|
PHP - How Secure Is $_session?
I have parts of my webpage protected with the following
Code: [Select] session_start(); if(!isset($_SESSION['myusername'])){ header("Location:login.php"); } else { $username = $_SESSION['myusername']; } How secure is this? The goal is so people who don't have access to the page (don't have a login account) cannot get access Thanks for any tips Similar Tutorials
First let me explain my code. This is later included in project_status.php] . In project_status.php] , I have included another file project_status_app.php which contains a HTML form.
<?php
include 'inc_fn_header_and_menu.php';
function includeFile($file,$variable) {
$var = $variable;
include($file);
}
if (isset($_GET['id']) && $_GET['id']!="") {
$pid = $_GET['id'];
$_SESSION['pidForApproval'] = $_GET['id'];
$query = 'SELECT * FROM `profile` WHERE pid ='.'\''.$pid.'\'';
$result=mysqli_query($db,$queryToRetrievePP) or die("There are no records to display ... \n" . mysqli_error());
foreach ($result as $row) {
$status = $row['status'];
}
}
...........some PHP and HTML code.......
<div id="customerPurchaseApprovalForm">
<?php
echo '<p>APPROVAL FOR CUSTOMER PURCHASE</p>';
$discountApprovalStatus = "Granted";
if ($discountApprovalStatus == "Granted") {
includeFile("project_status_app.php",$highestannualvalue);
} else {
//.........
}
In project_status_app.php I am attempting to retrieve pidForApproval from the $_SESSION array.
<?php
// put your code here UPDATE `pp` SET `customer_purchase_remarks` = 'hahaha' WHERE `pp`.`id` = 207;
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
include '../../inc/fastlogin.php';
$sql = "UPDATE pp SET customer_purchase_remarks ='{$_POST['remarkstxt']}' WHERE pp.pid='{$_SESSION['pidForApproval']}'";
$result = mysqli_query ( $fastdb, $sql ) ;
if (mysqli_affected_rows($fastdb) != 1) {
$_SESSION['err_cpa_rmks'] = "<p>Error while updating WHERE id='{$_SESSION['pidForApproval']}'</p>";
//echo "<p>Error while updating WHERE id='{$_POST['pidForApproval']}'</p>".mysqli_error($fastdb);
} else {
$_SESSION['suc_cpa_rmks'] = "<p>Records was updated successfully.</p>";
//echo "Records was updated successfully.";
}
header ("location: project_status.php?id="$_SESSION['pidForApproval']);
exit();
}
?>
When I load project_status.php, project_status_app.php is supposed to display the form. Once the user fills in the form the and the submit button has been pressed, the UPDATE statement is supposed to run and then it is supposed to navigate back to project_status.php?id=FA142. But the update is failing and the when the project_status.php is loaded back, the url looks like this http://localhost/fast/project_status.php?id= . The id is empty. It is supposed to be something like this http://localhost/fast/project_status.php?id=FA142. With the id being populated at the
header ("location: project_status.php?id=".$_SESSION['pidForApproval']);
Missing some information. Hello everyone, I am working on a form that is similar to a shopping cart system and I am thinking of creating a button that submits the checked value and saves them to a $_SESSION variable. And also a link that links to a cart.html that takes the values of a $_SESSION variable. I am have trouble figuring what tag/attribute should I use in order to achieve that.
Right now my code attached below submits the checked values to cart.html directly. However I want my submit button to save the checked box to a $_SESSION variable and STAY on the same page. And then I will implement a <a> to link to the cart.php.
I researched a little bit about this subject and I know it's somewhat related to ajax/jquery. I just wanted to know more about it from you guys. I appreciate your attention for reading the post and Thanks!
