PHP - Weird Session Anomaly

I'm making a simple login system with MySQL and PHP (very simple, I'm just starting with PHP). The MySQL portion is done, but I need to ensure only people who are logged in can see certain content.

To check if people are logged in, my website checks that they have the $_SESSION['user'] variable set. If it is set, then it lets them continue through the website, if not, it tells them to login. Is that enough security, or can people simply inject a session cookie into their browser to spoof that they are logged in?

My idea was to generate a session key cookie when they login (just a random string of letters and numbers) and store that in the database, then on every page, check to make sure their session key is the same thing that's in the database. Is this necessary? It seems expensive.

Evening!

I've been iffing and ahhing over this and well im not too sure, hence the post.

Code: [Select]
// Redirects if there is no session id selected and echos the error on the previous page
if(!isset($_GET['get']) || ($_GET['getget'])){
header("Location: #.php?error");
}
So it should simply check if get is set if it isnt then see if getget is set?

If not redirect and show the error.

Now ive tried it and even when get/getget is set it still redirects, probably something silly. Care to share anyone?

Harry.

Just curious how other people feel about this.  I am working on an application where a lot of info is pulled from MySQL and needed on multiple pages.     Would it make more sense to...   1.  Pull all data ONCE and store it in SESSION variables to use on other pages    2.  Pull the data from the database on each new page that needs it   I assume the preferred method is #1, but maybe there is some downside to using SESSION variables "too much"?   Side question that's kind of related:  As far as URLs, is it preferable to have data stored in them (i.e. domain.com/somepage.php?somedata=something&otherdata=thisdata) or use SESSION variables to store that data so the URLs can stay general/clean (i.e. domain.com/somepage.php)?   Both are probably loaded questions but any possible insight would be appreciated.   Thanks! Greg
Edited by galvin, 04 November 2014 - 10:30 AM.

Dear all,

I updated my versions of php/MySQL and OS to Windows 7 Professional and weird "Warnings and Notices:" started popping up. E.g.

Code: [Select]
"Notice: Undefined index: page in C:\Server\htdocs\domain\index.php on line 25 "
Code: [Select]
Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'America/New_York' for '-4.0/DST' instead in C:\Server\htdocs\domain\index.php on line 12 "
I don't know what is going on. Unless I enter these following functions (error_reporting(0);, session_start() with their parameters these warnings display. Can anyone offer any advice?

Any assistance is appreciated.

 

this works
Code: [Select]
<form action="" method="post">
<input name="DepartureDate" type="text">
<input name="" type="submit"></form>
<?php
$DepartureDate=$_POST['DepartureDate'];

 echo  $DepartureDate = stripslashes($DepartureDate); // sql inject clean
$regex = "/^[a-z]+$/";
if (!preg_match($regex, $DepartureDate)){
echo 'CAPS BABY!';}
else
{echo 'OK!';}
?>

this doesnt
Code: [Select]
if (!preg_match($regex, $DepartureDate)) {
    mail($to, $subject, $message, $headers);

echo $url_success = "confirmation.php";
//echo("<meta http-equiv = refresh content=0;url=".$url_success.">");
   }
 
  else {
 

exit();



  }

Okay, so basically my news-like site is supposed to print out article data saved in the database.  It does that quite alright, except on the 3rd article (number 2 in SQL rows or columns.  whichever it is.   I have my counter subtract 1 from the start article to compensate for MySQL)

My code:
Code: [Select]
<?php
print "<div class = 'menu' align='center'>Newest Stories</div>";

if (isset($_REQUEST['mstart']))
{
$start=$_REQUEST['mstart'];
}
else
{
$start=1;
}
if ($start)
{
$start=1;
}

