";

        echo "<div id='header'><a class='header' href='index.php'> <h1 id='headerTitle'>$appname</h1></a>";
        if ($loggedIn == TRUE)
        {
        $query = "SELECT * FROM gtmessages WHERE recip='$user' AND status='0'";
        $result = queryMysql($query);
        if (mysql_num_rows($result) == 0) $num = "";
        else $num = "[".mysql_num_rows($result)."]";
        if ($rank == 'Owner' || $rank == 'Admin')
        {
        echo "Welcome, <a class='header' href='gtmembers.php?view=$user'>$user</a><a     class='header' href='gtmessage.php'>$num</a>. [<a class='header'     href='gtlogout.php'>Logout</a>] | <a class='header' href='gtadmin.php'>Admin</a><br />";
        }
        else
        {
        echo "Welcome, <a class='header' href='gtmembers.php?view=$user'>$user</a><a     class='header' href='gtmessage.php'>$num</a>. [<a class='header'     href='gtlogout.php'>Logout</a>]<br />";
        }
        }
?>
4

1 回答 1

1

即使数组为空,isset()也会为数组返回 true。

您应该改用!empty()

更新 还要确保将服务器配置为以相同的方式存储变量。

更新 2

    <?php
            error_reporting(E_ALL);
            ini_set("display_errors", 1); 
    include_once 'gtheader.php';
    if (empty($_SESSION['user'])){
        if (!empty($_POST['user'])){
            $user = sanitizeString($_POST['user']);
            $pass = sanitizeString($_POST['pass']);
            if (preg_match($txtMatch,$user)){
                if (empty($user) || empty($pass)){
                    $error = "Please enter all required fields";
                }else{
                    $query = "SELECT * FROM gtmembers WHERE user='".mysql_real_escape_string($user)."'";
                    $result = queryMysql($query);
                    $rank = mysql_result($result, 0, 'rank');
                }
            }
            if (!mysql_num_rows($result)){
                $error = "Username does not exist.";
            }else{
                $getPass = mysql_result($result, 0, 'pass');
                $salt = substr($getPass, 0, 64);
                $hash = $salt . $pass;
                for ($i = 0; $i < 100000; $i++){
                    $hash = hash('sha256', $hash);
                }
                $hash = $salt . $hash;
                if ($hash == $getPass){
                    if ($rank !== "Banned"){
                        $userLow = strtolower($user);
                        $_SESSION['user'] = $userLow;
                        $_SESSION['rank'] = $rank;
                        echo "<script type=\"text/javascript\">window.location.href='index.php';</script>";
                        echo "Successfully logged in. Click <a href='index.php'>here</a> to continue.";
                    }
                }
            }
        }
    }
    ?>

gtheader.php

    <?php //gtheader.php
    session_start();
            error_reporting(E_ALL);
            ini_set("display_errors", 1); 

            include_once 'gtfunctions.php';
            $loggedIn = FALSE;

            if(session_id() == "")
            {   session_start(); } 

            if(empty($_REQUEST['PHPSESSID'])){
                $session_id = session_id();
            } else {
                $session_id = $_REQUEST['PHPSESSID'];   
            }

            if (!empty($_SESSION['user'])){

                //This is not safe at all. Someone could change the user to %
                $user = $_SESSION['user'];

                    echo "Current User: $user<br />";
                //This is not safe either. Someone could change their rank to Admin.
                $rank = $_SESSION['rank'];

                $loggedIn = TRUE;
                echo "is set SESSION['user']? Yes";
            } else {
             $user = '';
             $rank = '';
             echo "is set SESSION['user']? No";
            }

            echo "<div id='header'><a class='header' href='index.php'> <h1 id='headerTitle'>$appname</h1></a>";
            if ($loggedIn == TRUE){
            //without filtering, someone could set the user to % which would return everyone from the DB.       
            $query = "SELECT * FROM gtmessages WHERE recip='".mysql_real_escape_string($user)."' AND status='0'";
            //This is not a standard function so we're assuming it's set in gtfunctions.php
            $result = queryMysql($query);
            //Here you're only checking if this is set, not how many
            if (empty(mysql_num_rows($result))){
                 $num = "";} else {
                     //If they trick your SQL statement into returning more than one...
                     $num = "[".mysql_num_rows($result)."]";
                 }
            if ($rank == 'Owner' || $rank == 'Admin')
            {
            echo "Welcome, <a class='header' href='gtmembers.php?view=$user'>$user</a><a class='header' href='gtmessage.php'>$num</a>. [<a class='header' href='gtlogout.php'>Logout</a>] | <a class='header' href='gtadmin.php'>Admin</a><br />";
            } else {
            echo "Welcome, <a class='header' href='gtmembers.php?view=$user'>$user</a><a     class='header' href='gtmessage.php'>$num</a>. [<a class='header'     href='gtlogout.php'>Logout</a>]<br />";
            }
       }
    ?>

您需要在 Firefox 中使用 Firebug 之类的东西来检查标头并查看它是否将 cookie 传递给您进行会话,或者会话是否仅存储在服务器端。此外,如果会话是通过 GET 变量传递的。

对用户提供的信息(如会话)存在很多盲目信任。有人可能会劫持会话或欺骗更高的用户名或等级。代码中没有检查用户等级是否设置正确。

我清理了 gtheader 下的一些 SQL 内容。再次对直接传递给 SQL 的东西盲目信任。如果执行查询的 SQL 用户对表具有写入权限,那么您可能会受到注入攻击。

于 2013-03-23T01:09:04.737 回答