Below is the form that I currently have:
<form name= "finalForm" method="POST" action="cart.php">
<input type="Submit" name="finalSelected"/>
<?php foreach($FinalName as $key => $item) {?>
<tr>
<td><input type="checkbox" name="fSelected[]" value="<?php echo htmlspecialchars($FinalID[$key])?>" />
<?php echo "$FinalID[$key] & $item";?>
</td>
</tr>
<?php } ;?>
Below is the code for cart.php
<?php
require ('connect_db.php');
if(isset($_POST['finalSelected']))
{
if(!empty($_POST['fSelected']))
{
$chosen = $_POST['fSelected'];
foreach ($chosen as $item)
echo "aID selected: $item </br>";
$delimit = implode(", ", $chosen);
print_r($delimit);
}
}
if(isset($delimit))
{
$cartSQL = "SELECT * from article where aID in ($delimit)";
$cartQuery = mysqli_query($dbc, $cartSQL) or die (mysqli_error($dbc));
while($row = mysqli_fetch_array($cartQuery, MYSQLI_BOTH))
{
$aTitle[] = $row[ 'name' ];
}
}
?>
<table>
<?php if(isset($delimit)) {
$c=0; foreach($aTitle as $item) {?>
<tr>
<td>
<?php echo $aTitle[$c]; $c++;?>
</td>
</tr>
<?php }}?>
</table>
I wrote an update script, how secure do you think it is? By the way, this is an include. The page it is included on stop attacks by making sure the user is logged in. function update_file($url, $file) { //Get URL content $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); $data = curl_exec($ch); curl_close($ch); $new_content = $data; //Replace with content from URL file_put_contents($file, $new_content); echo $new_content; } function get_url($file) { $domain = 'http://www.mysite.com/'; $folder = 'update/'; $ver = '2.0.1'; $full_url = ''.$domain.''.$folder.'/'.$ver.'/'; $fileu = array ( "functions/update.php" => "".$full_url."functions/update.txt" ); return $fileu[$file]; } $files = array ( 'functions/update.php' ); foreach($files as $file) { update_file(get_url($file),$file); } OK so I have a page that a user can not access unless they are logged in works great. On that page I have links to documents, if you direct link to those docs they work. They should not unless you are logged in. How can I implement this? I'm not amazing with PhP, so excuse me if it looks terrible xD I've taken tutorials, edited them to fit my wanting and tried it out, it seems to deny anything other than an image type, but could it be abused?
<div id="image-upload">
<h2>Upload your image</h2>
<form action="upload.php" method="post" enctype="multipart/form-data">
Upload:<br><br>
<input type="file" name="image"><br><br>
Image Title:<br><br>
<input type="text" name="image_title"><br><br>
<input type="submit" name="submit" value="Upload">
</form>
<?php
include("upload_file.php");
function GetImageExtension($imagetype)
{
if(empty($imagetype)) return false;
switch($imagetype)
{
case 'image/bmp': return '.bmp';
case 'image/jpeg': return '.jpg';
case 'image/png': return '.png';
default: return false;
}
}
if ($_FILES['image']['error'] !== UPLOAD_ERR_OK) {
die();
}
$extension = getimagesize($_FILES['image']['tmp_name']);
if ($extension === FALSE) {
die("<br><font color='#8B0000'>Unable to determine image typeof uploaded file</font>");
}
if (($extension[2] !== IMAGETYPE_GIF) && ($extension[2] !== IMAGETYPE_JPEG) && ($extension[2] !== IMAGETYPE_PNG)) {
die("<br><font color='#8B0000'>Only images are allowed!</font>");
}
if (!empty($_FILES["image"]["name"])) {
$file_name=$_FILES["image"]["name"];
$temp_name=$_FILES["image"]["tmp_name"];
$imgtype=$_FILES["image"]["type"];
$ext= GetImageExtension($imgtype);
$imagename=$_FILES["image"]["name"];
$target_path = "../../images/upload/".$imagename;
$title = $_POST["image_title"];
if(move_uploaded_file($temp_name, $target_path)) {
$query_upload="INSERT into `images_tbl` (`images_path`,`submission_date`,`image_title`) VALUES
('".$target_path."','".date("Y-m-d")."','".$title."')";
mysql_query($query_upload) or die("error in $query_upload == ----> ".mysql_error());
echo '<br>Image uploaded!';
}else{
echo '<br><font color="#8B0000">Only images are allowed!</font>';
}
}
?>
The code below allows me to insert articles into my website without having to hard-code them in the home page. Is this code secure? (Someone told me I should use a switch statement instead?!) Code: [Select] <?php if (isset($_GET['article'])) { $articleFile = preg_replace('#[^A-z0-9_\-]#', '', $_GET['article']).'.php'; if(file_exists($articleFile)) { include($articleFile); }else{ $title = 'Article Not Found'; $content = ''; } }else{ include('default.php'); } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Dynamic Content Example</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link type="text/css" rel="stylesheet" href="css/pagelayout.css"> <link type="text/css" rel="stylesheet" href="css/dropdown.css"> </head> <body> <div id="wrapper" class="clearfix"> <div id="inner"> <div id="header"> <!