I am working on a system where I retrieve user preferences and insert them into cookies with JSON because I have a Javascript file that needs to use the value in the cookie too.
Now, when i use JSON.Stringify() with javascript i get the data just as i expect it.
However, when i go to check the cookie after it has run the PHP script i get this:
Here is my code from the php file:
public function onSecurityInteractiveLogin(InteractiveLoginEvent $event){
if($this->securityContext->isGranted('IS_AUTHENTICATED_FULLY')){
$selectedCategories = $event->getAuthenticationToken()->getUser()->getProfile()->getCategories();
setcookie("userInterests",json_encode(get_object_vars($selectedCategories)),(time()+3*60*60*24*30));
}
}
any help would be greatly appreciated!
In my case I had multiple problems: firstly I tried to enter an object(that I thought was an array) into the cookie. This had the weird cookie as a result, because the PHP cookie only held the start string for the urlencode.
Secondly, I didn't know that cookies automatically get urlencoded in PHP so that threw me of.
If I just use urldecode now, at the point where I am returning the data from the cookie. It should just pass the javascript cookie without editing it and my php cookie will be useable.
Related
I'm writing a php code processing a lot of data, sometimes interactively. In my starting php page i call the function session_start() before sending any other data to the browser. Then, i put some data into the $_SESSION[] array, like this:
$_SESSION['something'] = $variable;
After, there is a form, what is sent via GET and XMLHttpRequest.
getrequest.open("GET", "data_processing.php?var="+onevalue+"&another_var="+twovalue, true)
getrequest.send(null)
Another php script recieves the user data from this GET, and there i'd like to use the data stored in $_SESSION as well. But $_SESSION seems to be empty. I've never used sessions, what is the correct way to make available variables to consequent php scripts?
Are you sure you called session_start first?
See: http://php.net/manual/en/function.session-start.php
I finally found the solution: another script still used the session, so i had to insert session_write_close(); then it works fine. Thank you for all the answers!
I'm trying to use the header() function to create a redirect. I would like to display an error message. Currently I'm sending the message as a parameter through the URL, however this makes it look quite ugly.
Is there a way to pass this value as a post variable instead?
Any advice appreciated.
Thanks.
Dan, You could start and store a session in PHP then save the message as a session variable. This saves you from having to transfer the message in an HTTP request.
Manipulating Sessions
//Start the session
session_start();
//Dump your POST variables
$_SESSION['POST'] = $_POST;
//Redirect the user to the next page
header("Location: bar.php");
Now, within bar.php you can access those POST variables by re-initiating the session.
//Start the session
session_start();
//Access your POST variables
$temp = $_SESSION['POST'];
//Unset the useless session variable
unset($_SESSION['POST']);
To read more about sessions, check out: http://php.net/manual/en/function.session-start.php
The header function is used to send HTTP response headers back to the user so actually you cannot use it to create request headers :(
One possibility is to use the CURL but I don't think it is worth of what you are doing.
Provided that you have local access to the page displaying the error, instead of redirecting you could include it in the page which caused the error and then programmatically display the error message.
if(something_went_wrong()) {
require_once('errors.php');
display_error('something really went wrong.');
}
The errors.php file would then contain a definition for display_error($message), which displays the formatted message.
When passing variables between modules I have found it easier to construct an array from the variables, convert the array to json and store it in a db table with two columns, a varchar key and a text data. The json would go in data and the key could be anything you want. Then in the target module you just read that back, convert the json back to an array and voila, you have your variables. No $_POST, no $_SESSION, no fuss, no muss, quick and easy. Of course that assumes you have access to a database, although you could use a file on the server. $_POST is useless since it needs a and $_SESSION can be cranky and can lead to unexpected results. Otherwise you'd almost have to use ajax.
I'm trying to make a bookmarklet that will take the URL of the current page you are on, and send it to an application written using CodeIgniter.
The problem I keep running into is that I can't do a standard AJAX call, because it's cross-domain. It is disallowed, and I can't figure out a way to use the JSONP via $_GET method since CodeIgniter blows away the $_GET parameter.
At this point I'll take any suggestions on how to do this. Please note that I need to send a URL, and if it's to be passed via a URL itself it obviously needs to be encoded or something. This I also haven't figured out how to do, so any pointers on that end would be appreciated as well.
Codeigniter unsets $_GET but you can get the data from the query string. It is a little inefficient because PHP will probably end parsing the query string twice, but it should work:
parse_str($_SERVER['QUERY_STRING'], $get);
print_r($get);
All the GET variables should be accesible in the variable $get. See parse_str() documentation for some more information.
As an alternative you could url-encode the current URL and append it to what you are requesting e.g.
var url = 'http://example.com/bookmarklet/'
+ encodeURIComponent(window.location);
Then in Codeigniter do something like:
//you might have to call urldecode() on this value
$url = $this->uri->segment(0);
but you may find you then have this problem
It is possible to enable query strings in Codeigniter, but watch out for the caveats - you can't use the URL helper, for example.
Is there a way in PHP to get a list of all sessions (and the variables within each) on the server?
Basically, we have a maintenance function which needs to know which users are currently logged into the site. We already store data for each user in a session variable, but I am hoping that I can loop through each of these sessions and pluck out the data I need.
