惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
CXSECURITY Database RSS Feed - CXSecurity.com
Stack Overflow Blog
Stack Overflow Blog
月光博客
月光博客
T
Threat Research - Cisco Blogs
小众软件
小众软件
有赞技术团队
有赞技术团队
酷 壳 – CoolShell
酷 壳 – CoolShell
Apple Machine Learning Research
Apple Machine Learning Research
C
Cyber Attacks, Cyber Crime and Cyber Security
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
T
Tailwind CSS Blog
Cisco Talos Blog
Cisco Talos Blog
V
V2EX
博客园 - 【当耐特】
C
Cybersecurity and Infrastructure Security Agency CISA
Hugging Face - Blog
Hugging Face - Blog
The Cloudflare Blog
The Last Watchdog
The Last Watchdog
Simon Willison's Weblog
Simon Willison's Weblog
T
Threatpost
S
Secure Thoughts
O
OpenAI News
P
Proofpoint News Feed
S
SegmentFault 最新的问题
Forbes - Security
Forbes - Security
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Application and Cybersecurity Blog
Application and Cybersecurity Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Last Week in AI
Last Week in AI
宝玉的分享
宝玉的分享
Scott Helme
Scott Helme
T
Tenable Blog
A
Arctic Wolf
L
LINUX DO - 热门话题
爱范儿
爱范儿
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
www.infosecurity-magazine.com
www.infosecurity-magazine.com
V
Visual Studio Blog
Hacker News: Ask HN
Hacker News: Ask HN
Hacker News - Newest:
Hacker News - Newest: "LLM"
腾讯CDC
博客园 - Franky
WordPress大学
WordPress大学
Know Your Adversary
Know Your Adversary
博客园_首页
雷峰网
雷峰网
IT之家
IT之家
PCI Perspectives
PCI Perspectives
L
LINUX DO - 最新话题
H
Heimdal Security Blog

博客园 - 彭帅

周末开发的一个Google Wave类似的评论系统 CloudHosting平台Eucalyptus分析. Hadoop Ecosystem解决方案---数据仓库 关于HDFS数据Checksum hadoop MapReduce Job失效模型 - 彭帅 设计遐想---基于Google App Engine的IM 系统容灾备份选型的决策表 GAE技巧汇总 hadoop Map Stage流程分析 hadoop作业调度 - 源码分析 Internet级单点登录的数据管理(转) a CouchDB essentials 从网络上整理的google c++编程风格指南 网络编程套路杂记1 UserAgent的历史变迁 云计算-My Future, The IT's Future (转载)Hadoop常用SDK系列五 TotalOrderPartitioner OnlyXP盘点2008下半年的学习情况
A Viewstate for PHP
彭帅 · 2009-04-19 · via 博客园 - 彭帅

One of ASP.net’s most attractive features is the viewstate. It is a convienent way to store arbitrary data in a persistent mechanism. In fact, it’s rather like PHP’s $_SESSION array.

There is, however, one difference. $_SESSION is unique to a user but is reused across pages. With only one window to your website, the two preform the same function. But if a user has multiple tabs or windows, $_SESSION can change in between what would otherwise be two successive page loads.

The viewstate has two functions:

  1. Storing properties for controls and forms,
  2. Storing arbitrary data

The viewstate is responsible for ensuring a red label is still red (and doesn’t default back to black) between page loads. Controls and forms manage this transparently from the developer (excluding a non-obtrusive ViewState property on controls). There is also a viewstate on the page object. It will act like a dictionary, allowing you to save arbitrary data to it.

The viewstate is a magical thing, and it achieves that through indirection. It is what separates a browser form submission from a user actually preforming an action. Prado and Fortitude both duplicate this functionality in PHP.

For a full example, take a look at Fortitude Form’s code. But for today’s purposes, I just wanted to demonstrate how to create a simple viewstate in PHP.

<?php
if (array_key_exists ("viewstate", $_POST)) {
$viewstate = unserialize (base64_decode ($_POST["viewstate"]));
$viewstate->count++;
} else {
$viewstate = new stdObject;
$viewstate->count = 0;
}
?>
<html>
<body>
Page-load count: <?=$viewstate->count;?>
<form method="post" action="?">
<input type="hidden" value="<?=base64_encode(serialize($viewstate));?>" name="viewstate" />
<input type="submit" value="Increment" />
</form>
</body>
</html>

It preforms very similarily to $_SESSION. Although I used an object, it works just as well with an array. But it accomplishes a separate scope for each page. Frequently in PHP, pagination results are placed in $_SESSION, but that means only one set can be used at a time without butchering the rest. In a page scope, any manipulations can be done at will. And that exposes the real difference between the two: global things, like login operation or options, should be set in $_SESSION. Local, page-level or temporary things should be set in the page’s viewstate. Opening two or three or even one hundred twenty copies of that script will maintain that many instances of $viewstate->count. $_SESSION maintains only one.

Note that the security problems the ExtremeExperts article mentions are just as true with PHP as ASP.net. A manipulative user could set viewstate to a custom crafted value and disrupt the applications expectations. But that just means judicious amounts of validation are required before consuming viewstate on postbacks. Both ASP.net and PHP’s viewstate can be made secure.

posted on 2009-04-19 01:42  彭帅  阅读(1926)  评论()    收藏  举报