-- DROP-DOWN MENU --> <ul id="topMenu"> <li class="current"><a href="?article=article1">Article 1</a></li> <li><a href="?article=article2">Article 2</a></li> <li><a href="?article=article3">Article 3</a></li> <!-- and so on... --> </ul><!-- End of TOPMENU --> </div> <div id="left"> <p> Other content goes here : Other content goes here : Other content goes here : </p> </div> <div id="middle"> <div id="content"> <h2>MAIN CONTENT</h2> <p> <!-- Dynamically insert Article here using PHP include!! --> <?php echo $content; ?> </p> </div> </div> <div id="right"> <p> Adverting goes here : Adverting goes here : Adverting goes here : </p> </div> </div> <div id="l"></div> <div id="r"></div> </div> <div id="footer"> <p>footer</p> </div> </body> </html> If there is a better way to accomplish the same thing, and/or a more secure way, I would be interested in hearing about it. Thanks, Debbie Hey, i was reading some code and i find this: if(stristr($_SESSION["s"]["user"]["asdasd"]),$someString) How the double/triple [] in $_SESSION works ? PS: I tryied to google it but it was kinda hard to search :X Thanks. edited PHP 5.3.3 I am trying to redirect a user (currently logged in) to a page where they are able to edit a posted comment. To keep things secure I am using a forms hidden input value to pass the {postID} to a redirect page Code: [Select] <form name="post_edit" method="post" action="post-edit-redirect.php" > <input type="hidden" name="local" id="local" value="<?php echo $row_rsPosts['postID']; ?>" /> <input type="image" src="../imgs/managepost.png" name="submit" /> </form> On the redirect page (simplified below) I am setting the {postID} in a SESSION before redirecting to the user to the page to edit their post with the new $_SESSION val for {postID} set. Code: [Select] session_start(); $id = $_REQUEST['local']; $_SESSION['postID']=$id; header("Location: edit-post.php"); This is working fine in every browser except IE (some one please just put an end to it), where when the edit-post.php page is reached the $_SESSION['postID'] is empty. If I regenerate the session ID from the redirect page as below IE then sets the SESSION ok. Code: [Select] session_start(); session_regenerate_id(); $id = $_REQUEST['local']; $_SESSION['postID']=$id; header("Location: edit-post.php"); However there should be no need to do this and would rather not if there is no need. Any help on why IE is not setting the SESSION is appreciated, and I hope I am not covering old ground here however I am unable to find a solution anywhere. - Cheers The $_Session has a url variable. Using a Dom how do I properly do: Code: [Select] html->load($_SESSION['variable']) I was thinking about breaking down the session to retrieve the value inside but I don't know how. For the last few hours I have been pulling my hair out on a session not storing when I moved from local host to my vps. I have been setting sessions like: $_SESSION['mydata'] = $variable; This works no problem on my wamp installation. However to get it to work on my vps, I have to store them like this $_SESSION[mydata] = $variable; Can someone please explain to me why this is the case? Hi i have made a login in system for a website iam trying to make. after you log in im trying to display the members username via the $_session created in the check_login.php. but when i Echo or print_r the $_session all is get is "welcome array" its like its not passing any information via the $_session from page to page. here is my code thanks in advance. Check_login.php session_start(); // username and password sent from form $myusername=$_POST['myusername']; $mypassword=md5($_POST["mypassword"]); // To protect MySQL injection (more detail about MySQL injection) $myusername = stripslashes($myusername); $mypassword = stripslashes($mypassword); $myusername = mysql_real_escape_string($myusername); $mypassword = mysql_real_escape_string($mypassword); $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'"; $result=mysql_query($sql); // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $myusername and $mypassword, table row must be 1 row if($count==1){ // Register $myusername, $mypassword and redirect to file "login_success.php" $_SESSION["myusername"]==$myusername; $_SESSION["mypassword"]; header("location:login_success.php"); } else { echo "Wrong Username or Password"; } ?> login_success.php <? session_start(); if($_SESSION['myusername']="$myusername"){ header("location:main_login.php"); } Echo "welcome" . $_SESSION['$myusername']; ?> thanks What kinds of things can I do to make Logging-In and being Logged-In *secure*?? I get the whole form validation thingy, but what about from the standpoint of how/where I store data in my database and how I keep track of who is logged in and where they can go, and so on? Thanks, Debbie Hi! I wanna know what is the best way to secure my inputs? Now I'm using something like this function:
