How to properly manage PHP sessions

If input validation fails on save_post, I would like to persist the form inputs from edit.php (1) through post.php (2) and back to edit.php (3), so that my user does not have to re-fill the form on edit.php (3). There are several ways of passing data through this tunnel:

  1. WordPress uses the querystring for its messages - aside from the common cons of querystrings, I did not go this way for my purpose as my $_POST vars may be too much for the querystring
  2. the Transient API - nope, not this one either, for (remotely possible) collision reasons
  3. modify edit.php and post.php directly - unsustainable, especially over updates. I could look for hooks for this if I can't find anything else
  4. sessions,

among others.

I'll be going with sessions (I'll let WordPress handle the rest). Following the linked articles, I put the following in functions.php:

/*
 * manage sessions
 */
// http://wblinks.com/notes/secure-session-management-tips
// http://devondev.com/2012/02/03/using-the-php-session-in-wordpress/
// http://en.wikipedia.org/wiki/Session_fixation
// http://www.php.net/manual/en/function.session-regenerate-id.php
if (is_admin()) add_action('init', 'empl_sesh_start', 1);
add_action('wp_login', 'empl_sesh_cleanup');
add_action('wp_logout', 'empl_sesh_cleanup');
function empl_sesh_start() {
    // session_start() emits a notice if a session is already active, so guard it
    if (session_status() === PHP_SESSION_NONE) session_start();
    // check if loaded session is server-generated
    if (!isset($_SESSION['IS_SERVER_TRUSTED']))
        session_regenerate_id(true); // if not, regenerate id and clean-up previous session files
    // regenerate id for every request
    session_regenerate_id();
    $_SESSION['IS_SERVER_TRUSTED'] = true; // set flag
}
// cleanup
function empl_sesh_cleanup() {
    if (session_status() === PHP_SESSION_NONE) session_start(); // needed for the rest of this function to work
    $_SESSION = array(); // cleanup session variables
    session_regenerate_id(true); // regenerate id and clean-up previous session files
    session_destroy();
}

I just need to know if I got it right. I'm particularly concerned with

  1. are the order and calls to the session statements correct?
  2. are they necessary (in an effort to make the session less vulnerable, as pointed out by the online articles)?

I'm also concerned about what I've read regarding session cookies and their complexity: do I need that? I don't use any cookies; I only use two session variables:

// persist form vars to next load
$_SESSION['empl_form_inputs'][] = $_POST['empl_age'];
    // more similar code here...
$_SESSION['empl_form_inputs'][] = $_POST['empl_id'];

// persist message array to next load
$_SESSION['empl_messages'] = $empl_messages;

I'm posting this question here rather than elsewhere.


I ended up dropping the whole session idea and implemented the transient approach, which works (at least for me), with a 2 second expiry. Thanks @Robbie

Answer

You don't need sessions for a form at all.

Page:

  • Create values with default values
  • Create "empty" error conditions
  • If Post
    • Populate "default" values from POST
    • Sanitize values
    • Validate Values
    • If valid
      • Create action (e.g. put the values in DB)
      • Redirect to another page showing result/success message (prevents back button failure)
    • If not valid
      • Populate error conditions
  • Display form using values and error conditions.

If you go with a wizard (multi-page form) approach, then you use sessions. That way the form can display the user's inputs and errors.


However, to answer your question: your add_actions are probably what you want, but the functions are backwards.

  • The init looks fine-ish (note the comment on regenerating the ID below)
  • The cleanup is risky as you will obliterate any other plugins that use sessions. Just delete your entries ( $_SESSION['empl_form_inputs'] = array(); ) and move on
  • If you mess about with the session ID like that, you're going to totally screw over any other plugins that use sessions.
  • For "security" keep the same session ID, but track where it comes from and give it a time-out. So if session_id() = "ABC" has not been used for 10 minutes, or comes from a different user agent, then ignore those values you had and start again.

Timeout check:

if (!isset($_SESSION['empl_form_expires']) || $_SESSION['empl_form_expires'] < time()) {  // expired or never set; also add a user agent check or something
    $_SESSION['empl_form_inputs'] = array();  // Clear values
} else {
    $_SESSION['empl_form_expires'] = time() + 600;  // Keep the time running
}
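As an added example (not code from the original question or answer), the following PHP puts the answer's advice together: keep the session ID alone, store only the plugin's own keys, give the stored form state a timeout and bind it to the client's user agent, and consume it once on display. The function names (empl_form_save, empl_form_load, empl_form_clear, empl_form_validate), the 600 second timeout and the field names empl_age/empl_id are assumptions for illustration; the store is passed in as an array so the demo runs from the CLI, whereas in WordPress you would pass $_SESSION.

```php
<?php
// Added example, not from the original post or answer. Session-scoped form
// state with a timeout and user-agent check; the session ID is never touched
// and only our own 'empl_form_*' keys are written or cleared.
// Function names, the TTL and the field names are assumptions for illustration.

const EMPL_FORM_TTL = 600; // seconds of inactivity before stored inputs are discarded

// Fingerprint the client so stored state is only handed back to the same user agent.
function empl_form_fingerprint(string $user_agent): string {
    return hash('sha256', $user_agent);
}

// Store sanitized inputs and error messages for the next page load.
// $store is normally $_SESSION; a plain array is used here so the demo runs offline.
function empl_form_save(array &$store, array $inputs, array $messages, string $user_agent, int $now): void {
    $store['empl_form_inputs']   = $inputs;
    $store['empl_form_messages'] = $messages;
    $store['empl_form_expires']  = $now + EMPL_FORM_TTL;
    $store['empl_form_ua']       = empl_form_fingerprint($user_agent);
}

// Return [inputs, messages], or [[], []] when the state is stale, belongs to a
// different client, or was never set. The state is one-shot: it is cleared on read.
function empl_form_load(array &$store, string $user_agent, int $now): array {
    $valid = isset($store['empl_form_expires'], $store['empl_form_ua'])
        && $store['empl_form_expires'] > $now
        && hash_equals($store['empl_form_ua'], empl_form_fingerprint($user_agent));
    if (!$valid) {
        empl_form_clear($store);
        return [[], []];
    }
    $state = [$store['empl_form_inputs'] ?? [], $store['empl_form_messages'] ?? []];
    empl_form_clear($store);
    return $state;
}

// Remove only our keys; never $_SESSION = array() or session_destroy(), which
// would wipe every other plugin's session data too.
function empl_form_clear(array &$store): void {
    foreach (['empl_form_inputs', 'empl_form_messages', 'empl_form_expires', 'empl_form_ua'] as $k) {
        unset($store[$k]);
    }
}

// Sanitize and validate the POSTed fields (assumed field names empl_age, empl_id).
function empl_form_validate(array $post): array {
    $inputs = [
        'empl_age' => trim((string)($post['empl_age'] ?? '')),
        'empl_id'  => trim((string)($post['empl_id'] ?? '')),
    ];
    $messages = [];
    if (!ctype_digit($inputs['empl_age']) || (int)$inputs['empl_age'] > 150) {
        $messages[] = 'Age must be a whole number between 0 and 150.';
    }
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $inputs['empl_id'])) {
        $messages[] = 'ID may only contain letters, digits, "-" and "_".';
    }
    return [$inputs, $messages];
}

// --- demo with constructed data standing in for $_SESSION and $_POST ---
$session = [];
$ua  = 'Mozilla/5.0 (constructed user agent)';
$now = 1700000000;

[$inputs, $messages] = empl_form_validate(['empl_age' => 'abc', 'empl_id' => 'E-42']);
if ($messages) {
    // In save_post you would store the state here and wp_redirect() back to the form.
    empl_form_save($session, $inputs, $messages, $ua, $now);
}

// Same client five minutes later: state comes back once, then it is gone.
[$i, $m] = empl_form_load($session, $ua, $now + 300);
assert($i['empl_id'] === 'E-42' && count($m) === 1);
assert(empl_form_load($session, $ua, $now + 300) === [[], []]);

// A different user agent, or a request after the timeout, gets nothing back.
empl_form_save($session, $inputs, $messages, $ua, $now);
assert(empl_form_load($session, 'curl/8.0 (constructed)', $now + 1) === [[], []]);
empl_form_save($session, $inputs, $messages, $ua, $now);
assert(empl_form_load($session, $ua, $now + EMPL_FORM_TTL + 1) === [[], []]);
echo "ok\n";
```

In WordPress the save would run at the end of the save_post handler just before the redirect, and the load at the top of the edit screen render; the user-agent binding is a cheap mitigation, not a substitute for the session cookie's own protections (HttpOnly, Secure, a server-generated ID).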
