How can I check that $_SESSION['text']
is indeed text and not some malicious .exe?
And, if I do destroy_session(...) but set
$a = $_SESSION;
does $a become NULL now?
Why would you care? Are you planning to execute it? If a session field happens to contain binary data that could be executed, that doesn't mean it will be executed.
Even a text string can contain executable code, depending on how you execute it. It could contain "rm -rf *", and if you ran that with "exec", you'd be in trouble. No amount of filtering can guarantee that a string isn't executable in some language. The time to worry about that is when you're actually doing the executing, and using a variable as part of it.
As for your second question, if you've copied the array before destroying the session, your copy won't change even if the session changes. That's true of all PHP arrays.
Only you can set session variables since the session data is stored on the server side (usually in a file in a tmp directory). But this data is serialized with something similar to serialize. So the actual file contents are probably not in an appropriate format to be executed. So you don't need to worry that that file will be executed by mistake.
You can use is_string to know whether it's a valid string, and use a regexp such as preg_match('/^[ a-z]+$/', $_SESSION['text']), but I do confirm what JW says.
To answer your 2nd question: no, it will be an empty array.
Limit its length to the length you expect and sanitize it with addslashes() before you send it to a database.
Or are you planning on sending it to a system call? Don't.
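An added example, not code from the question or from any answer above: it checks type, length and an allow-list on the stored value, then handles the value at the point of use. It assumes PHP 8 with the pdo_sqlite extension; `validText`, the `notes` table and all sample values are constructed for illustration, and it uses a bound parameter and escapeshellarg() rather than the addslashes() mentioned in the thread.

```php
<?php
declare(strict_types=1);

// Added example. $session stands in for $_SESSION so the script runs from the
// CLI without session storage; every value below is constructed.

/** Return the value if it is a short string of lowercase letters and spaces, else null. */
function validText(mixed $value, int $maxLen = 64): ?string
{
    if (!is_string($value) || strlen($value) > $maxLen) {
        return null;
    }
    // \A and \z (not ^ and $) so a trailing newline is rejected too.
    return preg_match('/\A[ a-z]+\z/', $value) === 1 ? $value : null;
}

$samples = [
    'hello world',           // plain text: accepted
    'rm -rf *',              // text, but outside the allow-list: rejected
    "MZ\x90\x00\x03",        // binary-looking bytes: rejected
    ['not', 'a', 'string'],  // wrong type: rejected
];
foreach ($samples as $sample) {
    $session = ['text' => $sample];
    $label = json_encode($sample, JSON_INVALID_UTF8_SUBSTITUTE);
    printf("%-24s => %s\n", $label, validText($session['text']) === null ? 'rejected' : 'accepted');
}

// Copy semantics: the copy keeps its contents after the original is emptied.
$session = ['text' => 'hello world'];
$copy = $session;
$session = [];
var_dump($copy['text']); // string(11) "hello world"

// Validation does not replace encoding where the value is used.
$text = "it's ok; ls"; // ordinary text to a reader, special characters to a shell or SQL parser

// Shell: the value becomes one quoted argument, never part of the command text.
echo 'printf %s ' . escapeshellarg($text), "\n";

// Database: bind the value instead of escaping it into the SQL string.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (body TEXT)');
$db->prepare('INSERT INTO notes (body) VALUES (?)')->execute([$text]);
echo $db->query('SELECT body FROM notes')->fetchColumn(), "\n"; // it's ok; ls
```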