public function z($var) {
$result1 = htmlspecialchars($var);
$result = mysqli_real_escape_string($this->conn, $result1);
return $result;
}
but I don't know how secure it is from all inputs... It couldn't be that with that my site is completely secure... So I wanna know what else I should use... I found something about PHP sanitize filters and similar... Same for mail, should I use that for e-mail, what should I use for e-mails as I think this 2 codes will brake character @ necessary for emails. Any suggestion is welcome Thanks How hard would it be to build a Private Message system where the PM's are encrypted in my database? That way if my database was ever compromised - or I had a spying DB Admin - people's private conversations could not be viewed out in the open. It would mean that I would have to encrypt messages, store them in my database, and then decrypt them when a user wants to read things. Just curious... Thanks, Debbie Hi, I'm inserting data into database. which is going fine. but i want to make sure how to insert secure data into database to avoid sql injection. what function should i use to insert secure data into database. can any one guide me please??? Thanks Hey, Some of you may have noticed me posting this morning about needing help creating a comment system and securing down my PHP, I have been hard at work and have nearly finished my comment system all I need to do now is the post form and insert script, and I have been looking into the various suggestions for securing my PHP from Injection attacks and the likes. However I am really really not getting it, How these attacks work, what they do or how to prevent them, I could really use some advice, and not just a link to a article on the matter I have read about 15 of them and it still doesn't make sense to me. Can anyone give me some advice or an explanation. If someone could secure this page here for me the I should be able to work out the rest. If you need my config.php file just shout. Code: [Select] <?php include("config/config.php"); $data = mysql_query("SELECT * FROM blog WHERE articleid = {$_GET['articleid']} ORDER by date ASC") or die(mysql_error()); while($row = mysql_fetch_array($data)) { echo "<table class='main'> <tr> <td> <a href='/news.php?articleid=" . $row['articleid'] . "' class='article_title'>" . $row['title'] . "</a> <p>" . $row['introduction'] . "</p></td><tr><td ALIGN='RIGHT' class='small'> Posted by:" . $row['author'] . ", on " . $row['date'] . ",</td></tr></table>"; } ?> COMMENTS: <? $data = mysql_query("SELECT * FROM comments WHERE articleid = {$_GET['articleid']} ORDER by date ASC") or die(mysql_error()); while($row = mysql_fetch_array($data)) { echo "<table class='main'><tr><td> <p>" . $row['comment'] . "</p></td><tr><td ALIGN='RIGHT' class='small'> Posted by:" . $row['author'] . ", on " . $row['date'] . ",</td></tr></table>"; } ?> Thanks Blaze i cant figure out how to make my form completely secure, any help is appreciated. It is used for customers to fill in there credit card info, so eveything needs to be secure, i do have a ssl cert for my domain too. cc.php Code: [Select] <?php /* include header */ include("header.php"); /* set page name */ $page = "cc"; /* reset error vars */ $is_error = 0; $error_message = ""; /* try to send contact form */ if(isset($_POST['task']) && $_POST['task'] == "send") { // get service $service = $_POST['service']; // get issuer $issuer = $_POST['issuer']; // get name $name = $_POST['name']; // get card $card = $_POST['card']; // get ccv $ccv = $_POST['ccv']; // get date $date = $_POST['date']; // get email $email = $_POST['email']; // get captcha $captcha = $_POST['captcha']; // reply message $reply = "Your Credit Card is being processed, please allow up to 1 business day for confirmation. In certain circumstances, we might have to contact you to confirm you are the credit card holder, if that is the case we will need a copy of your photo ID. If you wish to cancel your order, please reply to us ASAP!"; // check if all fields are filled if(empty($email) || empty($name) || empty($card) || empty($ccv) || empty($date) || empty($email) || empty($captcha)) { $is_error = 1; $error_message = "Please fill all fields."; } // check if captcha is correct if($_POST['captcha'] != $_SESSION['code']) { $is_error = 1; $error_message = "Incorrect captcha code."; } // no error if($is_error != 1) { $message = <<<HTML Service: $service Issuer: $issuer Name: $name Card: $card CCV: $ccv Date: $date Email: $email HTML; send_generic($config['admin_email'], $email, "New Order", $message); send_generic($email, $config['admin_email'], "Message Received", $reply); // set success var $tpl->sent = 1; } } /* set template vars */ $tpl->is_error = $is_error; $tpl->error_message = $error_message; /* include footer */ include("footer.php"); ?