$start--;
$end=$start+5;
$stories = mysql_query("SELECT * FROM stories ORDER BY id DESC LIMIT $start, $end") or die(mysql_error());
$num = mysql_num_rows($stories);
$start++;

if ($num > 0)
{
if ($num<$end)
{
  $end = $end-(5-$num);
}
print "<b><i>Showing stories $start to $end</i></b>";



for ($count=0; $count<$num; $count++)
{
print "<hr>";
$story = mysql_fetch_array($stories,$count);
$id = $story['id'];
$headline = $story['headline'];
$author = $story['author'];
$desc = $story['description'];
$content = $story['content'];

print "COUNT: $count OF $num ($id)<br>";
print "<a href='index.php?request=story&mstart=$start&story=$id' class='headlinelink'>$headline</a><br>";
print "<div class='author'>Posted by: <a href='index.php?request=author&mstart=$start&author=$author' class='author'>$author</a>.</div>";
print "<div class='desc'>$desc</div><br>";
}

}
else
{
print "Error.  No stories found. :(";
}

?>

Output: (The COUNT x OF y was to help me figure out what is wrong.  In the () by it is the id number of the corresponding MySQL row/column.  I even deleted one of the articles to see if it was a specific article error.  No luck.)

Quote

Newest Stories
Showing stories 1 to 5
----------------
COUNT: 0 OF 5 (6)
Y U NO STAY
Posted by: craigory83.
GRRR

----------------
COUNT: 1 OF 5 (5)
h-l!
Posted by: craigory83.
desc

----------------
Notice: Undefined index: id in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\dba\menu.php on line 37

Notice: Undefined index: headline in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\dba\menu.php on line 38

Notice: Undefined index: author in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\dba\menu.php on line 39

Notice: Undefined index: description in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\dba\menu.php on line 40

Notice: Undefined index: content in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\dba\menu.php on line 41
COUNT: 2 OF 5 ()

Posted by: .

----------------
COUNT: 3 OF 5 (2)
This is the second story!
Posted by: TDWP83.
See, I fuckin told you so!


Warning: mysql_fetch_array() [function.mysql-fetch-array]: The result type should be either MYSQL_NUM, MYSQL_ASSOC or MYSQL_BOTH in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\dba\menu.php on line 36

----------------
COUNT: 4 OF 5 (1)
This is the mother fucking headline!
Posted by: craigory83.
stuff stuff stuff stuff stuff stuff stuff stuff stuff stuff stuff stuff stuff stuff stuff stuff stuff stuff stuff stuff stuff stuff stuff stuff stuff stuff stuff

How can you prevent your browser from caching a page? I think that my news feed is being cached and is causing new posts to not be displayed even after a refresh. Eventually, the posts will show up after about 20 refreshes. I know my query is right so I didn't know if there was a way to stop page caching.

I don't really know if it is a caching issue though. I'm starting to think I just have some weird bug in my code because sometimes on refresh news feed items get removed then i'll refresh again and some will get added back in then i'll refresh again and they'll all be there. Ever heard of this happening?

I have a development machine running WAMP on a win7 64 bit box. php 5.3.13 I have a server that runs Apache 2.2, php 5.3.12 MySql, etc.   I am running joomla 2.5.27 on both machines. I require a number of php includes to many of the joomla articles (this works great via a plugin called Directphp)   After considerable time getting the site fully working on the dev machine, I ran into an unforseen problem when I uploaded to the production box. For some unknown reason, the includes work fine on the dev machine using $DOCUMENT_ROOT to define the root (then tag the correct path and file to this) However, on the production box, this doesn't work - but...  $_SERVER['DOCUMENT_ROOT'] does.   Annoyingly, $_SERVER['DOCUMENT_ROOT'] won't work on the dev machine - and $DOCUMENT_ROOT doesn't work on the production box.   So, I can't come up with a generic method to keep both machines happy. I've checked the php.ini files on both boxes and the register global is OFF on both.   They also seem to interperate the syntax differently in the actual include files - one box hates double quotes - the other has issues with single quotes. This is really annoying as most of the includes are HTML snippets, coded into php. The double/single quote problem means I would need to have two versions of the include files.   Can anyone help me with this? - serious hair pulling has started!        

tore the forum apart looking for a solution to this one.  for some reason, this is generating an 'unexpected $end' error.  this is ALL the code.  in entirety. i was just messing around getting familiar with filesystem stuff.  no short tags.  no curly brackets.  so...

