猿问

jsGrid:如何使用ajax将其他变量从脚本传递到 php

我正在为我的项目使用 jsGrid。在此处查看原始源代码

我想在 fetch 中传递一个额外的变量调用 $user_session 以用于 mysql 选择查询.php但失败了。以下是我一直在尝试的内容。


<script>


var user_session = "<?php echo $user_session; ?>"; //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<


//......


 controller: {

  loadData: function(){

   return $.ajax({

    type: "GET",

    url: "fetch_data.php",

    data: {user_session:user_session} //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

   });

  },


 //......

这是回迁.php文件


<?php


if($method == 'GET')

{

 $user_session = $_GET['user_session']; //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<


 $query = "SELECT * FROM sample_data WHERE first_name=? ORDER BY id DESC";

 $statement = $connect->prepare($query);

 $statement->execute($user_session); //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

 $result = $statement->fetchAll();

 foreach($result as $row)

 {

  $output[] = array(

   'id'    => $row['id'],   

   'first_name'  => $row['first_name'],

   'last_name'   => $row['last_name'],

   'age'    => $row['age'],

   'gender'   => $row['gender']

  );

 }

 header("Content-Type: application/json");

 echo json_encode($output);

}

//......

?>

正确的方法是什么?


慕码人8056858
浏览 114回答 3
3回答

慕田峪7331174

首先,任何人都可以在浏览器中打开开发控制台并开始模糊会话ID。当您正确准备查询,化解sql注入时,它并不能保护您免受IDOR的侵害,或者,我可以通过重复查询您的应用程序来枚举您的用户。如果您真的想在客户端传递会话ID,也许您可以考虑使用cookie,因为它不太容易被普通用户编辑。

梵蒂冈之花

我可以通过这种方式做到这一点。<script>//......&nbsp;controller: {&nbsp; loadData: function(filter){&nbsp; &nbsp; var user_session = "<?php echo $user_session; ?>"; //<<<<<<<<<<<<<<<<<<<<<<<<<<<&nbsp; &nbsp;return $.ajax({&nbsp; &nbsp; type: "GET",&nbsp; &nbsp; url: "fetch_data.php",&nbsp; &nbsp; data: {filter,&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;user_session:user_session //<<<<<<<<<<<<<<<<<<<<<<<<<<<&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; },&nbsp; &nbsp;});&nbsp; },&nbsp;//......</script>在获取中.php我这样做。<?phpif($method == 'GET'){&nbsp;$user_session = $_GET['user_session'];//<<<<<<<<<<<<<<<<<<<<<<<<<<<&nbsp;$query = "SELECT * FROM sample_data WHERE first_name=? ORDER BY id DESC";&nbsp;$statement = $connect->prepare($query);&nbsp;$statement->execute([$user_session]); //<<<<<<<<<<<<<<<<<<<<<<<<<<<&nbsp;$result = $statement->fetchAll();&nbsp;foreach($result as $row)&nbsp;{&nbsp; $output[] = array(&nbsp; &nbsp;'id'&nbsp; &nbsp; => $row['id'],&nbsp; &nbsp;&nbsp; &nbsp;'first_name'&nbsp; => $row['first_name'],&nbsp; &nbsp;'last_name'&nbsp; &nbsp;=> $row['last_name'],&nbsp; &nbsp;'age'&nbsp; &nbsp; => $row['age'],&nbsp; &nbsp;'gender'&nbsp; &nbsp;=> $row['gender']&nbsp; );&nbsp;}&nbsp;header("Content-Type: application/json");&nbsp;echo json_encode($output);}//......?>

手掌心

最后,我找到了更好的方法。我可以直接在抓取.php内调用$user_会话。<?phprequire('user_session.php'); //<<<<<<<<<<<<<<<<<<<<<<<<<<<require('includes/db.php');$method = $_SERVER['REQUEST_METHOD'];if($method == 'GET'){&nbsp;$query = "SELECT * FROM sample_data WHERE first_name=? ORDER BY id DESC";&nbsp;$statement = $conn->prepare($query);&nbsp;$statement->execute([$user_session]); //<<<<<<<<<<<<<<<<<<<<<<<<<<<&nbsp;$result = $statement->fetchAll();&nbsp;foreach($result as $row)&nbsp;{&nbsp; $output[] = array(&nbsp; &nbsp;'ChildID'&nbsp; &nbsp; => $row['ChildID'],&nbsp; &nbsp;'Name'&nbsp; => $row['Name'],&nbsp; &nbsp;'BirthDate'&nbsp; &nbsp;=> $row['BirthDate'],&nbsp; &nbsp;'Gender'&nbsp; &nbsp;=> $row['Gender'],&nbsp; &nbsp;'StudyorWorking'&nbsp; &nbsp;=> $row['StudyorWorking'],&nbsp; &nbsp;'CourseorOccupation'&nbsp; &nbsp;=> $row['CourseorOccupation'],&nbsp; &nbsp;'Married'&nbsp; &nbsp;=> $row['Married']&nbsp; );&nbsp;}&nbsp;header("Content-Type: application/json");&nbsp;echo json_encode($output);}?>
随时随地看视频慕课网APP
我要回答