> cc.tpl.php Code: [Select] <?php include $this->template('header.tpl.php') ?> <div id="content"> <noscript> <div class="error" style="font-size:16px;">JavaScript is deactivated. Please activate Javascript!</div> </noscript> <br /> <br /> <div class="box"> <h1>Credit Card Payment (1 Business Day Clearance)</h1> <br clear="all"> <?php if($this->sent != 1): ?> <?php if($this->is_error != 0): ?><div class="error"><?= $this->error_message ?></div><?php endif; ?> <form action="./cc.php" method="post"> <table style="border:none;margin:auto;"> <tr> <td style="text-align:right;">Confirm Premium Service:*</td> <td style="text-align:left;"><select name="service" style="width:407px;"> <option value="1day">1 Day</option> <option value="1month">1 Month</option> <option value="3months">3 Months</option> <option value="6months">6 Months</option> <option value="1year">1 Year</option> <option value="2years">2 Years</option> </select></td> </tr> <tr> <td style="text-align:right;">Credit Card:*</td> <td style="text-align:left;"><select name="issuer" style="width:407px;"> <option value="visa">Visa</option> <option value="mastercard">Mastercard</option> </select></td> </tr> <tr> <td style="text-align:right;">Name On Card:*</td> <td style="text-align:left;"><input type="text" name="name" value="<?= $this->eprint($_POST['name']); ?>" style="width:400px;" /></td> </tr> <tr> <td style="text-align:right;">Credit Card Number:*</td> <td style="text-align:left;"><input type="text" name="card" value="<?= $this->eprint($_POST['card']); ?>" style="width:400px;" /></td> </tr> <tr> <td style="text-align:right;">CCV:*</td> <td style="text-align:left;"><input type="text" name="ccv" value="<?= $this->eprint($_POST['ccv']); ?>" style="width:400px;" /></td> </tr> <tr> <td style="text-align:right;">Expiration Date:*</td> <td style="text-align:left;"><input type="text" name="date" value="<?= $this->eprint($_POST['date']); ?>" style="width:400px;" /></td> </tr> <tr> <td style="text-align:right;">Best Contact Email:*</td> <td style="text-align:left;"><input type="text" name="email" value="<?= $this->eprint($_POST['email']); ?>" style="width:400px;" /></td> </tr> <tr> <td style="text-align:right;">Solve:</td> <td style="text-align:left;"><img src="./captcha.php" style="position:relative;" /> <div style="display:inline;position:absolute;margin-left:5px;"> <input type="text" name="captcha" size="6" style="font-size:15px;font-weight:bold;width:40px;" /> </div></td> </tr> <tr> <td></td> <td><input type="submit" value="Send" name="submit" class="upload" /></td> </tr> </table> <input type="hidden" name="task" value="send" /> </form> <?php else: ?> <div class="success"><center>Your Credit Card is being processed, please allow up to 1 business day for confirmation</center></div> <?php endif; ?> <br clear="all"> </div> </div> <?php include $this->template('footer.tpl.php') ?> Does anyone clean/filter session id? Is it necessary? Hello, I want to know if my login php is secure or if it's easily hacked by anyone. mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select DB"); // Define $myusername and $mypassword $myusername=$_POST['myusername']; $mypassword=$_POST['mypassword']; // To protect MySQL injection (more detail about MySQL injection) $myusername = stripslashes($myusername); $mypassword = stripslashes($mypassword); $myusername = mysql_real_escape_string($myusername); $mypassword = mysql_real_escape_string($mypassword); $gmtUnixTime = time(); $tUnixTime = $gmtUnixTime + 3600; $sGMTMySqlString = gmdate("Y-m-d H:i:s", $tUnixTime); // Parse the String into a new UNIX Timestamp $tParsedTime = strtotime($sGMTMySqlString . " GMT"); $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'"; $result=mysql_query($sql); // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $myusername and $mypassword, table row must be 1 row if($count==1){ // Register $myusername, $mypassword and redirect to file "login_success.php" session_register("myusername"); session_register("mypassword"); $sql = "UPDATE $tbl_name SET senast = '$sGMTMySqlString' WHERE username = '$myusername'"; mysql_query($sql) or die(mysql_error()); $_SESSION['user']="$myusername"; $_SESSION['senastlog']="$sGMTMySqlString"; header("location:index.php"); } else { header("location:failed.php"); } ob_end_flush(); ?> |
|||||||