Code: [Select]
<?php
$fileHandler = fopen("someFile.txt", 'w') or die ("could not create file");
$text = <<<_END
drop some text
and some stuff
plus this stuff
some other stuff

_END;
fwrite($fileHandler, $text) or die ("could not write to file");
fclose($fileHandler);
echo "File 'someFile.txt' written successfully";
?>

thanks people.  this has be stumped.  not like its complicated, eh?  and as you can see, screws up the colour coding as well... but WHY!?!?

WR!

Hey guys, how are you. I have an odd problem and I am not sure what is causing it. I recently finished my form system, with PHP validation that sends the  inputted information via email. Now, everything is working fine on my end with absolutely no issues, but it is not working on any other computers, even though my computer is in no way hosting the files.

Now, the issue other computers are getting is when the form is filled out it doesn't redirect to the success page, it redirects back to the form page with nothing filled out and it doesn't display the errors on the page. Any idea on what might be causing this?

Again, EVERYTHING works flawlessly on my end, that being, the display of any errors, the proper redirect, everything.

Thanks!!!

I'm inserting some data from a CSV file into a database. I'm using mysql_real_escape_string to escape a string and getting some really weird output.

ex.

input string = Adobe CS5
output = \0\0A\0d\0o\0b\0e\0 \0C\0S\05

I plugged the string into mb_detect_encoding and it told me it was in ASCII and I did a bunch of searching to find out that \0 is a null byte. The only thing I can't figure out is how to convert it to something that won't give me that garbage when I run it through mysql_real_escape_string.

I tried mb_convert_encoding($str,"ISO-8859-1","ASCII") and it didn't do anything.

Anyone know something I can try??

I've got some PHP code that accesses SQL on an Amazon cloud server. Other machines running Unix and Windows can perform accesses fine using the server name (IP for Windows, label for Unix), database name (string) and a password (string).  However, the same code FAILS on OSX (my Macbook Pro).

SQL managers on my MBP have no problem accessing it, since I've made the proper exceptions on the AWS firewall.  But PHP can't do any MS SQL reads of this database.

Is there something else I don't know?  Is there some other key information being exchanged that my MBP needs to send that I can't see?

TIA!!

I have a function that contains 2 UPDATE commands. One updates a table whenever the function is ran. The second updates only if a condition is met.

When the page loads the function is ran. For some reason the table is updated twice. So my table looks like this:

Initially
Viewed: 0 Replies: 0

Navigate to page:
Viewed:2 Replies:0

Enter a reply and submit:
Veiwed:4 Replies:1

No matter where I move the "viewed +1" code, it fires twice per page impression. Is this a glitch? Do functions run twice for some reason? If so why doesn't "reply +1" fire twice?



//page loads as forum.php?goto=innertopic
function connectForum(){
     //connects DB
     if($_GET['goto'] == "innertopic"){
          detailTopic();
     }
}
function detailTopic(){
     if(isset($_POST['content']{ //if there is a reply to a post
          mysql_query("UPDATE topics SET Replies=Replies+1") //works fine
     }
     else{ //no reply, just show all posts
          mysql_query("UPDATE topics SET Views=Views+1") //fires 2 times per page load .. ?!?!?
          //show posts
          //show reply window, posts to forum.php?goto=innertopic&&content=whateverTheUserTyped
     }
}

//html of page

if($_GET['goto'] == "innertopic"){
     connectForum();
}

Hi,

I was looking around the web for a image resizer script and I came across this one.
http://www.scriptol.com/scripts/thumbnail-maker.php

The weird thing is, it says to use this syntax to get it to work
php resizer.php -j myimage.png 

Well.. I don't seem to understand how that makes it work, Normally I would run a php script by looking for it's main function and running it like:

mainfunction();

Maybe I'm interpreting it wrong,  but how is this script suppose to run?