Re: [PHP] Session variables does not get sent

2004-09-06 Thread Peter Brodersen
On Mon, 6 Sep 2004 13:33:02 +0800, in php.general
[EMAIL PROTECTED] (Jason Wong) wrote:

   $username = trim(addslashes($_POST['user_name']));
   $pass = trim(addslashes($_POST['password']));

addslashes() is not needed as you're performing SELECT query and not an INSERT 
query.

How did you come up with that? The escape mechanism is the same for
SELECT and INSERT.

addslashes() is not needed if magic_quotes is enabled, though. But if
it isn't, it could be easy to login as another user, e.g. post:

other_user' OR user_name = 'foo

.. as user_name.

In that case the attacker could login as other_user.

-- 
- Peter Brodersen

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Session variables does not get sent

2004-09-06 Thread Marek Kilimajer
Dre wrote:
and by the way ..
I'm using MS Windows XP Pro. which I do believe that it has some hand in the
problem :)
Like you did not change session.save_path setting in php.ini from /tmp 
to whatever it is supposed to be on windows.


Dre [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
I do know this
and what happens is that the $_SESSION array becomes empty once I redirect
from the login page (after login) to another members' area page .. !!
Marek Kilimajer [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Dre wrote:
I don't know why but session variables do not get posted .. is there
anything in the php.ini that I should configure as
I can't find anything wrong in the code I'm using !!
Session variables are not posted, they are kept on the server. Only the
session id is sent as a cookie, get or post variable. Session variables
are available in $_SESSION array



Re: [PHP] Session variables does not get sent

2004-09-06 Thread Chris Shiflett
--- Jason Wong [EMAIL PROTECTED] wrote:
  $username = trim(addslashes($_POST['user_name']));
  $pass = trim(addslashes($_POST['password']));
 
 addslashes() is not needed as you're performing SELECT query
 and not an INSERT query.

That's not true, since he's using user data in the SQL statement. The
query method has nothing to do with whether data should be escaped.

Of course, addslashes() is sort of a last resort with regard to escaping
data for use in a query. The more preferable options are those native to
the database you're using, if they exist. MySQL users can use
mysql_escape_string(), for example.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
 Coming Fall 2004
HTTP Developer's Handbook - Sams
 http://httphandbook.org/
PHP Community Site
 http://phpcommunity.org/
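An added example, not code from the thread or from Dre's script: it builds the login query the way logme_in.php does, for the user_name value Peter posted, once with no escaping and once with addslashes(), and then shows the parameterised mysqli form that needs no escaping at all (the modern successor of the mysql_escape_string() Chris mentions). Table and column names are taken from Dre's script; the commented-out connection details are placeholders.

```php
<?php
// Added example, not code from the thread. Shows the query that Dre's
// logme_in.php would send for the user_name value Peter posted, first
// with no escaping (magic_quotes off, no addslashes) and then with
// addslashes(), and finally the parameterised form that needs no escaping.

function build_query_raw(string $user, string $pass): string
{
    // String concatenation exactly as in logme_in.php, minus addslashes().
    return "SELECT * FROM members_webdata WHERE user_name='" . $user
         . "' AND password='" . $pass . "'";
}

function build_query_addslashes(string $user, string $pass): string
{
    // What the posted script does. addslashes() is a generic PHP escape, not
    // a MySQL-aware one: it double-escapes when magic_quotes_gpc is on and is
    // wrong under sql_mode NO_BACKSLASH_ESCAPES, hence Chris's advice to use
    // the database's own escape function instead.
    return build_query_raw(addslashes($user), addslashes($pass));
}

function lookup_user_prepared(mysqli $db, string $user, string $pass): ?string
{
    // Parameterised query: the driver sends the values separately from the
    // statement text, so a quote in the input can never alter the WHERE clause.
    $stmt = $db->prepare(
        'SELECT user_name FROM members_webdata WHERE user_name = ? AND password = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $user, $pass);
    $stmt->execute();
    $stmt->bind_result($name);
    $found = $stmt->fetch() ? $name : null;   // at most one row is expected
    $stmt->close();
    return $found;
}

// The user_name value from Peter's post, with an arbitrary password.
$user = "other_user' OR user_name = 'foo";
$pass = 'wrong';

echo build_query_raw($user, $pass), "\n";
// Unescaped, the quote closes the literal early; AND binds tighter than OR,
// so the WHERE clause is satisfied by other_user's row whatever the password.
echo build_query_addslashes($user, $pass), "\n";
// With addslashes() the quote stays inside the literal and no row matches.

// Placeholder connection (hypothetical host/credentials, not from the thread):
// $db = new mysqli('db.example', 'webuser', 'secret', 'webdata');
// var_dump(lookup_user_prepared($db, $user, $pass));
```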




Re: [PHP] Session variables does not get sent

2004-09-06 Thread Dre
no I did this a long time ago
(I did have this problem before :o) )

Marek Kilimajer [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Dre wrote:
  and by the way ..
  I'm using MS Windows XP Pro. which I do believe that it has some hand in
the
  problem :)

 Like you did not change session.save_path setting in php.ini from /tmp
 to whatever it is supposed to be on windows.

 
 
  Dre [EMAIL PROTECTED] wrote in message
  news:[EMAIL PROTECTED]
 
 I do know this
 and what happens is that the $_SESSION array becomes empty once I redirect
 from the login page (after login) to another members' area page .. !!
 
 
 Marek Kilimajer [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]
 
 Dre wrote:
 
 I don't know why but session variables do not get posted .. is there
 anything in the php.ini that I should configure as
 I can't find anything wrong in the code I'm using !!
 
 
 Session variables are not posted, they are kept on the server. Only the
 session id is sent as a cookie, get or post variable. Session variables
 are available in $_SESSION array
 
 




Re: [PHP] Session variables does not get sent

2004-09-06 Thread Marek Kilimajer
Dre wrote:
no I did this a long time ago
(I did have this problem before :o) )
Try echo $_REQUEST[session_name()]; in members/main.php. It should print 
the session id. Then there should be a session file sess_[session id].

Marek Kilimajer [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Dre wrote:
and by the way ..
I'm using MS Windows XP Pro. which I do believe that it has some hand in
the
problem :)
Like you did not change session.save_path setting in php.ini from /tmp
to whatever it is supposed to be on windows.

Dre [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]

I do know this
and what happens is that the $_SESSION array becomes empty once I redirect
from the login page (after login) to another members' area page .. !!

Marek Kilimajer [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]

Dre wrote:

I don't know why but session variables do not get posted .. is there
anything in the php.ini that I should configure as
I can't find anything wrong in the code I'm using !!
Session variables are not posted, they are kept on the server. Only the
session id is sent as a cookie, get or post variable. Session variables
are available in $_SESSION array

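An added diagnostic, not code from the thread, that runs the checks Marek suggests (is the session id sent back, does the sess_ file exist under session.save_path) and also reports the cookie parameters John asks about. It assumes the default files save handler and is meant to be dropped at the top of members/main.php while debugging.

```php
<?php
// Added diagnostic, not code from the thread. Run it at the top of
// members/main.php to see which of Marek's checks fails: did the client
// send a session id, and does the matching sess_ file exist under
// session.save_path. A stale "/tmp" save_path on Windows shows up here
// as a directory that does not exist or is not writable.
session_start();

function session_save_dir(): string
{
    $path = (string) ini_get('session.save_path');
    // The setting may be "N;/path" or "N;mode;/path"; the directory is last.
    $parts = explode(';', $path);
    $dir = trim((string) end($parts));
    // Empty means PHP falls back to the system temp directory.
    return $dir === '' ? sys_get_temp_dir() : $dir;
}

function session_diagnostics(): array
{
    $name = session_name();                       // "PHPSESSID" by default
    // The id the client sent back, via cookie or (with use_trans_sid) URL/form.
    $sent = $_COOKIE[$name] ?? $_GET[$name] ?? $_POST[$name] ?? null;
    $dir  = session_save_dir();
    $file = rtrim($dir, '/\\') . DIRECTORY_SEPARATOR . 'sess_' . session_id();
    return [
        'session_name'   => $name,
        'id_from_client' => $sent,      // null: every request starts a fresh session
        'id_in_use'      => session_id(),
        'ids_match'      => $sent !== null && $sent === session_id(),
        'save_handler'   => ini_get('session.save_handler'),
        'save_path'      => $dir,
        'path_writable'  => is_dir($dir) && is_writable($dir),
        'file_exists'    => file_exists($file),   // meaningful for the files handler only
        'cookie_params'  => session_get_cookie_params(),  // path/domain must cover members/
    ];
}

foreach (session_diagnostics() as $key => $value) {
    printf("%-15s %s\n", $key, var_export($value, true));
}
```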



Re: [PHP] Session variables does not get sent

2004-09-06 Thread Jason Wong
On Monday 06 September 2004 14:08, Peter Brodersen wrote:
 On Mon, 6 Sep 2004 13:33:02 +0800, in php.general

 [EMAIL PROTECTED] (Jason Wong) wrote:
$username = trim(addslashes($_POST['user_name']));
$pass = trim(addslashes($_POST['password']));
 
 addslashes() is not needed as you're performing SELECT query and not an
  INSERT query.

 How did you come up with that? The escape mechanism is the same for
 SELECT and INSERT.

Sorry, you're right. I'll go back to sleep now!

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
A beautiful woman is a blessing from Heaven, but a good cigar is a smoke.
-- Kipling
*/




[PHP] Session variables does not get sent

2004-09-05 Thread Dre
I don't know why but session variables do not get posted .. is there
anything in the php.ini that I should configure as
I can't find anything wrong in the code I'm using !!




Re: [PHP] Session variables does not get sent

2004-09-05 Thread Marek Kilimajer
Dre wrote:
I don't know why but session variables do not get posted .. is there
anything in the php.ini that I should configure as
I can't find anything wrong in the code I'm using !!
Session variables are not posted, they are kept on the server. Only the 
session id is sent as a cookie, get or post variable. Session variables 
are available in $_SESSION array



Re: [PHP] Session variables does not get sent

2004-09-05 Thread Dre
I do know this
and what happens is that the $_SESSION array becomes empty once I redirect
from the login page (after login) to another members' area page .. !!


Marek Kilimajer [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Dre wrote:
  I don't know why but session variables do not get posted .. is there
  anything in the php.ini that I should configure as
  I can't find anything wrong in the code I'm using !!
 

 Session variables are not posted, they are kept on the server. Only the
 session id is sent as a cookie, get or post variable. Session variables
 are available in $_SESSION array




Re: [PHP] Session variables does not get sent

2004-09-05 Thread Marek Kilimajer
Dre wrote:
I do know this
and what happens is that the $_SESSION array becomes empty once I redirect
from the login page (after login) to another members' area page .. !!
That means you are losing your session. Is the session id sent? Is the 
session file (usually in /tmp) created?

Marek Kilimajer [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Dre wrote:
I don't know why but session variables do not get posted .. is there
anything in the php.ini that I should configure as
I can't find anything wrong in the code I'm using !!
Session variables are not posted, they are kept on the server. Only the
session id is sent as a cookie, get or post variable. Session variables
are available in $_SESSION array



Re: [PHP] Session variables does not get sent

2004-09-05 Thread John Nichel
Dre wrote:
I do know this
and what happens is that the $_SESSION array becomes empty once I redirect
from the login page (after login) to another members' area page .. !!
Are you starting the session on every page?  How are you sending the 
session id?

--
By-Tor.com
It's all about the Rush
http://www.by-tor.com


Re: [PHP] Session variables does not get sent

2004-09-05 Thread Dre
this is the username/password validation script which receives the user name
and password from a regular form
and they are sent correctly

logme_in.php
//================================================================
<?php
  session_start();
  $username = trim(addslashes($_POST['user_name']));
  $pass = trim(addslashes($_POST['password']));

  if((empty($_POST['user_name'])) || (empty($_POST['password'])))
  {
   header('Location: index.php');
   include("login_form");
   exit();
  }
  else{
   include("db.php");
   $sql = "SELECT * FROM  members_webdata WHERE user_name='".$username."'
AND password='".$pass."'";
   $result = mysql_query($sql);
   $num_return = mysql_num_rows($result);

   if($num_return ==1)
   {
    $row = mysql_fetch_array($result);
    $_SESSION['uname'] = $row['user_name'];

    echo "<a href=\"members/main.php\">"."CLICK HERE TO GO TO MEMBERS SECTION";
    echo "</a>";
    //session_write_close();
    // header('Location: members/main.php'."?_SESSION['uname']=".$row['user_name']);
   }
   else {
   }
  }

?>
//================================================================
this is the page I try to open after logging in but it behaves like if I'm
not logged at all

members/main.php
//================================================================
<?php session_start();
 $user_name = $_SESSION['uname'];
 if(empty($user_name))
 {header('Location: ../../login_first.php');
  exit();
 }
 else{// print_r($HTTP_SESSION_VARS['uname']);
 }
?>
<html>
...
</html>
//================================================================

Dre [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 I do know this
 and what happens is that the $_SESSION array becomes empty once I redirect
 from the login page (after login) to another members' area page .. !!


 Marek Kilimajer [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]
  Dre wrote:
   I don't know why but session variables do not get posted .. is there
   anything in the php.ini that I should configure as
   I can't find anything wrong in the code I'm using !!
  
 
  Session variables are not posted, they are kept on the server. Only the
  session id is sent as a cookie, get or post variable. Session variables
  are available in $_SESSION array




Re: [PHP] Session variables does not get sent

2004-09-05 Thread Dre
and by the way ..
I'm using MS Windows XP Pro. which I do believe that it has some hand in the
problem :)


Dre [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 I do know this
 and what happens is that the $_SESSION array becomes empty once I redirect
 from the login page (after login) to another members' area page .. !!


 Marek Kilimajer [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]
  Dre wrote:
   I don't know why but session variables do not get posted .. is there
   anything in the php.ini that I should configure as
   I can't find anything wrong in the code I'm using !!
  
 
  Session variables are not posted, they are kept on the server. Only the
  session id is sent as a cookie, get or post variable. Session variables
  are available in $_SESSION array




Re: [PHP] Session variables does not get sent

2004-09-05 Thread John Nichel
Dre wrote:
<snip>
  if((empty($_POST['user_name'])) || (empty($_POST['password'])))
  {
   header('Location: index.php');
   include("login_form");
   exit();
  }
That include is useless, as you're forwarding to another document right 
before it.

  else{
   include("db.php");
   $sql = "SELECT * FROM  members_webdata WHERE user_name='".$username."'
AND password='".$pass."'";
   $result = mysql_query($sql);
   $num_return = mysql_num_rows($result);
   if($num_return ==1)
   {
    $row = mysql_fetch_array($result);
    $_SESSION['uname'] = $row['user_name'];
Are you sure $row['user_name'] has value?
--
By-Tor.com
It's all about the Rush
http://www.by-tor.com


Re: [PHP] Session variables does not get sent

2004-09-05 Thread Dre
yes I'm sure

John Nichel [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Dre wrote:
 <snip>
    if((empty($_POST['user_name'])) || (empty($_POST['password'])))
    {
     header('Location: index.php');
     include("login_form");
     exit();
    }

 That include is useless, as you're forwarding to another document right
 before it.

    else{
     include("db.php");
     $sql = "SELECT * FROM  members_webdata WHERE
user_name='".$username."'
     AND password='".$pass."'";
     $result = mysql_query($sql);
     $num_return = mysql_num_rows($result);

     if($num_return ==1)
     {
      $row = mysql_fetch_array($result);
      $_SESSION['uname'] = $row['user_name'];

 Are you sure $row['user_name'] has value?

 -- 
 By-Tor.com
 It's all about the Rush
 http://www.by-tor.com




Re: [PHP] Session variables does not get sent

2004-09-05 Thread John Nichel
Dre wrote:
yes I'm sure
Won't hurt to echo it out.
--
By-Tor.com
It's all about the Rush
http://www.by-tor.com


Re: [PHP] Session variables does not get sent

2004-09-05 Thread Jason Wong
Please do not top post.

On Monday 06 September 2004 06:53, Dre wrote:

As well as what everybody else has said ...

   $username = trim(addslashes($_POST['user_name']));
   $pass = trim(addslashes($_POST['password']));

addslashes() is not needed as you're performing SELECT query and not an INSERT 
query.

$sql = "SELECT * FROM  members_webdata WHERE user_name='".$username."'
 AND password='".$pass."'";

$sql = "SELECT * FROM  members_webdata WHERE user_name='$username' AND 
password='$pass'";

Much easier on the eyes.

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
Of course you have a purpose -- to find a purpose.
*/
