Is there some equivalent of filter_input I can use with $_SESSION as I would with $_POST?
When I tried it, it gives the error:
Warning: filter_input(): INPUT_SESSION is not yet implemented
session_start();
$x = filter_input(INPUT_SESSION, 'x');
if ($x) {
    echo $x;
}
php version: PHP Version 5.5.12-1+deb.sury.org~precise+1
I have the same problem as you. Maybe we are being so rigorous, but I solved the problem without compromising any security/filter.
I used filter_var instead of filter_input.
An example is like this:
session_start();
$_SESSION['baba'] = "co";
$ses = filter_var($_SESSION['baba']);
if (!empty($ses)) {
    echo $ses;
}
Seems like $_SESSION doesn't work the same way as $_SERVER.
After many combinations I had a similar issue. I'll leave some of my code after fixing it so you can see the difference:
Here is the original code, with warnings due to direct access to these variables:
if ( (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] == false) ||
     ($_SESSION['REMOTE_ADDR'] != $_SERVER['REMOTE_ADDR']) ||
     (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] == false) ||
     ($_SESSION['HTTP_USER_AGENT'] != $_SERVER['HTTP_USER_AGENT'])
   ) {
    header("Location: ../login.php");
}
Below is the code after including filters and clearing the warnings:
if ( (!isset($_SESSION['loggedin']) || (filter_var($_SESSION['loggedin']) == false)) ||
     (filter_var($_SESSION['REMOTE_ADDR']) != filter_input(INPUT_SERVER, 'REMOTE_ADDR')) ||
     (!isset($_SESSION['loggedin']) || (filter_var($_SESSION['loggedin']) == false)) ||
     (filter_var($_SESSION['HTTP_USER_AGENT']) != filter_input(INPUT_SERVER, 'HTTP_USER_AGENT'))
   ) {
    header("Location: ../login.php");
}
I am trying to make some redirects to lock the page from having a different GET variable from what I have defined. But the problem is that I am getting a redirect error, which is:
The page isn’t redirecting properly.
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
This problem can sometimes be caused by disabling or refusing to accept cookies.
I tried different things but I could not solve this problem. I need your help please. Note that the variables w_news and the rest are coming from links on the page.
This is the code which is in the header of the project:
// Redirect function
function redirect_to($redirect_link) {
    header("Location: " . $redirect_link);
    exit;
}

$redirect_link = "index.php?sec=w_news";

// if sec is empty I want to redirect to the above link
if (!isset($_GET['sec']) || isset($_GET['sec']) && $_GET['sec'] == "") {
    redirect_to($redirect_link);
} else if (isset($_GET['sec']) && $_GET['sec'] != "w_news" || $_GET['sec'] != "pol" || $_GET['sec'] != "sci" || $_GET['sec'] != "tech" || $_GET['sec'] != "spo" || $_GET['sec'] != "covid19") {
    // and if the value is not equal to the named ones I want also to redirect
    redirect_to($redirect_link);
}
Thank you in advance :)
<?php
if ($_GET['sec'] == "w_news" || $_GET['sec'] == "pol" || $_GET['sec'] == "sci" || $_GET['sec'] == "tech" || $_GET['sec'] == "spo" || $_GET['sec'] == "covid19")
{
    // working validate
}
else
{
    // failed: redirect
    $redirect_link = "index.php?sec=w_news";
    header("Location: " . $redirect_link);
    exit; // stop processing after sending the redirect
}
?>
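An added example (not the asker's or the answerer's code) of the same whitelist check written so that it cannot loop; ALLOWED_SECTIONS, DEFAULT_SECTION and resolve_section() are names introduced here:

```php
<?php
// Added example: a whitelist check for the ?sec= parameter that cannot loop.
// The original condition chained "!=" tests with "||", which is always true
// (no value equals all six names at once), so every request, including the
// redirect target index.php?sec=w_news itself, was redirected again.
const ALLOWED_SECTIONS = ['w_news', 'pol', 'sci', 'tech', 'spo', 'covid19'];
const DEFAULT_SECTION  = 'w_news';

function redirect_to(string $redirect_link): void
{
    header('Location: ' . $redirect_link);
    exit;   // stop here, otherwise the rest of the page still runs
}

// Returns the section to render, or null when the request must be redirected.
function resolve_section(?string $sec): ?string
{
    if ($sec === null || $sec === '') {
        return null;
    }
    // in_array with strict = true is a plain whitelist compare: no type
    // juggling, and adding a section means adding one array element.
    return in_array($sec, ALLOWED_SECTIONS, true) ? $sec : null;
}

$section = resolve_section(filter_input(INPUT_GET, 'sec'));   // null if ?sec absent
if ($section === null) {
    // DEFAULT_SECTION is itself on the whitelist, so the redirected request
    // resolves on the next hit and the loop ends.
    redirect_to('index.php?sec=' . DEFAULT_SECTION);
}
// ... render $section ...
```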
I want to check for my session. The code below works:
if ($_SESSION["rol"] != 'trainer') {
}
But this code doesn't work:
if ($_SESSION["rol"] != 'trainer' || 'commandant') {
}
It should check for both, because both have permission. What am I doing wrong?
Use this
// both comparisons must hold, so join them with && (with || the test is always true)
if ($_SESSION["rol"] != 'trainer' && $_SESSION["rol"] != 'commandant') {
}
$role = ['trainer', 'commandant'];
if (!in_array($_SESSION['rol'], $role))
{
    // do some stuff
}
I would probably do the following, where isset ensures the key exists (and helps reduce warnings when the key is not available):
if (isset($_SESSION["rol"]) && ($_SESSION["rol"] != 'trainer' && $_SESSION["rol"] != 'commandant')) {
    echo 'do some...';
}
array_key_exists is a nice alternative to using isset to check for keys:
if (array_key_exists('rol', $_SESSION) && ($_SESSION["rol"] != 'trainer' && $_SESSION["rol"] != 'commandant')) {
    echo 'do more...';
}
Hope that helps.
PS: #dexter's solution with in_array() will be better over time and easier to maintain.
I have some PHP code to check user login status which checks if session variables are set or cookies are set. If either condition is true then it grants permission, otherwise it redirects to the login page. The code looks like this:
if (isset($_SESSION["userid"]) || isset($_COOKIE["userid"]) && isset($_SESSION["username"]) || isset($_COOKIE["username"]) && isset($_SESSION["password"]) || isset($_COOKIE["password"])) {
} else {
    header("Location: register.php");
}
The problem is that if the session gets destroyed (by closing the browser or for any other reason) it redirects the user to the login page. But what it has to do is read the cookie data and grant the user access, as the cookies are still present (I've checked that the cookies are still present by echoing the cookie data).
&& has a higher precedence than ||, so you need to guard the || with brackets. Also, having an empty if statement is just redundant:
if (!(isset($_SESSION["userid"]) || isset($_COOKIE["userid"])) ||
    !(isset($_SESSION["username"]) || isset($_COOKIE["username"])) ||
    !(isset($_SESSION["password"]) || isset($_COOKIE["password"]))) {
    header("Location: register.php");
    exit;
}
You need to change your condition a bit, because you are mixing up SESSION and Cookie. Put them together with && and separate them with || like below:
if ((isset($_SESSION["userid"]) && isset($_SESSION["username"]) && isset($_SESSION["password"])) || (isset($_COOKIE["userid"]) && isset($_COOKIE["username"]) && isset($_COOKIE["password"]))) {
    // your action that you want
} else {
    header("Location: register.php");
    exit;
}
Note: take care that the same thing is applied everywhere (on each of the other pages and conditions), otherwise you will face problems.
Also, more dependency on cookies is not good, because they can be changed by the user at any time.
You need to add a couple of brackets to group your statements like this:
if (
    ( isset($_SESSION["userid"]) || isset($_SESSION["username"]) && isset($_SESSION["password"]) )
    ||
    ( isset($_COOKIE["userid"]) || isset($_COOKIE["username"]) && isset($_COOKIE["password"]) )
) {
    // Your action
} else {
    header("Location: register.php");
    exit;
}
Such a statement will check whether a COOKIE or a SESSION is set, and then check for user_id or (user name AND password).
If you need user_id AND username, then replace the || in brackets between the isset() functions for these fields.
I think your if condition is missing some parentheses. To make your code more readable you could create two functions:
function isSessionValid()
{
    return isset($_SESSION["userid"]) && isset($_SESSION["username"]) && isset($_SESSION["password"]);
}

function isCookieValid()
{
    return isset($_COOKIE["userid"]) && isset($_COOKIE["username"]) && isset($_COOKIE["password"]);
}
and then use these functions in your if statement:
if (isSessionValid() || isCookieValid()) {
    // logged in
} else {
    // redirect to the login page
}
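An added example (not the asker's or any answerer's code) of the "session OR cookie" check restructured so that the cookie path can actually be verified, following the warning above that a cookie can be changed by the user; makeRememberCookie(), parseRememberCookie(), the cookie name "remember" and REMEMBER_SECRET are names introduced here:

```php
<?php
// Added example: the login check rebuilt so the cookie path is verifiable.
// A cookie that just holds userid/username/password is editable by the
// client; this remember-me cookie instead carries an HMAC that only the
// server can produce. REMEMBER_SECRET is a placeholder: load a long random
// secret from configuration in real code.
const REMEMBER_SECRET = 'replace-with-a-long-random-secret';

function isSessionValid(): bool
{
    return isset($_SESSION['userid']);
}

// Cookie layout (constructed for this example): "<userid>:<expires>:<hmac>",
// hmac = HMAC-SHA256("<userid>:<expires>") under the server secret.
function makeRememberCookie(int $userid, int $expires, string $secret): string
{
    $payload = $userid . ':' . $expires;
    return $payload . ':' . hash_hmac('sha256', $payload, $secret);
}

// Returns the userid from a valid cookie, or null if absent, malformed,
// expired or forged.
function parseRememberCookie(?string $cookie, string $secret, int $now): ?int
{
    $parts = explode(':', (string)$cookie);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;
    }
    [$userid, $expires, $mac] = $parts;
    if ((int)$expires < $now) {
        return null;                                // expired
    }
    $expected = hash_hmac('sha256', $userid . ':' . $expires, $secret);
    if (!hash_equals($expected, $mac)) {            // constant-time compare
        return null;                                // tampered or forged
    }
    return (int)$userid;
}

session_start();
if (!isSessionValid()) {
    $uid = parseRememberCookie($_COOKIE['remember'] ?? null, REMEMBER_SECRET, time());
    if ($uid === null) {
        header('Location: register.php');
        exit;
    }
    // Valid cookie: rebuild the session from the server-side user record for
    // $uid; never copy a username or password out of the cookie itself.
    $_SESSION['userid'] = $uid;
}
```

When issuing the cookie with setcookie(), mark it HttpOnly and Secure; the token is still a bearer credential, so a session rebuilt from it is only as trustworthy as the cookie's protection in transit and in the browser.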
This is the code for the Delete link:
<a href="picture_manager.php?do=delete&id=<?php print $picturedata['id']; ?>" >Delete</a>
This is my current database syntax:
if (array_key_exists('do', $_GET) && $_GET['do'] == "delete" && array_key_exists('id', $_GET))
{
    $pictureid = trim(sanitize($_GET['id']));
    if ($picture->delete($pictureid) === true)
    {
        header('Location: picture_manager.php?success=removed');
    }
}
With the code above, another user can delete other users' pictures via picture_manager.php?do=delete&id=(victim).
Now I found a solution to prevent abuse by other users; I changed the old syntax as below:
This is my new database syntax:
if (!array_key_exists('id', $_GET)
    || $_GET['id'] == ""
    || $picture->pictureExists(trim(sanitize($_GET['id']))) === false
    || $picture->checkOwn($user->getUserID(trim(sanitize($_SESSION['key']))), trim(sanitize($_GET['id']))) === false)
{
    header('Location: picture_manager.php');
}
else
{
    $pictureid = trim(sanitize($_GET['id']));
    if ($picture->delete($pictureid) === true)
    {
        header('Location: picture_manager.php?success=removed');
    }
}
Sadly, it did not work: "The page isn't redirecting properly", said the Firefox browser.
Looking for an expert right now.
I found the solution in the answer below.
EDIT:
It's difficult for me. When I coded it as below:
if (isset($_GET['do']) && $_GET['do'] == 'delete'
    && (!array_key_exists('id', $_GET)
        || $_GET['id'] == ""
        || $picture->pictureExists(trim(sanitize($_GET['id']))) === false
        || $picture->checkOwn($user->getUserID(trim(sanitize($_SESSION['key']))), trim(sanitize($_GET['id']))) === false))
{
    header('Location: picture_manager.php');
}
else
{
    $pictureid = trim(sanitize($_GET['id']));
    if ($picture->delete($pictureid) === true)
    {
        header('Location: picture_manager.php?success=removed');
    }
}
The file doesn't get deleted when I click, e.g. picture_manager.php?do=delete&id=6125
What's wrong with my code?
Infinite redirect: !array_key_exists('id', $_GET) will always proceed. You need to add ?do=delete to the validation, like:
<?php
if (isset($_GET['do']) && $_GET['do'] == 'delete'
    && (!array_key_exists('id', $_GET)
        || $_GET['id'] == ""
        || $picture->pictureExists(trim(sanitize($_GET['id']))) === false
        || $picture->checkOwn($user->getUserID(trim(sanitize($_SESSION['key']))), trim(sanitize($_GET['id']))) === false))
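An added example (not the asker's or the answerer's code) of the delete handler split into "is this a delete request?" and "is this a valid picture owned by the current user?", so a plain page load never hits the redirect and a foreign id is refused. $picture, $user, sanitize() and $_SESSION['key'] are taken from the question and their implementations are assumed; deletableId() is a name introduced here:

```php
<?php
// Added example: the handler only touches the redirect on delete requests,
// and the ownership check is what stops one user deleting another's picture.
// Returns the picture id to delete, or null if the request is not a
// well-formed delete of a picture owned by the current user.
function deletableId(array $get, $picture, $user, string $sessionKey): ?int
{
    if (($get['do'] ?? null) !== 'delete') {
        return null;                     // not a delete request at all
    }
    // Reject missing, empty or non-numeric ids before touching the database.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    if ($picture->pictureExists($id) !== true) {
        return null;                     // unknown picture
    }
    // Ownership: the id must belong to the user behind this session.
    $owner = $user->getUserID(trim(sanitize($sessionKey)));
    return $picture->checkOwn($owner, $id) === true ? $id : null;
}

session_start();
if (isset($_GET['do'])) {                // only action requests reach this block
    $id = deletableId($_GET, $picture, $user, $_SESSION['key'] ?? '');
    if ($id === null) {
        header('Location: picture_manager.php');   // refused: back to the list
        exit;
    }
    if ($picture->delete($id) === true) {
        header('Location: picture_manager.php?success=removed');
        exit;
    }
}
// A plain GET without ?do= falls through and renders the manager page,
// which is what removes the redirect loop from the question.
```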
I want to know how to make a second "check" on what session is set. I am currently using this code:
<?php
session_start();
require_once("../user/connect.php");
include "getn.php";
if ($_SESSION['username'] != 'RBLXDev') {
    die('lol failure');
}
?>
My current username is RBLXDev, but I want to make it check whether the current username (stored in a session variable named username) is something like "waffle_".
I believe the way you do the "and" statement in PHP is ||, but I don't know how to add that to the code.
You can use any logical operator in your if statement to perform 2 or more checks:
Using or / ||:
if ($_SESSION['username'] != 'RBLXDev' or $_SESSION['username'] != '...') { }
if ($_SESSION['username'] != 'RBLXDev' || $_SESSION['username'] != '...') { }
Using and / &&:
if ($_SESSION['username'] != 'RBLXDev' and $_SESSION['username'] != '...') { }
if ($_SESSION['username'] != 'RBLXDev' && $_SESSION['username'] != '...') { }
Welcome to SO!
if ($_SESSION['username'] != 'RBLXDev' && $_SESSION['username'] != 'waffle_')
Please read up on PHP's logical operators.
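An added example (not code from any question or answer on this page) showing why "!= A || != B" never denies anyone, alongside two forms that do; it serves this question and the earlier trainer/commandant role check the same way. The usernames are constructed test input and the function names are introduced here:

```php
<?php
// Added example: the three ways the "two allowed names" check has been written
// on this page, run over constructed usernames so the difference is visible.
function deniedByOr(string $username): bool
{
    // Always true: no single string can equal both names at once, so at least
    // one "!=" holds for every input, including the allowed users.
    return $username != 'RBLXDev' || $username != 'waffle_';
}

function deniedByAnd(string $username): bool
{
    // Denied only when the name matches neither allowed user.
    return $username != 'RBLXDev' && $username != 'waffle_';
}

// Strict in_array(): scales to any number of names and skips type juggling.
function deniedByList(string $username, array $allowed): bool
{
    return !in_array($username, $allowed, true);
}

$allowed = ['RBLXDev', 'waffle_'];
printf("%-10s %-6s %-6s %-6s\n", 'user', 'OR', 'AND', 'list');
foreach (['RBLXDev', 'waffle_', 'mallory'] as $u) {
    printf("%-10s %-6s %-6s %-6s\n", $u,
        var_export(deniedByOr($u), true),
        var_export(deniedByAnd($u), true),
        var_export(deniedByList($u, $allowed), true));
}
```

The OR column is true for every row, which is why the original check also locked out RBLXDev; the AND and list columns deny only the constructed outsider.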