Are sessions and cookies usually considered input?
I consider $_GET and $_POST to be input in a web application written in PHP. That's because they contain values that the user can define and that "come" along with the HTTP request. But are sessions and cookies the same?
This question came to me when I was reading the Italian Wikipedia page on PHP, which says that common inputs are $_GET, $_POST and $_SESSION.
If by input you mean "all the things coming in the request" (so, things that need validation, etc.), you should include:
- $_POST
- $_GET
- $_COOKIE
- $_SERVER["REQUEST_URI"]
- $_SERVER["REQUEST_METHOD"]
- $_SERVER["HTTP_*"]
The session is a special case since all the session variables are stored on the server side, i.e. the user cannot modify them as they would with cookies. Anyway, a single cookie is saved on the client side to store the session ID, which can be reset / set to a custom value by the user.
Update - about $_REQUEST
As pointed out, in PHP you also have access to $_REQUEST, which is a mix of variables from $_GET, $_POST and $_COOKIE. The exact content of $_REQUEST is determined by the request_order directive in php.ini.
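The answer above points out that the one client-controlled piece of the session machinery is the session-ID cookie. The following is an added example, not code from the answer or from PHP's documentation, showing how to treat that cookie as input: reject IDs the server never issued (session.use_strict_mode), refuse IDs passed in the URL, pin down the cookie flags, and rotate the ID on login. It assumes PHP 7.3 or later (array form of session_set_cookie_params), the default cookie name PHPSESSID, and a site served over HTTPS.

```php
<?php
// Added example (not the answer's own code): harden how the session ID,
// the only session-related value the client can set, is accepted.
// Assumptions: PHP >= 7.3, default session name "PHPSESSID", HTTPS in use.

declare(strict_types=1);

function start_hardened_session(): void
{
    // Discard session IDs the server did not generate: with strict mode an
    // uninitialized ID from the client is dropped and a fresh one is issued,
    // so an attacker cannot pre-choose the ID a victim will end up using.
    ini_set('session.use_strict_mode', '1');
    // Accept the ID only from the cookie, never from ?PHPSESSID=... in the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,    // assumption: HTTPS only
        'httponly' => true,    // keep the ID away from page scripts
        'samesite' => 'Lax',
    ]);

    session_start();
}

// Call after a successful login or any privilege change. A new ID is issued
// and the old one deleted, so an ID planted before authentication no longer
// refers to the authenticated session (session fixation defence).
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['auth_time'] = time();
}

// Sanity check on the raw cookie before session_start() hands it to the
// save handler. PHP-generated IDs are 22..256 characters (session.sid_length)
// drawn from [0-9a-zA-Z,-] (session.sid_bits_per_character). Anything else
// is someone probing the handler, e.g. "../" aimed at a file-based backend.
function session_cookie_looks_sane(array $cookies, string $name = 'PHPSESSID'): bool
{
    if (!isset($cookies[$name])) {
        return true;    // no cookie: a new session will simply be created
    }
    return is_string($cookies[$name])
        && preg_match('/^[0-9a-zA-Z,-]{22,256}$/', $cookies[$name]) === 1;
}

if (!session_cookie_looks_sane($_COOKIE)) {
    // Drop the bogus value rather than letting session_start() see it.
    unset($_COOKIE['PHPSESSID']);
}
start_hardened_session();
```

The regex check is belt-and-braces: strict mode already refuses unknown IDs, but filtering the cookie first keeps malformed values away from the storage backend entirely, and the same allow-list approach applies to any other header-derived value from $_SERVER["HTTP_*"].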
$_SESSION only contains what you yourself put there. $_COOKIE, however, should be considered untrusted user input along with $_GET and $_POST.
The one point of crossover I can think of is an end user attempting to supply a crafted PHPSESSID via $_COOKIE in hopes of gaining access to another user's session.
Unless you directly store other input ($_GET, $_POST, $_COOKIE) into $_SESSION, it can be trusted.
Session data can't be directly input by the user unless you have created this functionality within your application somewhere, such as:
If your application does have functionality similar to this, or if you aren't sure, I would still filter/sanitize your data before printing it to the page or using it in a SQL statement. It's better to be safe than sorry.
However, cookie data can be altered easily and is considered direct INPUT.
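Both of the two previous answers hinge on the same crossover: the moment request input is copied into $_SESSION, the "trusted" session is carrying attacker-controlled data, and a later code path that reads it back can no longer tell. The example below is added here and is not code posted by either answerer; it shows the vulnerable pattern beside the hardened one. The users table, the display_name column and the PDO connection are assumptions made for illustration.

```php
<?php
// Added example (not from the answers above): a value that enters via $_GET,
// is parked in $_SESSION, and is consumed on a later request by code that
// assumes session data is safe. Table/column names and $db are assumptions.

declare(strict_types=1);

// ---- Vulnerable: the session is treated as trusted, but it was filled from $_GET.

function remember_display_name_unsafe(): void
{
    // /profile.php?name=<script>...</script> lands in the session verbatim.
    $_SESSION['display_name'] = $_GET['name'] ?? 'anonymous';
}

function render_greeting_unsafe(): string
{
    // Different request, different file: "it came from the session, so it's fine".
    return '<p>Hello, ' . $_SESSION['display_name'] . '</p>';   // stored XSS
}

function find_user_unsafe(PDO $db): array
{
    $sql = "SELECT id FROM users WHERE display_name = '"
         . $_SESSION['display_name'] . "'";                     // SQL injection
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// ---- Hardened: validate where the value enters, and still escape or
// parameterise at every sink, because the session does not launder input.

function remember_display_name(): void
{
    $name = $_GET['name'] ?? '';
    // ?name[]=x makes $_GET['name'] an array, hence the is_string() check.
    // Allow-list the shape instead of trying to strip "bad" characters.
    if (!is_string($name) || preg_match('/^[\p{L}\p{N} _.-]{1,40}$/u', $name) !== 1) {
        $name = 'anonymous';
    }
    $_SESSION['display_name'] = $name;
}

function render_greeting(): string
{
    // Escape at the HTML sink even though the value was validated on entry.
    $safe = htmlspecialchars($_SESSION['display_name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Hello, ' . $safe . '</p>';
}

function find_user(PDO $db): array
{
    // Bound parameter: the value can never be parsed as SQL.
    $stmt = $db->prepare('SELECT id FROM users WHERE display_name = :name');
    $stmt->execute([':name' => $_SESSION['display_name']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The split matters because the two halves usually live in different files: the entry point validates the shape of what it stores, and the consumers still treat the stored value as data rather than markup or SQL, so a later change to the entry point cannot silently reopen the sinks.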
PHP has a global variable called $_REQUEST: *An associative array that by default contains the contents of $_GET, $_POST and $_COOKIE*
The variables in $_REQUEST are provided to the script via the GET, POST, and COOKIE input mechanisms and therefore could be modified by the remote user and cannot be trusted.
The values defined in $_REQUEST are defined by the user, in the browser.
Variables in $_SESSION can't be modified by the browser. They are only modified by PHP, and generally they can be considered trusted.
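This answer and the first one both note that $_REQUEST merges $_GET, $_POST and $_COOKIE according to request_order. The following added example (not the answerer's code) re-implements PHP's merge rule in userland so the effect can be seen without editing php.ini: sources are applied left to right and later ones overwrite earlier ones, so under the "EGPCS" fallback a cookie can shadow a form field, whereas "GP" excludes cookies entirely. The three request arrays are constructed inputs; the role_from_post() helper is an assumption showing the explicit alternative.

```php
<?php
// Added example (not from the answer above): what ends up in $_REQUEST for a
// given request_order, and why reading from $_REQUEST lets a cookie shadow
// a query or form parameter. The sample arrays are constructed inputs.

declare(strict_types=1);

/**
 * Mimic how PHP fills $_REQUEST: walk the order string left to right and let
 * later sources overwrite earlier ones (G = $_GET, P = $_POST, C = $_COOKIE).
 * Letters for other superglobals (E, S) are ignored, as PHP does for $_REQUEST.
 * When request_order is empty PHP falls back to variables_order, whose
 * default "EGPCS" includes cookies.
 */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // Array union keeps keys from the left operand, so the later
            // source wins; unlike array_merge it also preserves numeric keys.
            $request = $sources[$letter] + $request;
        }
    }
    return $request;
}

// Constructed request: the URL and the form both say role=user, but the
// client also sends a cookie named "role" that it set itself.
$get    = ['page' => 'account', 'role' => 'user'];
$post   = ['role' => 'user', 'csrf' => 'abc'];
$cookie = ['role' => 'admin', 'PHPSESSID' => 'deadbeef'];

// request_order = "GP" (as shipped in php.ini-production): cookies excluded.
$prod = build_request('GP', $get, $post, $cookie);
assert($prod['role'] === 'user' && !isset($prod['PHPSESSID']));

// request_order unset -> variables_order "EGPCS": the cookie overwrites both.
$fallback = build_request('EGPCS', $get, $post, $cookie);
assert($fallback['role'] === 'admin');

// Explicit alternative (assumed helper): name the source the value must come
// from and validate it, instead of letting request_order decide.
function role_from_post(): ?string
{
    $role = filter_input(INPUT_POST, 'role');   // null if absent, false on failure
    return is_string($role) && in_array($role, ['user', 'admin'], true) ? $role : null;
}
```

The practical rule that falls out of this is to read each value from the superglobal it is supposed to arrive in ($_POST for form fields, $_GET for URL parameters) and to validate it there; $_REQUEST makes the source of a value a deployment setting rather than a property of the code.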