Multiple steps form with sessions security - php

Hi, I'm developing a multi-step form with PHP using sessions, and I've been wondering if there is a way for the user to alter session variables. For example, on the first page I have something like this:
    <?php
    session_start();
    if (isset($_POST['submit'])) {
        $_SESSION['name'] = $_POST['name']; // and so on
    }
    ?>
and the other page has something like:
    <?php
    session_start();
    $name = $_SESSION['name'];
    ?>
My question is: can the user modify the value of the session variable on the second page?

Since you're populating the session variable with the value of a POST variable, they can continue to resubmit the first form as much as they want with arbitrary values.
You can use application logic to defeat this:
    <?php // form1
    session_start();
    if (empty($_SESSION['step'])) {
        $_SESSION['step'] = 1;
    }
    if ($_SESSION['step'] > 1) {
        header("Location: form2.php");
        exit; // This exit is very important, don't neglect it
    }
    if (isset($_POST['submit'])) {
        $_SESSION['name'] = $_POST['name']; // and so on
        $_SESSION['step'] = 2;
    }
And then
    <?php // form2
    session_start();
    if (empty($_SESSION['step'])) {
        header("Location: form1.php");
        exit;
    }
    if ($_SESSION['step'] > 2) {
        header("Location: form3.php");
        exit;
    }
    if ($_SESSION['step'] < 2) {
        header("Location: form1.php");
        exit;
    }
    $name = $_SESSION['name']; // read the value stored by form1, not the request
By using application logic, you can control the flow of your visitors within your application.
If you're asking if users can change $_SESSION variables outside of any code you've written, the answer is usually no. See also: this answer.
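The answer's step-gating idea carried through as a pair of helpers that every form script calls, added here as an example rather than code from the question or the answer above. The session holds the one step the visitor is currently on, so neither resubmitting form1 nor typing form3.php into the address bar moves them out of sequence, and finishing the form clears the stored data so the wizard cannot be replayed. The file names form1.php to form3.php and done.php, and the helper names, are assumptions.

```php
<?php
// Added example: step gate for a multi-step form (not the original answer's code).
// The session records the single step the visitor is on; each script calls
// require_step() with its own number before doing anything else.
// Assumed file names: form1.php .. form3.php and done.php.
declare(strict_types=1);

session_start();

const LAST_STEP = 3;

/** Return the step the visitor is currently on (1 on a fresh session). */
function current_step(): int
{
    return (int) ($_SESSION['step'] ?? 1);
}

/**
 * Redirect and stop unless the calling script is the current step.
 * Nothing below this call runs for a visitor who is on another step.
 */
function require_step(int $step): void
{
    $now = current_step();
    if ($now === $step) {
        return;
    }
    header('Location: ' . ($now > LAST_STEP ? 'done.php' : "form{$now}.php"));
    exit;
}

/** Store this step's validated fields and move the pointer forward by one. */
function complete_step(int $step, array $fields): void
{
    $_SESSION['form'][$step] = $fields;
    $_SESSION['step'] = $step + 1;
}

/** Collect everything and reset, so the finished wizard cannot be replayed. */
function finish_form(): array
{
    $all = $_SESSION['form'] ?? [];
    unset($_SESSION['form'], $_SESSION['step']);
    session_regenerate_id(true);
    return $all;
}

// ---- what form2.php looks like with these helpers ------------------------
require_step(2);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Validate on the server; reaching this page proves nothing about the data.
    $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    if (!is_string($email)) {              // null = field missing, false = invalid
        http_response_code(400);
        echo 'A valid e-mail address is required.';
        exit;
    }
    complete_step(2, ['email' => $email]);
    header('Location: form3.php');
    exit;
}

// Step 1's data comes from the session, never from the current request.
$name = htmlspecialchars($_SESSION['form'][1]['name'] ?? '', ENT_QUOTES, 'UTF-8');
echo "<p>Hello {$name}, step 2 of " . LAST_STEP . "</p>";
echo '<form method="post"><input name="email"><button>Next</button></form>';
```

form1.php is the same shape with require_step(1) and complete_step(1, ...); done.php calls require_step(LAST_STEP + 1) and then finish_form() to read all the collected fields. Because require_step() compares with strict equality, a visitor can neither skip forward nor go back and overwrite data for a step the server has already accepted.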

Related

how to pass session value other page if condition true in php

I have a $_SESSION['usermail']. I want to pass this value to the next page if the condition matches ($answer = $_SESSION['usermail']);
    if (isset($_POST['compair']))
    {
        echo $_SESSION['question'];
        $_SESSION['usermail'];
        $answer = $_POST['answer'];
        if ($answer == $_SESSION['answer'])
        {
            header("Location: resetpass.php");
            exit; // stop the script after the redirect
        }
        else
        {
            echo "<script>alert('Please Try again')</script>";
        }
    }
I want to pass the $_SESSION['usermail'] value on to the resetpass.php page.
I think your logic is wrong here. What exactly are you checking in the if statement? A session variable means you can use it on every page that has session_start(); at the top.
Sessions by default carry over to other pages.
Make sure you have session_start(); at the top of the page where you want to access the session variable.
So if $_SESSION['usermail'] is working on your current page, it will work on your next page as well with the same data.
Get an idea from this example:
First page
    <?php
    session_start();
    $_SESSION['name'] = "Adam";
    ?>
Second page
    <?php
    session_start();
    echo $_SESSION['name'];
    ?>
You can use the GET method to share your session value with the next page...
    if (isset($_POST['compair']))
    {
        echo $_SESSION['question'];
        $_SESSION['usermail'];
        $answer = $_POST['answer'];
        if ($answer == $_SESSION['answer'])
        {
            $value_to_share = $_SESSION['usermail']; // You can share using GET
            header("Location: resetpass.php?value=" . urlencode($value_to_share));
            // receive this value at resetpass.php by $_GET['value']
            exit; // stop the script after the redirect
        }
        else
        {
            echo "<script>alert('Please Try again')</script>";
        }
    }

Global Sessions?

I'm trying to get a variable from one page on my site to another using sessions but failing.
Example from page 1:
    session_start();
    $_session['error'] = "1";
Example from page 2:
    session_start();
    if ($_session['error'] == "1") {
        print '<font color="#ff0000">You need to sign in with a username!</font>';
    }
$_SESSION and $_session are two different variables: one is a basic variable and the other is a GLOBAL variable.
You need to use the GLOBAL one. As you are using the variable on two different pages, you have to go with the uppercase one, that is $_SESSION. If you store it in that variable you can access it from any page in the same domain with the help of session_start.
Solution:
Page_1.php
    session_start();
    $_SESSION['error'] = "1";
page_2.php
    session_start();
    if ($_SESSION['error'] == "1") {
        print '<font color="#ff0000">You need to sign in with a username!</font>';
    }
You need to use $_SESSION['error'] instead of $_session['error']. $_SESSION stores information in the session, whereas $_session is just a variable on the page because it's lowercase. Thus your pages become:
Example from page 1:
    session_start();
    $_SESSION['error'] = "1";
Example from page 2:
    session_start();
    if ($_SESSION['error'] == "1") {
        print '<font color="#ff0000">You need to sign in with a username!</font>';
    }

redirect if session doen't exist

I'm trying to redirect to the attempt page if the user fills in incorrect information...
On the other hand, if the attempt page gets refreshed I want it to redirect to the login page...
I'm using a session for that...
    if (isset($c))
    {
        // Values interpolated into SQL must be escaped; mysql_real_escape_string
        // is the escaping function that belongs to the mysql_* API used here.
        $ea = mysql_real_escape_string($a);
        $eb = mysql_real_escape_string($b);
        $q = mysql_query("select * from registeration where email='$ea' and password='$eb'");
        $r = mysql_num_rows($q);
        if ($r)
        {
            $_SESSION["Authenticated"] = 1;
            $_SESSION['id'] = $a;
            unset($_SESSION["att"]); // clear a flag left over from an earlier failed attempt
        }
        else
        {
            $_SESSION["Authenticated"] = 0;
            $_SESSION["att"] = 1;
        }
        if (isset($_SESSION["att"]))
        {
            header("location: attempt1.php");
            exit; // stop the script after the redirect
        }
        else
        {
            session_write_close();
            header('location: profile.php');
            exit;
        }
    }
The above code redirects to attempt1.php, but the code on attempt1.php redirects back to index.php:
    session_start();
    if (!isset($_SESSION["att"]))
    {
        echo "<meta http-equiv=\"refresh\" content=\"0; url=index.php\">";
    }
I want the attempt1.php code to redirect the user to index.php if the session is not set..
and destroy the session on refresh or direct page load...
so that direct access to this page results in redirection to the index page.
Please help, friends..
ANSWER:
In all the questions I asked I made silly mistakes...
Here in this question I had not started the session while storing session variables....
Add the code below as the first line of the login script:
    session_start();
    // try this code
    <?php
    session_start();
    if (!isset($_SESSION["att"]))
    {
        header("location: index.php");
        exit; // stop the script after the redirect
    }
    ?>
I think you're asking to redirect if a session doesn't exist. Since a session requires an ID, you should be able to check against that:
    if (!session_id()) {
        header("Location: /mypage.php");
        exit;
    }
Try this:
    if (empty($_SESSION))
    {
        header("Location: /mypage.php");
        exit; // stop the script after the redirect
    }
    else
    {
        // do something ....
    }
Thanks

PHP Session Unsets Itself

My session keeps getting unset whenever I refresh a page, but when I made a control test it seemed to work fine.
Control (held data):
    <?php
    session_start();
    var_dump($_SESSION);
    $_SESSION['name'] = 'john doe';
    ?>
Top of index.php
    <?php
    session_start();
    var_dump($_SESSION);
    include('utils/utils.php');
    ?>
Login page:
    <?php
    session_start();
    include('utils.php');
    if (isset($_POST['email']) && isset($_POST['password'])) {
        $email = filter($_POST['email']);            // filter() and getPwd() come from utils.php
        $password = getPwd(filter($_POST['password']));
        if (!isset($_SESSION['email']) && !isset($_SESSION['password'])) {
            if (isAccount($email, $password)) {
                $key = genAuthKey();
                $_SESSION['email'] = $email;
                $_SESSION['auth_key'] = $key;
                // $key and $email are interpolated into the query; they must be escaped for SQL
                mysql_query("update `users` set `auth-key`= '$key' where `email`='$email'") or die(mysql_error());
                print("ok");
            } else {
                print('error');
            }
        } else {
            print('error');
            logOut();
        }
    } else {
        print('error');
    }
    ?>
The code is being executed, because it updated the auth-key in the table. I honestly have no idea what the issue is.
Also, the session is unset when I reload the index page.
I've got some more information: the pages can hold session data and retain it, but once another page using the session is loaded, it unsets all the data.
Check whether you use Unicode-encoded PHP files with a BOM.
PHP is not aware of the BOM. The BOM results in output before your first <?php, so PHP fails to set the related HTTP header for the session cookie.
From the docs:
To use cookie-based sessions, session_start() must be called before
outputting anything to the browser.
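A checker for the failure mode this answer describes, added here as an example and not taken from the question or the answer: check_php_file() scans a PHP source file for a UTF-8 BOM or any other bytes before the first <?php tag and for text after a closing ?> (the cases that produce output before session_start()), and start_session_or_fail() is a page-level guard that reports where output began instead of silently losing the cookie. The function names, the command-line directory argument and the PHP 8 requirement (str_starts_with) are assumptions.

```php
<?php
// Added example: find PHP files that emit bytes before session_start() can
// send its cookie. Not code from the original question or answer.
// Usage (assumed): php check_bom.php /path/to/site
declare(strict_types=1);

const UTF8_BOM = "\xEF\xBB\xBF";

/**
 * Return the problems found in one source file (empty array means clean).
 * Note: a "?>" inside a string literal would be a false positive for the
 * third check; the first two checks are exact.
 */
function check_php_file(string $path): array
{
    $problems = [];
    $src = file_get_contents($path);
    if ($src === false) {
        return ['cannot read file'];
    }
    if (strncmp($src, UTF8_BOM, 3) === 0) {
        $problems[] = 'UTF-8 BOM before <?php';
        $src = substr($src, 3);
    }
    // Blank lines, spaces or HTML before the open tag are output as well.
    if (!str_starts_with($src, '<?php')) {
        $problems[] = 'bytes before first <?php tag';
    }
    // Anything but a single newline after the last closing tag is output too.
    $end = strrpos($src, '?>');
    if ($end !== false && trim(substr($src, $end + 2)) !== '') {
        $problems[] = 'content after closing ?>';
    }
    return $problems;
}

/**
 * Put this at the very top of a page instead of a bare session_start():
 * if something already produced output, say exactly where it came from.
 */
function start_session_or_fail(): void
{
    if (headers_sent($file, $line)) {
        throw new RuntimeException(
            "Output already started at {$file}:{$line}; the session cookie cannot be sent"
        );
    }
    session_start();
}

// Command-line driver: walk the tree, report offenders, exit non-zero if any.
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($argv[1], FilesystemIterator::SKIP_DOTS)
    );
    $bad = 0;
    foreach ($files as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        $problems = check_php_file($file->getPathname());
        if ($problems !== []) {
            $bad++;
            echo $file->getPathname(), ': ', implode(', ', $problems), PHP_EOL;
        }
    }
    exit($bad === 0 ? 0 : 1);
}
```

The BOM check is done on raw bytes rather than by decoding the file, because the bytes are what the web server sends; an editor that shows the file as "UTF-8 with BOM" will confirm the finding.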

php session doesn't work

How it should work:
index.php is the secured page. It includes check.php, which checks whether you have a session = good. If you haven't, you're not logged in -> log off, remove the session. But it doesn't work; it always logs off, as if I didn't log in...
index.php
    <?php
    include 'check.php';
    echo "logged in";
check.php
    <?php
    session_start();
    if (($_SESSION['login'] ?? '') != 'good') {
        unset($_SESSION['login']);
        unset($_SESSION['name']);
        header('Location: login.php?logoff');
        exit();
    }
Login.php
    <?php
    if (isset($_POST['login'])) {
        $gb = array();
        $gb['user1'] = 'pass1';
        $gb['user2'] = 'pass2';
        if (isset($gb[$_POST['username']]) && $gb[$_POST['username']] == $_POST['password'])
        {
            $_SESSION['login'] = 'good';
            $_SESSION['name'] = $_POST['name'];
            header("Location: index.php");
            exit;
        } else {
            header("Location: login.php?wrongpass");
            exit;
        }
    } else { ?>
    Login Form
    <?php } ?>
I hope someone can help me!
You should verify you started the session in login.php.
Put session_start(); in all the pages
You need to have session_start() at the top of all the pages; you haven't shown the session start for your login page.
(Thanks to Danny for proving I cant type)
Check that register_globals is On in your php.ini.
First, check on the pages where you want to use session variables whether the session has been started or not, and if it has not, start it.
This must be the very first line in the PHP file.
The code for the session check is:
    if (!session_id())
    {
        session_start();
    }
    if ($count == 1) {
        session_start();
        $_SESSION['Username'] = $UserName;
        $_SESSION['Password'] = $password;
        UpdateOnlineChecker($Session);
        header("Location: http://" . strip_tags($_SERVER['HTTP_HOST']) . "/newHolo/");
        exit;
    }
    else {
        echo "Wrong Username or Password";
    }
Look at my code. It checks whether the statement is true (for me, whether there is one row for a query statement I execute). Then I start a session and basically define global session variables, send out a query to my database to update the session and then refer through.
you are missing a session_start(); in your if true block.
Use one action document such as index.php; there is the code:
    session_start();
    if (isset($_POST['login']) && isset($_POST['password'])) {
        // login
        header('Location: (here is some page)');
        exit;
    }
    if (!isset($_SESSION['user'])) {
        // #todo some action
    } else {
        require_once('login.php');
    }
    if (isset($_GET['logout'])) {
        unset($_SESSION['user']);
        header('Location: (here is some page)');
        exit;
    }
I think the problem is the header:
    ('location:------.php);
Your hosting server doesn't run this.
You can use this instead:
    echo "<script>window.location.href='-----.php'</script>";
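Both of the last two questions ("redirect if session doesn't exist" and "php session doesn't work") come down to the same three things: starting the session exactly once on every page, sending the visitor away with a redirect that is followed by exit, and not leaving stale flags or a pre-login session id behind. The following session.php bootstrap, added here as an example and not code from any of the posts above, does those three things; every page includes it as its first line. The file names (login.php, attempt1.php, index.php, profile.php), the function names and the verify_credentials() placeholder are assumptions.

```php
<?php
// Added example: session.php, included first by every page. Not code from the
// questions or answers above. Assumed page names: login.php, attempt1.php,
// index.php, profile.php; verify_credentials() is a placeholder for the
// site's own credential check.
declare(strict_types=1);

// Start the session once, no matter how many includes load this file.
if (session_status() === PHP_SESSION_NONE) {
    session_start([
        'cookie_httponly' => true,   // cookie not readable by page scripts
        'cookie_samesite' => 'Lax',  // cookie not sent on cross-site POSTs
        'use_strict_mode' => true,   // reject session ids the server never issued
    ]);
}

/** Redirect to the login page unless this session was authenticated. */
function require_login(string $login_url = 'login.php'): void
{
    if (empty($_SESSION['auth']['id'])) {
        header('Location: ' . $login_url);
        exit;                            // the rest of the page must not run
    }
}

/** Call only after the credentials were verified: bind the user to a fresh id. */
function login_user(string $user_id): void
{
    session_regenerate_id(true);         // discard the pre-login id
    $_SESSION['auth'] = ['id' => $user_id, 'since' => time()];
    unset($_SESSION['att']);             // clear any earlier failed-attempt flag
}

/** Forget everything on the server and tell the browser to drop the cookie. */
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/**
 * One-shot flag: true once right after a failed login, false afterwards.
 * attempt1.php shows its message on the redirect and sends a refresh or a
 * direct visit back to index.php, which is what the first question asked for.
 */
function consume_failed_attempt(): bool
{
    $was_set = !empty($_SESSION['att']);
    unset($_SESSION['att']);
    return $was_set;
}

// ---- login.php, after require 'session.php' --------------------------------
// if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//     $email = $_POST['email'] ?? '';
//     if (verify_credentials($email, $_POST['password'] ?? '')) {   // placeholder
//         login_user($email);
//         header('Location: profile.php');
//         exit;
//     }
//     $_SESSION['att'] = 1;
//     header('Location: attempt1.php');
//     exit;
// }
// ---- attempt1.php ----------------------------------------------------------
// if (!consume_failed_attempt()) { header('Location: index.php'); exit; }
// echo 'Wrong e-mail or password.';
// ---- profile.php (or check.php) ---------------------------------------------
// require_login();
// echo 'Welcome ' . htmlspecialchars($_SESSION['auth']['id'], ENT_QUOTES, 'UTF-8');
// ---- logout ---------------------------------------------------------------
// logout_user(); header('Location: login.php'); exit;
```

Using session_status() rather than session_id() for the guard matters: session_id() is empty before session_start() on every request, so a check on it never tells you whether the session has been started. Regenerating the id in login_user() means a session id handed to the browser before authentication is never the one that carries the logged-in state.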
