JavaScript 中的 PHP 会话变量
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/10526435/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
PHP Session Variable In JavaScript
提问by user1345650
How could I input php in this so when it has a correct password it stores the information as a cookie and then allow the deletion to it too.
我如何在其中输入 php,以便当它有正确的密码时,它将信息存储为 cookie,然后也允许删除它。
<SCRIPT language="JavaScript">
<!--hide
var password;
var pass1="password";
password=prompt('Please enter your password to view this page!',' ');
if (password==pass1){
alert('Password Correct! Click OK to enter!');}
else
{
window.location="//Some Location//";
}
//-->
</SCRIPT>
回答by Starx
If its simple enough (As per the title)
如果它足够简单(根据标题)
var varname = '<?php echo $_SESSION["variable_name"]; ?>';
But you have to seriously consider your logic. You are checking for authentication on javascript, which is going to be dumbestmove in a web application.
但是你必须认真考虑你的逻辑。您正在检查 javascript 上的身份验证,这将是Web 应用程序中最愚蠢的举动。
The password is totally exposed, and any one can view them or turn off the javascript as a whole, then your whole site becomes vulnerable.
密码是完全暴露的,任何人都可以查看它们或整体关闭 javascript,那么您的整个站点就会变得容易受到攻击。
My suggestion is an AJAX request to a PHP page which separately checks and verifies the password and then returns message to the Javascript.
我的建议是对 PHP 页面的 AJAX 请求,它单独检查和验证密码,然后将消息返回给 Javascript。
回答by jeroen
This is completely wrong:
这是完全错误的:
- You will have password displayed in the source code of the page and in the history of the browser for anybody to see. So even if they don't have the password, they can just check the source-code to get it.
- You need to protect the current page server-sideas anybody that disables javascript can open it now. An easy way to do that, would be to handle the login server-side and set a certain session variable for a successfully logged-in user. You can then check at the top of your page if that session variable is set.
- 您将在页面的源代码和浏览器的历史记录中显示密码,供任何人查看。因此,即使他们没有密码,他们也可以通过查看源代码来获取密码。
- 您需要保护当前页面服务器端,因为任何禁用 javascript 的人现在都可以打开它。一个简单的方法是处理登录服务器端并为成功登录的用户设置某个会话变量。然后,您可以在页面顶部检查该会话变量是否已设置。
