
Detect session/cookie variable in WordPress to prevent access to documents

Hey guys, I've gotten as far as my code below, but I am trying to create an AJAX search form that is 'safe' on my WordPress blog, by detecting the session variable or a cookie or something.

<?php
// Resume the PHP session; the login code is expected to have set $_SESSION['authed'].
@session_start();

// Refuse to serve anything unless the session carries the 'authed' flag.
if (!array_key_exists('authed', $_SESSION)) {
    include 'not_authed.inc';
    exit();
}

// go about your business.

?>

and I'm trying to add that to this:

<?php

// checkValues(): trims, undoes magic quotes, decodes HTML entities, strips tags and
// escapes the value for the mysql_* API (PHP 5 era code: magic quotes went away in
// PHP 5.4 and the mysql_* extension in PHP 7).
function checkValues($value)
{
    // Use this function on all those values where you want to check for both SQL injection and cross-site scripting
    // Trim the value
    $value = trim($value);

    // Stripslashes
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }

    // Convert all &lt;, &gt; etc. to normal HTML and then strip these
    $value = strtr($value, array_flip(get_html_translation_table(HTML_ENTITIES)));

    // Strip HTML Tags
    $value = strip_tags($value);

    // Quote the value (needs an open mysql connection, so only call this after mysql_connect)
    $value = mysql_real_escape_string($value);
    return $value;
}

mysql_connect("mysql.*****.com", "****", "$*****") or die(mysql_error());
mysql_select_db("***********");

// checkValues() already escapes the term; escaping it a second time would double
// the backslashes and break matching on any value that contains a quote.
$term = checkValues(isset($_REQUEST['val']) ? $_REQUEST['val'] : '');

$sql = mysql_query("SELECT * FROM patient_db WHERE id_number = '$term'") or die(mysql_error());

if ($row = mysql_fetch_array($sql)) {
    // Escape on output so a stored value cannot inject markup into the page.
    $h = function ($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); };
    echo "<img src=\"******\" class='leftfloat' border=0>";
    echo '<p>';
    echo '<br /> ID Number: ' . $h($row['id_number']);
    echo '<br /> Name: '      . $h($row['Name']);
    echo '<br /> Exp. Date: ' . $h($row['exp_date']);
    echo '<br /> DOB: '       . $h($row['dob']);
    echo '</p>';
    //echo "<a href='******' title='Printer Friendly Version' alt='Printer Friendly Version'><img src=\"*****\" class='rightfloat' border=0 height=33 width=33></a>";
} else {
    echo "<img src=\"*****\" height=50 width=50 class='leftfloat' border=0>";
    print "<h1>USER ID <br/>NOT FOUND</h1><br />";
    print "<strong>OOPS!! THIS COULD BE AN ERROR</strong><br />";
    print "<br />";
    print "<div>*****</div>";
}

?>


The problem you are going to have is that the AJAX request is a separate session / cookie as it is a completely different process not tied into the browser.

So how do you go about authenticating someone? A token of sorts. So you would create a hash, which would need to be stored in the database for the user, which can be regenerated upon login etc. Then you would use this token to validate that user and allow the AJAX submission to work.

Hopefully that gets the ball rolling for you. So in your AJAX push script you would just append a variable to the GET or POST data called token and then check it on the receiving PHP script. There are other ways of doing it, this is just one that I know of :)
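The token scheme the answer sketches, worked through as an added example (this is editor-supplied illustration, not the asker's or answerer's code, and not part of WordPress). It assumes PHP 7.4+, a PDO connection, an assumed `ajax_tokens` table with columns `user_id`, `token_hash` and `expires_at`, and the `patient_db` table from the question; the DB_HOST/DB_NAME/DB_USER/DB_PASS values are placeholders. The receiving script checks the token before running the lookup, which is done with a prepared statement so the `checkValues()` escaping from the question is no longer needed on the SQL side; output escaping is still applied when the row is rendered.

```php
<?php
// Added example: per-user AJAX token issued at login, verified by the AJAX receiver.
declare(strict_types=1);

const TOKEN_TTL = 900; // seconds a token stays valid (assumed value)

// Placeholder credentials; replace with the real ones. ATTR_EMULATE_PREPARES=false makes
// the MySQL server, not the client library, bind the parameters.
function connectDb(): PDO
{
    return new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Call this once the user has logged in through the normal session. The raw token goes to
// the browser; only its SHA-256 is stored, so a leaked table does not yield usable tokens.
// REPLACE INTO regenerates the token on every login, as the answer describes.
function issueAjaxToken(PDO $pdo, int $userId): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $stmt  = $pdo->prepare('REPLACE INTO ajax_tokens (user_id, token_hash, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([$userId, hash('sha256', $token), time() + TOKEN_TTL]);
    return $token;
}

// Call on logout so the token cannot outlive the session.
function revokeAjaxToken(PDO $pdo, int $userId): void
{
    $pdo->prepare('DELETE FROM ajax_tokens WHERE user_id = ?')->execute([$userId]);
}

// Returns true only for a well-formed, unexpired token that matches the user's stored hash.
// The row is fetched by user id and the hashes compared with hash_equals(), so the
// comparison takes constant time regardless of where the first differing byte is.
function verifyAjaxToken(PDO $pdo, int $userId, string $token): bool
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return false; // malformed: reject before touching the database
    }
    $stmt = $pdo->prepare('SELECT token_hash, expires_at FROM ajax_tokens WHERE user_id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return false;
    }
    return hash_equals($row['token_hash'], hash('sha256', $token));
}

// The receiving script for the search form: token first, then a parameterised lookup.
// Returns an array ready for json_encode(); values are HTML-escaped for the caller.
function handleSearch(PDO $pdo, array $request): array
{
    $userId = isset($request['user']) ? (int) $request['user'] : 0;
    $token  = isset($request['token']) ? (string) $request['token'] : '';
    if ($userId <= 0 || !verifyAjaxToken($pdo, $userId, $token)) {
        http_response_code(403);
        return ['error' => 'not authorised'];
    }

    $term = trim((string) ($request['val'] ?? ''));
    // The term is bound as data, so it never reaches the SQL parser as code.
    $stmt = $pdo->prepare('SELECT id_number, Name, exp_date, dob FROM patient_db WHERE id_number = ?');
    $stmt->execute([$term]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return ['error' => 'not found'];
    }
    // Escape on output so a stored value cannot inject markup into the page.
    return array_map(fn ($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'), $row);
}

// Assumed wiring: after login, $token = issueAjaxToken($pdo, $userId) is handed to the page's
// JavaScript, which appends user=<id>&token=<hex>&val=<id_number> to its POST; the receiver runs:
// header('Content-Type: application/json');
// echo json_encode(handleSearch(connectDb(), $_POST));
```

Two points a reviewer would check on this design: the token travels with every AJAX request, so the endpoint should only be served over HTTPS, and the `expires_at` check means a token left in a browser tab stops working on its own after TOKEN_TTL seconds instead of living as long as the database row. Inside WordPress the same role is filled by its nonce helpers (`wp_create_nonce()` on the page, `check_ajax_referer()` in the handler, together with `is_user_logged_in()`), which is a separate mechanism from the hand-rolled token shown here.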