MY PHP is very limited (I am a .Net developer ussually) but if anyone knows if this is even possible (and how to do it) I'd be very grateful. I googled this, and the results I found tended to inidcate that it WASN'T possible, but I find this very hard to accept.
Still, If you can't you can't but I thought my buddies on StackOverflow could give me a definitive answer!
PHP stores session data for each user in a temporary folder on the server. This folder is defined in the php.ini configuration file under the variable session.save_path. Locate this value from within your php.ini file, or alternatively, create a php file with:
<?php echo "Session Save Path: " . ini_get( 'session.save_path');?>
as it's contents, and open the file in your browser.
Once you find the save path for the session data, open up that folder and you'll notice a fairly simple structure. All sessions are stored in the format: sess_$SESSIONID .
Session data is serialized before being stored on disk. As such, objects stored in the session file would have to be deserialized before being usable. However, if you're using plain text, which is stored as-is, to store your session data (ex. $_SESSION['userid'] = 1234) to store information about your users, it should be easy enough to parse out the data you're looking for from within the files.
One more thing ... I haven't looked into it, but it appears as though the session ID that appears in the filename corresponds directly to, for instance, the name of the PHPSESSID cookie stored on the user's computer. So, with this in mind, it may be possible to loop through the files within the temporary session directory, acquire all the $SESSIONID values, set the current session ID using session_id($SESSIONID), start a session with session_start() and access the data you need through PHP without having to parse the contents files themselves. Can anyone confirm whether or not this would be possible?
Edit: Adjusted post to match Itay's comment.
This will get you the data for all sessions, stored in an array and indexed by session id:
<?php
$allSessions = [];
$sessionNames = scandir(session_save_path());
foreach($sessionNames as $sessionName) {
$sessionName = str_replace("sess_","",$sessionName);
if(strpos($sessionName,".") === false) { //This skips temp files that aren't sessions
session_id($sessionName);
session_start();
$allSessions[$sessionName] = $_SESSION;
session_abort();
}
}
print_r($allSessions);
Here's a more succinct way to get a list of sessions via the stored files:
<?php
print_r(scandir(session_save_path()));
?>
I used the #mgroat method in the ajax call, but there is a problem in the header of the HTTP response that the Set-Cookie header appears multiple times and jQuery reports an error:
Set-Cookie header is ignored in response from url:
mysite.com/admin/ajax/main_ajax. Cookie length should be less
than or equal to 4096 characters.
The solution is to add header_remove("Set-Cookie") right after session_start().
one of my php page returns data like this:
<?php
//...
echo "json string";
?>
but someone else use file_get_contents() to get my data and use in other website.
can anybody tell me what can i do to prevent such thing happen.
i consider if i can get the request's domain name to echo something else.but i dont know
the function to get request's domain name.and if the request is sent by a server,that
will be unhelpful. My English is poor, to express doubts, please bear with.
you can also use sessions. if somewhere in your application, before the user gets the json data, you start a session, then in this page where you are outputting json data, you can check for the session variable. this way only users that have passed the session generator page, can view your output.
suppose you have page A.php that generates the session. use this code before outputting anything in this page.
session_start();
$_SESSION['approvedForJson'] = true;
then in your page where you are outputting json data, before outputting anything, call session_start() again. the beginning of your PHP code is a good place to call it.
then before outputting the json data, check if the session variable for approved users exists, or not.
if ( isset($_SESSION['approvedForJson']) && $_SESSION['approvedForJson'] ) {
echo "json data";
} else {
// bad request
}
You can use $_SERVER['REMOTE_ADDR'] to get the address of the client address. You can also check $_SERVER['HTTP_REFERER'] and block external requests that way, but it's less reliable. There's probably a few other techniques involving $_SERVER that you can try.
Your fighting an uphill battle here. I am assuming your serverside process that responds in json is being consumed via javascript in your users browsers... so there is no easy way to encrypt it. You might try some of the techniques used to prevent xspf (see http://en.wikipedia.org/wiki/Cross-site_request_forgery ). If you developed the client to pass along some session token that is uniq per client you could reduce some of the problem. But, chances are whoever is stealing your data is gonna figure out whatever mechanism you put in place ... assuming this is some sort of ajax type thing. If its a server-server thing then as sli mentions, setting up some restrictions based on the remote ip would help, plus setting up some sort of API authentication tokens would help even more (see oauth for some pointers)
You could also using .htaccess with apache block every external request to the page if it get's called internally or block every request that is not from your domain:
Google search thingie
EDIT
You could also use some php file which includes the file which can not be read. So for example you have file.php:
<?php
$allowedFiles[] = 'somefile.php';
$allowedFiles[] = 'someotherFile.php';
$allowedFiles[] = 'jsonReturnFile.php';
if(in_array($_GET['file'], $allowedFiles)){
include( "include/".$_GET['file'] );
}
?>
Then you can allow file_ get _contents() on that file and write a rewriteRule in your .htacces to disallow any request to the include/ folder.
RewriteRule include* - [F,NC]
That will return a 403 forbidden error for a request to that directory or any file in the directory.
Then you can do you JSON request to something like: file.php?file=jsonReturnFile.php&someothherParamReadByJsonFile=1
And when someone tries to get the file contents for the JSON file they will get the forbidden error, and getting the file contents for the include.php won't return anything usefull.