[PHP] Transfer to another server - my sessions don't work!

2002-10-08 Thread Adam Royle

Hi,

I transferred a small PHP site from my localhost to a new server 
(commercial server). However, after I transferred it over, my sessions 
would no longer work. Just as a test, here is some code I tried. 
Please tell me I'm doing it the wrong way. Also, at the bottom of this 
email is the info from phpinfo(), if that helps. If I echo 
$GLOBALS['PHPSESSID'] it looks like a regular session id. I can get the 
info on the first page after I have chucked it into the session, but it 
doesn't seem to get it when I go to the next page.

Thanks.
Adam

--- page1.php ---
<?php

session_start();

$_SESSION['adam'] = "something secret here";

?>
<a href="page2.php">Page 2</a>


--- page2.php ---
<?php

echo $_SESSION['adam']; // this doesn't do anything

echo "That's all."; // this prints fine

echo $PHPSESSID; // this prints fine

?>




Configure Command   './configure' '--with-mysql' 
'--with-apache=../apache_1.3.26' '--enable-track-vars' '--with-xml' 
'--enable-memory-limit=yes' '--enable-bcmath' '--with-gd=../gd-2.0.1' 
'--enable-gd-native-tt' '--enable-gd-imgstrttf' 
'--with-gdbm=/usr/include' '--enable-calendar' 
'--with-png-dir=/usr/lib' '--with-zlib-dir=/usr/include' 
'--with-freetype-dir=/usr/local/include/freetype2' 
'--with-jpeg-dir=/usr/local/lib' '--with-mcrypt' '--enable-trans-sid' 
'--with-sablot=/usr/local/lib' '--with-imap' '--enable-xslt' 
'--with-xslt-sablot' '--with-gettext' '--enable-sockets' '--enable-ftp' 
'--enable-sablot-errors-descriptive'

session
Session Support            enabled

Directive                  Local Value   Master Value
session.auto_start         Off           Off
session.cache_expire       180           180
session.cache_limiter      nocache       nocache
session.cookie_domain      no value      no value
session.cookie_lifetime    0             0
session.cookie_path        /             /
session.cookie_secure      Off           Off
session.entropy_file       no value      no value
session.entropy_length     0             0
session.gc_maxlifetime     1440          1440
session.gc_probability     1             1
session.name               PHPSESSID     PHPSESSID
session.referer_check      no value      no value
session.save_handler       files         files
session.save_path          /tmp          /tmp
session.serialize_handler  php           php
session.use_cookies        On            On
session.use_trans_sid      1             1

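The two-page flow above, as an added example that is not part of the original post. It runs both "pages" inside one PHP CLI process so the round trip can be exercised without a web server, hands the session id from page1 to page2 the way the PHPSESSID cookie would, and puts a page2 that omits session_start() (as the posted page2.php does) next to one that calls it. It assumes a current PHP (7.1 or later) and the default files save handler with a writable temporary directory, as in the phpinfo() output; it also switches session.use_trans_sid off explicitly, because with that setting on (1 in the phpinfo() above) PHP rewrites links to carry the session id in the URL, where it ends up in logs and Referer headers.

```php
<?php
// Added example, not from the original post. Both "pages" run in this one
// CLI process so the session round trip can be exercised without a web
// server. It assumes the files save handler and a writable temp directory.

ini_set('session.save_path', sys_get_temp_dir());
ini_set('session.use_cookies', '0');   // no browser here: the id is passed by hand below
ini_set('session.use_trans_sid', '0'); // do not let PHP rewrite links to carry the id
ini_set('session.cache_limiter', '');  // no cache headers needed on the CLI

// page1.php: start the session, store the secret, end the request.
function page1(): string
{
    session_start();
    $_SESSION['adam'] = 'something secret here';
    $id = session_id();
    session_write_close(); // writes the data to the session file
    $_SESSION = [];        // simulate the end of the request
    return $id;
}

// page2.php as posted: no session_start(), so nothing is loaded into
// $_SESSION and the id the client sent is never used.
function page2AsPosted(string $id): ?string
{
    return $_SESSION['adam'] ?? null;
}

// page2.php fixed: resume the session the client identified, then read it.
function page2Fixed(string $id): ?string
{
    session_id($id);  // on a real server the id arrives in the PHPSESSID cookie
    session_start();
    $value = $_SESSION['adam'] ?? null;
    session_write_close();
    return $value;
}

$id = page1();
var_dump(page2AsPosted($id));
var_dump(page2Fixed($id));
```

Run it with `php` from the command line: the first var_dump() shows NULL, the second shows the stored string. The only difference between the two page2 functions is the session_start() call; the session file written by page1 is there in both cases.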


[PHP] More On: Good Practice: Variables, Error Reporting and Security

2002-10-05 Thread Adam Royle

I very much appreciate the suggestions made by the people on this list, 
although for me, when developing, the less typing I have to do, the 
less errors I am bound to come across, and therefore the less debugging 
I must do. (Now, doesn't this seem sensible?)

Anyway, I have developed a function and incorporated Maxim's code 
(thank you) to make importing variables (into global scope) easier (with 
register_globals turned off).

I have it sitting in my lib.php which contains all common functions 
(database functions, etc) that I use with my scripts and is included on 
every page I write.

To use my function, simply write:

importVars($_GET, 'var1,var2,var3'); // this will get var1, var2 and 
var3 from the querystring
importVars($_SESSION); // this will import all session information

This was tested with error_reporting set to E_ALL. Often in my code I 
will do something like this.

if ($flag){
// do certain code relating to $flag
}

If $flag has not been initialized, this check will produce a NOTICE 
error, which appears if you are using E_ALL. So, my function will take 
all the variables you pass to it (through the comma-delimited string) 
and either import the variables (if they exist) or create an empty 
variable (zero-length string). This way you can do the check. I know 
some people will say you could just use if (isset($flag)), but I like 
to take advantage of PHP's automatic type conversion.

Another feature of my function is that if you don't supply a string of 
vars to import, it will bring in everything from that array. This lets 
people import all the variables they want, and they don't care about 
security, or are protecting it through other means (extensive var 
checks) etc.

i.e. importVars($_GET);

So I hope this stuff helps some people out there.

Also, can anyone see any problems with my function? (Performance-wise 
or security-wise).

Adam


/*
  Credit given to: Maxim Maletsky [EMAIL PROTECTED]
  Alter variables for the versions prior to 4.1.0
  NOTE: $_REQUEST global variable is NOT supported.
*/
if (strnatcasecmp('4.1.0', PHP_VERSION) >= 0) {
    foreach (array(
        '_GET'     => 'HTTP_GET_VARS',
        '_POST'    => 'HTTP_POST_VARS',
        '_COOKIE'  => 'HTTP_COOKIE_VARS',
        '_SESSION' => 'HTTP_SESSION_VARS',
        '_SERVER'  => 'HTTP_SERVER_VARS',
        '_ENV'     => 'HTTP_ENV_VARS',
        '_FILES'   => 'HTTP_POST_FILES'
    ) as $transvar['new'] => $transvar['old']) {
        // ${...} resolves the variable variable before the array index is applied
        if (isset(${$transvar['old']}) and is_array(${$transvar['old']})) {
            $GLOBALS[$transvar['new']] = ${$transvar['old']};
        }
    }
    // Unset transvar, we do not need it anymore.
    unset($transvar);
}

/*
function importVars()
Written by: Adam Royle [EMAIL PROTECTED]
Imports vars from $arrVarType into the global scope.
Example: importVars($_GET, 'page,ID,num');
Will create the three variables $page, $ID and $num, and will fill them 
with data from the querystring. If there is no data in the querystring, 
it will create a zero-length string.
*/
function importVars($arrVarType, $strVarList = '')
{
    if (!trim($strVarList)) {
        // import all variables from $arrVarType
        foreach ($arrVarType as $var => $value) {
            $GLOBALS[$var] = $value;
        }
    } else {
        // only import variables in $strVarList
        $arrVarList = explode(',', $strVarList);
        foreach ($arrVarList as $var) {
            $var = trim($var);
            if (isset($arrVarType[$var])) {
                $GLOBALS[$var] = $arrVarType[$var];
            } else {
                $GLOBALS[$var] = '';
            }
        }
    }
}


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
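On the security-wise part of the question above, an added example (not the poster's code) that reduces the wildcard branch of importVars() to its effect and puts it next to an allow-list alternative that imports only named variables, after validating them. The request array, the $isAdmin flag and the two validators are constructed for the demonstration; importChecked() returns an array instead of writing to $GLOBALS, so the caller decides what, if anything, becomes global.

```php
<?php
// Added example, not the poster's code. The request data, the $isAdmin flag
// and the validators below are constructed for the demonstration.

// The wildcard branch of the posted importVars(), reduced to its effect:
// every key the client sent becomes a global variable, exactly as
// register_globals = on would do.
function importAll(array $source): void
{
    foreach ($source as $var => $value) {
        $GLOBALS[$var] = $value;
    }
}

// Allow-list alternative. $spec maps a variable name to [default, validator].
// Anything not named in $spec is ignored, anything that fails its validator
// falls back to the default, and nothing is written to $GLOBALS.
function importChecked(array $source, array $spec): array
{
    $out = [];
    foreach ($spec as $name => [$default, $validate]) {
        $raw = $source[$name] ?? null;
        // $_GET values may be arrays (?id[]=1), so check the type first.
        $out[$name] = (is_string($raw) && $validate($raw)) ? $raw : $default;
    }
    return $out;
}

function isUnsignedInt(string $v): bool
{
    return ctype_digit($v);
}

function isSlug(string $v): bool
{
    return (bool) preg_match('/^[a-z0-9_-]{1,32}$/', $v);
}

// Constructed request: a client appended &isAdmin=1 to the query string.
$fakeGet = ['id' => '42', 'page' => 'home', 'isAdmin' => '1'];

// Application code that assumed $isAdmin is only ever set by its own
// authentication check, then used the wildcard import.
$isAdmin = false;
importAll($fakeGet);
var_dump($isAdmin);

// The same request through the allow-list: isAdmin is not in the spec,
// so the client cannot set it, and id/page are validated before use.
$vars = importChecked($fakeGet, [
    'id'   => ['',     'isUnsignedInt'],
    'page' => ['home', 'isSlug'],
]);
var_dump($vars);
```

Run from the command line, the first var_dump() shows that $isAdmin has become the string "1" taken straight from the query string; the second shows only id and page. The named-variable branch of the posted function (importVars($_GET, 'var1,var2')) already avoids the overwrite, since only listed names are touched; what it still lacks is the validation step, which is why importChecked() takes a validator per variable.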




Re: [PHP] More On: Good Practice: Variables, Error Reporting and Security

2002-10-05 Thread Adam Royle

What I mean is, by using functions to do the hard work for you, it is 
less common to make an obvious mistake. I have a couple of functions 
that I use in most of my scripts.

eg.

securityCheck(); // authenticates the user

dbConnect(); // connects to database with default parameters (in config 
file)

$sql = "SELECT * FROM tblName";
$data = GetData($sql, VARIABLES); // grabs data from db and puts in 
global scope

Now if you compare the above code to something which does all that 
manually, then you'll be typing a heck of an amount. If you have to 
search through a hundred lines of code, it would be more difficult than 
searching through 4 lines of code, don't you think? A lot of errors 
people make are spelling errors.

Like so:

$ymVar = $_GET['myVar'];

or

$myVar = $HTTP_POST_VAR[myVar];

Now if you did this:

importVars($_POST, 'myVar,foo,bar');

It would be much easier to debug because you only have to look at one 
line, because you know the function is working. If you don't see it in 
that one line, print_r($GLOBALS); might show you if the var is getting 
transferred, etc.

I know what you're saying about confusing code, where putting more than 
one statement on one line is difficult to debug, but that's different 
from targeting spelling errors.

Adam

On Sunday, October 6, 2002, at 07:57 AM, Sascha Cunz wrote:

> On Saturday, 5 October 2002 20:44, Adam Royle wrote:
>> I very much appreciate the suggestions made by the people on this list,
>> although for me, when developing, the less typing I have to do, the
>> less errors I am bound to come across, and therefore the less debugging
>> I must do. (Now, doesn't this seem sensible?)
>
> Well, have you ever read a perl script? :-)
> The shortest source is not the best in all cases. Consider that there
> will be times you must read the source again - well, the easier it is
> written (and structured), the easier you will see again how it works...
>
> --Sascha








[PHP] Good Practice: Variables, Error Reporting and Security

2002-10-04 Thread Adam Royle

Hi All,

I have been a subscriber of php-db for quite some time, and I have seen 
MANY people ask why their variables aren't being passed through, etc, 
due to register_globals, etc, blah blah blah

I have kept my eyes open reading all the material I can, and I 
understand the security implications of certain programming actions.

Like most programmers, I am lazy. I prefer to construct functions to do 
the hard work for me. Before the register_globals issue was widespread, 
I loved programming in PHP (compared to ASP), because of the automatic 
passing of variables from page to page (also, referencing undefined 
variables without a hitch). I had some techniques to deal with security, 
and other things, so register_globals = on wasn't such a big deal for me. 
But I acknowledge that if I do contract work for a business, and their 
server is set to

I have set my php.ini to E_ALL and register_globals = off, etc, 
although I don't want to have to do $var = $_GET['var'] for each 
variable I want imported. I have also noted people are using 
$HTTP_GET_VARS['var'] to allow for older PHP compatibility. But doing 
it this way reminds me too much of ASP.

Now, my question is, has anyone created functions or developed 
techniques to prevent obvious security breaches and also not collapse 
when using E_ALL? I have read somewhere that some people wrote a 
function which would accept an array of variable names (and 
get,post,session flag etc), and globalize all of those variables listed.

Such an example (i imagine) would be something like this:

import_vars( GET, array('id','var2','name') );

Now I don't think that I would have any troubles writing this sort of a 
function, although I was wondering if anyone had already considered 
this approach, or decided on a better solution. Really, I don't want to 
have to do isset(), etc on all my vars when using them. What I could 
deal with is having one line, where I list all the variables I use on 
the page, and it either imports it or creates an empty string if not 
found (therefore initializing it).

What do you all think of this approach?

PS. Sorry if this is talked about WAY too much on these lists, but I 
think this is a more informative thread for people who know about 
register_globals etc, but want scripting to be easier (and faster) with 
PHP, but still maintaining a good code structure (and sensible 
programming logic).

Adam

