Re: [PHP] Session variables does not get sent
On Mon, 6 Sep 2004 13:33:02 +0800, in php.general [EMAIL PROTECTED] (Jason Wong) wrote:

>> $username = trim(addslashes($_POST['user_name']));
>> $pass = trim(addslashes($_POST['password']));
>
> addslashes() is not needed as you're performing a SELECT query and not an INSERT query.

How did you come up with that? The escape mechanism is the same for SELECT and INSERT.

addslashes() is not needed if magic_quotes is enabled, though. But if it isn't, it could be easy to log in as another user, e.g. post:

other_user' OR user_name = 'foo

.. as user_name. In that case the attacker could log in as other_user.

--
- Peter Brodersen

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Session variables does not get sent
Dre wrote:
> and by the way .. I'm using MS Windows XP Pro. which I do believe that it has some hand in the problem :)

Like you did not change session.save_path setting in php.ini from /tmp to whatever it is supposed to be on Windows.

> Dre [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>> I do know this and what happens is that the $_SESSION array becomes empty once I redirect from the login page (after login) to another members' area page .. !!
>>
>> Marek Kilimajer [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>>> Dre wrote:
>>>> I don't know why but session variables do not get posted .. is there anything in the php.ini that I should configure as I can't find anything wrong in the code I'm using !!
>>>
>>> Session variables are not posted, they are kept on the server. Only the session id is sent as a cookie, get or post variable. Session variables are available in $_SESSION array
Re: [PHP] Session variables does not get sent
--- Jason Wong [EMAIL PROTECTED] wrote:
>> $username = trim(addslashes($_POST['user_name']));
>> $pass = trim(addslashes($_POST['password']));
>
> addslashes() is not needed as you're performing a SELECT query and not an INSERT query.

That's not true, since he's using user data in the SQL statement. The query method has nothing to do with whether data should be escaped.

Of course, addslashes() is sort of a last resort with regard to escaping data for use in a query. The more preferable options are those native to the database you're using, if they exist. MySQL users can use mysql_escape_string(), for example.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming Fall 2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/
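The point Peter Brodersen and Chris Shiflett make above, as an added example that is not code from the thread: the thread's query built by concatenation with the user_name value Peter quotes, beside the same lookup with bound parameters. It uses PDO bound parameters rather than the mysql_escape_string() call Chris mentions, because the mysql_* functions no longer exist in current PHP; the in-memory SQLite database, the sample rows and the function names login_concatenated() and login_prepared() are assumptions made for the example.

```php
<?php
// Added example, not from the thread. Constructed data: an in-memory SQLite
// table stands in for the thread's MySQL members_webdata table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members_webdata (user_name TEXT, password TEXT)");
$db->exec("INSERT INTO members_webdata VALUES ('other_user', 'secret1')");
$db->exec("INSERT INTO members_webdata VALUES ('foo', 'secret2')");

// The login check as posted in the thread, with no escaping applied
// (the magic_quotes-off case Peter describes).
function login_concatenated(PDO $db, string $user, string $pass): ?string
{
    $sql = "SELECT * FROM members_webdata WHERE user_name='" . $user
         . "' AND password='" . $pass . "'";
    $rows = $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    return count($rows) === 1 ? $rows[0]['user_name'] : null;
}

// Same check with bound parameters: the input is sent as data and never
// becomes part of the SQL text, for SELECT and INSERT alike.
function login_prepared(PDO $db, string $user, string $pass): ?string
{
    $stmt = $db->prepare(
        'SELECT user_name FROM members_webdata WHERE user_name = ? AND password = ?'
    );
    $stmt->execute([$user, $pass]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    return count($rows) === 1 ? $rows[0]['user_name'] : null;
}

// user_name value quoted in Peter's message, sent with a password that
// matches no row in the constructed table.
$user = "other_user' OR user_name = 'foo";
$pass = 'not-a-real-password';

// Concatenation turns the WHERE clause into
//   user_name='other_user' OR (user_name='foo' AND password='...')
// so the password test no longer applies to other_user.
var_dump(login_concatenated($db, $user, $pass));

// Bound parameters look for a user literally named "other_user' OR ...".
var_dump(login_prepared($db, $user, $pass));

// A legitimate login still works through the prepared statement.
var_dump(login_prepared($db, 'foo', 'secret2'));
```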
Re: [PHP] Session variables does not get sent
no I did this a long time ago (I did have this problem before :o) )

Marek Kilimajer [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Dre wrote:
>> and by the way .. I'm using MS Windows XP Pro. which I do believe that it has some hand in the problem :)
>
> Like you did not change session.save_path setting in php.ini from /tmp to whatever it is supposed to be on Windows.
>
>> Dre [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>>> I do know this and what happens is that the $_SESSION array becomes empty once I redirect from the login page (after login) to another members' area page .. !!
>>>
>>> Marek Kilimajer [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>>>> Dre wrote:
>>>>> I don't know why but session variables do not get posted .. is there anything in the php.ini that I should configure as I can't find anything wrong in the code I'm using !!
>>>>
>>>> Session variables are not posted, they are kept on the server. Only the session id is sent as a cookie, get or post variable. Session variables are available in $_SESSION array
Re: [PHP] Session variables does not get sent
Dre wrote:
> no I did this a long time ago (I did have this problem before :o) )

Try echo $_REQUEST[session_name()]; in members/main.php. It should print the session id. Then there should be a session file sess_[session id].

> Marek Kilimajer [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>> Dre wrote:
>>> and by the way .. I'm using MS Windows XP Pro. which I do believe that it has some hand in the problem :)
>>
>> Like you did not change session.save_path setting in php.ini from /tmp to whatever it is supposed to be on Windows.
>>
>>> Dre [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>>>> I do know this and what happens is that the $_SESSION array becomes empty once I redirect from the login page (after login) to another members' area page .. !!
>>>>
>>>> Marek Kilimajer [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>>>>> Dre wrote:
>>>>>> I don't know why but session variables do not get posted .. is there anything in the php.ini that I should configure as I can't find anything wrong in the code I'm using !!
>>>>>
>>>>> Session variables are not posted, they are kept on the server. Only the session id is sent as a cookie, get or post variable. Session variables are available in $_SESSION array
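The checks Marek Kilimajer asks for in this thread (is the session id sent, does session.save_path point at a usable directory, is there a sess_[session id] file), collected in one script as an added example that is not code from the thread. The function names session_dir() and session_report() are made up for it, and it assumes the default "files" session handler with no directory-depth levels for the sess_ file check.

```php
<?php
// Added example, not from the thread. Drop it next to members/main.php and
// request it in the same browser session that just logged in.

// session.save_path may be "/path", "N;/path" or "N;MODE;/path";
// the directory is always the last field. Empty means the system temp dir.
function session_dir(): string
{
    $parts = explode(';', (string) ini_get('session.save_path'));
    $dir = trim(end($parts));
    return $dir !== '' ? $dir : sys_get_temp_dir();
}

function session_report(): array
{
    $name = session_name();
    $dir  = session_dir();

    // The id the client sent back, as a cookie, GET or POST variable.
    $sent = $_COOKIE[$name] ?? $_GET[$name] ?? $_POST[$name] ?? null;

    // Only build a file path from an id made of session-id characters,
    // so a crafted value cannot point the check outside the session directory.
    $safe = is_string($sent) && preg_match('/^[A-Za-z0-9,-]+$/', $sent) === 1;
    $file = $safe ? $dir . DIRECTORY_SEPARATOR . 'sess_' . $sent : null;

    return [
        'save_handler'   => ini_get('session.save_handler'),
        'save_path'      => $dir,
        'dir_exists'     => is_dir($dir),
        'dir_writable'   => is_writable($dir),
        'session_name'   => $name,
        'id_received'    => $sent !== null,
        'id_well_formed' => $safe,
        'file_exists'    => $file !== null && is_file($file),
    ];
}

// Plain-text output; the received id itself is never echoed back.
header('Content-Type: text/plain');
foreach (session_report() as $key => $value) {
    echo str_pad($key, 16), var_export($value, true), "\n";
}
```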
Re: [PHP] Session variables does not get sent
On Monday 06 September 2004 14:08, Peter Brodersen wrote:
> On Mon, 6 Sep 2004 13:33:02 +0800, in php.general [EMAIL PROTECTED] (Jason Wong) wrote:
>>> $username = trim(addslashes($_POST['user_name']));
>>> $pass = trim(addslashes($_POST['password']));
>>
>> addslashes() is not needed as you're performing a SELECT query and not an INSERT query.
>
> How did you come up with that? The escape mechanism is the same for SELECT and INSERT.

Sorry, you're right. I'll go back to sleep now!

--
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design Hosting * Internet Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
A beautiful woman is a blessing from Heaven, but a good cigar is a smoke.
-- Kipling
*/
[PHP] Session variables does not get sent
I don't know why but session variables do not get posted .. is there anything in the php.ini that I should configure as I can't find anything wrong in the code I'm using !!
Re: [PHP] Session variables does not get sent
Dre wrote:
> I don't know why but session variables do not get posted .. is there anything in the php.ini that I should configure as I can't find anything wrong in the code I'm using !!

Session variables are not posted, they are kept on the server. Only the session id is sent as a cookie, get or post variable. Session variables are available in $_SESSION array
Re: [PHP] Session variables does not get sent
I do know this and what happens is that the $_SESSION array becomes empty once I redirect from the login page (after login) to another members' area page .. !!

Marek Kilimajer [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Dre wrote:
>> I don't know why but session variables do not get posted .. is there anything in the php.ini that I should configure as I can't find anything wrong in the code I'm using !!
>
> Session variables are not posted, they are kept on the server. Only the session id is sent as a cookie, get or post variable. Session variables are available in $_SESSION array
Re: [PHP] Session variables does not get sent
Dre wrote:
> I do know this and what happens is that the $_SESSION array becomes empty once I redirect from the login page (after login) to another members' area page .. !!

That means you are losing your session. Is the session id sent? Is the session file (usually in /tmp) created?

> Marek Kilimajer [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>> Dre wrote:
>>> I don't know why but session variables do not get posted .. is there anything in the php.ini that I should configure as I can't find anything wrong in the code I'm using !!
>>
>> Session variables are not posted, they are kept on the server. Only the session id is sent as a cookie, get or post variable. Session variables are available in $_SESSION array
Re: [PHP] Session variables does not get sent
Dre wrote:
> I do know this and what happens is that the $_SESSION array becomes empty once I redirect from the login page (after login) to another members' area page .. !!

Are you starting the session on every page? How are you sending the session id?

--
By-Tor.com
It's all about the Rush
http://www.by-tor.com
Re: [PHP] Session variables does not get sent
this is the username/password validation script which receives the user name and password from a regular form and they are sent correctly

logme_in.php
//== ==
<?php
session_start();
$username = trim(addslashes($_POST['user_name']));
$pass = trim(addslashes($_POST['password']));

if((empty($_POST['user_name'])) || (empty($_POST['password'])))
{
    header('Location: index.php');
    include("login_form");
    exit();
}
else{
    include("db.php");
    $sql = "SELECT * FROM members_webdata WHERE user_name='".$username."' AND password='".$pass."'";
    $result = mysql_query($sql);
    $num_return = mysql_num_rows($result);
    if($num_return ==1)
    {
        $row = mysql_fetch_array($result);
        $_SESSION['uname'] = $row['user_name'];
        echo "<a href=\"members/main.php\">"."CLICK HERE TO GO TO MEMBERS SECTION";
        echo "</a>";
        //session_write_close();
        // header('Location: members/main.php'."?_SESSION['uname']=". $row['user_name']);
    }
    else
    {
    }
}
?>

// this is the page I try to open after logging in but it behaves like if I'm not logged at all

members/main.php
//
<?php
session_start();
$user_name = $_SESSION['uname'];
if(empty($user_name))
{header('Location: ../../login_first.php');
    exit();
}
else{// print_r($HTTP_SESSION_VARS['uname']);
}
?>
<html> ... </html>
//
//

Dre [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> I do know this and what happens is that the $_SESSION array becomes empty once I redirect from the login page (after login) to another members' area page .. !!
>
> Marek Kilimajer [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>> Dre wrote:
>>> I don't know why but session variables do not get posted .. is there anything in the php.ini that I should configure as I can't find anything wrong in the code I'm using !!
>>
>> Session variables are not posted, they are kept on the server. Only the session id is sent as a cookie, get or post variable. Session variables are available in $_SESSION array
Re: [PHP] Session variables does not get sent
and by the way .. I'm using MS Windows XP Pro. which I do believe that it has some hand in the problem :)

Dre [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> I do know this and what happens is that the $_SESSION array becomes empty once I redirect from the login page (after login) to another members' area page .. !!
>
> Marek Kilimajer [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>> Dre wrote:
>>> I don't know why but session variables do not get posted .. is there anything in the php.ini that I should configure as I can't find anything wrong in the code I'm using !!
>>
>> Session variables are not posted, they are kept on the server. Only the session id is sent as a cookie, get or post variable. Session variables are available in $_SESSION array
Re: [PHP] Session variables does not get sent
Dre wrote:
<snip>
> if((empty($_POST['user_name'])) || (empty($_POST['password'])))
> {
>     header('Location: index.php');
>     include("login_form");
>     exit();
> }

That include is useless, as you're forwarding to another document right before it.

> else{
>     include("db.php");
>     $sql = "SELECT * FROM members_webdata WHERE user_name='".$username."' AND password='".$pass."'";
>     $result = mysql_query($sql);
>     $num_return = mysql_num_rows($result);
>     if($num_return ==1)
>     {
>         $row = mysql_fetch_array($result);
>         $_SESSION['uname'] = $row['user_name'];

Are you sure $row['user_name'] has a value?

--
By-Tor.com
It's all about the Rush
http://www.by-tor.com
Re: [PHP] Session variables does not get sent
yes I'm sure

John Nichel [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Dre wrote:
> <snip>
>> if((empty($_POST['user_name'])) || (empty($_POST['password'])))
>> {
>>     header('Location: index.php');
>>     include("login_form");
>>     exit();
>> }
>
> That include is useless, as you're forwarding to another document right before it.
>
>> else{
>>     include("db.php");
>>     $sql = "SELECT * FROM members_webdata WHERE user_name='".$username."' AND password='".$pass."'";
>>     $result = mysql_query($sql);
>>     $num_return = mysql_num_rows($result);
>>     if($num_return ==1)
>>     {
>>         $row = mysql_fetch_array($result);
>>         $_SESSION['uname'] = $row['user_name'];
>
> Are you sure $row['user_name'] has a value?
>
> --
> By-Tor.com
> It's all about the Rush
> http://www.by-tor.com
Re: [PHP] Session variables does not get sent
Dre wrote:
> yes I'm sure

Won't hurt to echo it out.

--
By-Tor.com
It's all about the Rush
http://www.by-tor.com
Re: [PHP] Session variables does not get sent
Please do not top post.

On Monday 06 September 2004 06:53, Dre wrote:

As well as what everybody else has said ...

> $username = trim(addslashes($_POST['user_name']));
> $pass = trim(addslashes($_POST['password']));

addslashes() is not needed as you're performing a SELECT query and not an INSERT query.

> $sql = "SELECT * FROM members_webdata WHERE user_name='".$username."' AND password='".$pass."'";

$sql = "SELECT * FROM members_webdata WHERE user_name='$username' AND password='$pass'";

Much easier on the eyes.

--
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design Hosting * Internet Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
Of course you have a purpose -- to find a purpose.
*/