So, I am building a login system, and users should be able to stay logged in for longer than 24 minutes. That is why I decided to store the sessions in my database.
I use this code (I set up my own SQL connection in sqlConnectionConfig.php):
sessions.php file (I found this code on php.net): storing sessions in SQL (session_set_save_handler())
class session {
    // session-lifetime
    var $lifeTime;
    // mysql-handle
    var $dbHandle;

    function open($savePath, $sessName) {
        // get session-lifetime
        $this->lifeTime = get_cfg_var("session.gc_maxlifetime");
        // open database-connection
        require_once '../sqlConnectionConfig.php';
        $dbHandle = @mysql_connect($sqlHost,$sqlUser,$sqlPass);
        $dbSel = @mysql_select_db($sqlDb,$dbHandle);
        // return success
        if(!$dbHandle || !$dbSel)
            return false;
        $this->dbHandle = $dbHandle;
        return true;
    }

    function close() {
        $this->gc(ini_get('session.gc_maxlifetime'));
        // close database-connection
        return @mysql_close($this->dbHandle);
    }

    function read($sessID) {
        // fetch session-data
        $res = mysql_query("SELECT session_data AS d FROM ws_sessions
                            WHERE session_id = '$sessID'
                            AND session_expires > ".time(),$this->dbHandle);
        // return data or an empty string at failure
        if($row = mysql_fetch_assoc($res))
            return $row['d'];
        return "";
    }

    function write($sessID,$sessData) {
        // new session-expire-time
        $newExp = time() + $this->lifeTime;
        // is a session with this id in the database?
        $res = mysql_query("SELECT * FROM ws_sessions
                            WHERE session_id = '$sessID'",$this->dbHandle);
        // if yes,
        if(mysql_num_rows($res)) {
            // ...update session-data
            mysql_query("UPDATE ws_sessions
                         SET session_expires = '$newExp',
                             session_data = '$sessData'
                         WHERE session_id = '$sessID'",$this->dbHandle);
            // if something happened, return true
            if(mysql_affected_rows($this->dbHandle))
                return true;
        }
        // if no session-data was found,
        else {
            // create a new row
            mysql_query("INSERT INTO ws_sessions (
                             session_id,
                             session_expires,
                             session_data)
                         VALUES(
                             '$sessID',
                             '$newExp',
                             '$sessData')",$this->dbHandle);
            // if row was created, return true
            if(mysql_affected_rows($this->dbHandle))
                return true;
        }
        // an unknown error occurred
        return false;
    }

    function destroy($sessID) {
        // delete session-data
        mysql_query("DELETE FROM ws_sessions WHERE session_id = '$sessID'",$this->dbHandle);
        // if session was deleted, return true,
        if(mysql_affected_rows($this->dbHandle))
            return true;
        // ...else return false
        return false;
    }

    function gc($sessMaxLifeTime) {
        // delete old sessions
        mysql_query("DELETE FROM ws_sessions WHERE session_expires < ".time(),$this->dbHandle);
        // return affected rows
        return mysql_affected_rows($this->dbHandle);
    }
}
Both my admin/index.php and admin/admin.php files have the same session_start() setup:
ini_set("session.gc_maxlifetime", "18000");
require_once 'sessions.php';
$session = new session();
session_set_save_handler(array(&$session,"open"),
                         array(&$session,"close"),
                         array(&$session,"read"),
                         array(&$session,"write"),
                         array(&$session,"destroy"),
                         array(&$session,"gc"));
session_start();
index.php contains the form and sends the login data to admin.php via POST.
The problem is: it logs out after 24 minutes. But I don't know why; my DB stores the sessions successfully.
This looks like a SQL injection vulnerability: if the user manipulates the session_id you are pwnd, so use '$var = mysql_real_escape_string($var)' before injecting it into the SQL. – Johan