Supposing that there is a file on PHP. The file is constantly being read.
I want to stop users from accessing the file first, then delete or edit the file.
How can I do this?
Please refer to this answer.
file locking in php
That covers the locking part. However, to access the file you need to do a loop until the lock is released. Here is a sample algorithm.
define(MAX_SLEEP, 3); // Decide a good value for number of tries
$sleep = 0; // Initialize value, always a good habit from C :)
$done = false; // Sentinel value
$flock = new Flock; // You need to implement this class
do {
if (! $flock->locked()) { // We have a green light
$flock->lock(); // Lock right away
//DO STUFF;
$flock->unlock(); // Release the lock so others can access
$done = true; // Allows the loop to exit
} else if ($sleep++ > MAX_SLEEP) { // Giving up, cannot write
// Handle exception, there are many possibilities:
// Log exception and do nothing (definitely log)
// Force a write
// See if another process has been running for too long
// Check for timestamp of the lock file, maybe left behind after a reboot
} else {
sleep(SLEEP_TIME);
}
} while(! $done);
In this chunk of code it was previously designed to use the session_id. I am trying to convert from using the session_id to using a User ID that is retrieved from the database. I'm not sure what I did wrong but the function is not returning the variable. Any suggestions would be appreciated.
protected function get_user_id() {
//previous code used the session id
//#session_start();
//return session_id();
// New code to use User ID instead of session_id
// Connecting to the database
include ("../../../admin/includes/connect.php");
// Let's get the user ID from the database for use with the widget
$user_id_query = "SELECT nonadmin_user_id FROM `nonadmin_user_login` WHERE email = '$_SESSION[email]'";
$run_query = mysqli_query($conn, $user_id_query);
while($row=mysqli_fetch_array($run_query)){
// Create variable for the user's id
$nonadmin_user_id = $row['nonadmin_user_id']; }
return $nonadmin_user_id;
}
// This function needs to use the variable $nonadmin_user_id
protected function get_user_path() {
if ($this->options['user_dirs']) {
return $this->get_user_id().'/';
}
return '';
}
"Fred you're the man! It was the session. I removed the comment out from in front of the session start and now it works perfect. What baffles me on this is I was under the impression that if you start a session in a file and then include other files the included files did not require the session to be started."
The session needs to be started in order for the session array to be recognized and passed successfully in your query.
Plus, session_start(); is required to be resident inside all files using sessions.
http://php.net/manual/en/function.session-start.php
Add error reporting to the top of your file(s) which will help find errors.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
// rest of your code
Sidenote: Error reporting should only be done in staging, and never production.
For example:
If anyone fails at the login function (for example: enters wrong password) on my webpage, i want to show an error-message at the webpage. My idea was like that:
if(doLogin()) {
//....
}else {
$GLOBAL['errorLogin'] = "Wrong Userdata";
}
and then echo the global-variable in the .html.
But i searched also for this topic and found only this method, but everyone had used the $_SESSION variable for this instead of $GLOBAL.
Is my variant with the $GLOBAL varible wrong or bad practise?
And why use $_SESSION for a error-message, if i only echo the message one time and don't need it in the next request?
I think you mean $GLOBALS (notice the s) which is a suber global variable and therefore can be accessed from anywhere in the PHP script (also from within functions or methods).
There is nothing wrong about that.
I don't think that you should use the $_SESSION variable for that, because the user needs to see the error message only one time. In your case, and in most cases, that's why it might make no sense to store it in a session.
Personally, I just would use a custom errorMessage-Array, like that:
//store all Error Messages in one array.
$errorMessages = array();
if(doLogin()) {
//....
}else {
$errorMessages["Login"] = "Wrong Userdata";
}
//...
foreach($errorMessages as $key=>$message){
echo $key.": ".$message."<br>";
}
This question already has answers here:
Check if PHP session has already started
(27 answers)
Closed 1 year ago.
Per request, there are a few different ways that you can tell whether or not a session has been started, such as:
$isSessionActive = (session_id() != "");
Or:
$isSessionActive = defined('SID');
However, these both fail if you start a session, then close it; session_id() will return the prior session's ID, while SID will be defined. Likewise, calling session_start() at this point will generate an E_NOTICE if you already have a session active. Is there a sane way to check if a session is currently active, without having to resort to output buffering, the shut-up operator (#session_start()), or something else equally as hacky?
EDIT: I wrote a patch to try to get this functionality included in PHP: http://bugs.php.net/bug.php?id=52982
EDIT 8/29/2011: New function added to PHP 5.4 to fix this: "Expose session status via new function, session_status"
// as of 8/29/2011
$isSessionActive = (session_status() == PHP_SESSION_ACTIVE);
EDIT 12/5/11: session_status() on the PHP manual.
See edits to the original question; basically, PHP 5.4 and above now has a function called session_status() to solve this problem!
"Expose session status via new function, session_status" (SVN Revision 315745)
If you need this functionality in a pre-PHP 5.4 version, see hakre's answer.
I worked around this by adding a couple wrapper functions around the various session creation/closing/destroying functions. Basically:
function open_session() {
session_start();
$_SESSION['is_open'] = TRUE;
}
function close_session() {
session_write_close();
$_SESSION['is_open'] = FALSE;
}
function destroy_session() {
session_destroy();
$_SESSION['is_open'] = FALSE;
}
function session_is_open() {
return($_SESSION['is_open']);
}
Hackish, but accomplished what I needed.
I'm running into this as well, and a setting in $_SESSION is not an option for me. For PHP 5.3.8:
If any session has been started with the request, define('SID') will return FALSE, as well as $_SESSION is unset.
This is independent whether or not session_id() has been used to set a session id or not.
After the first session_start(), SID is defined and $_SESSION is set to an empty array.
session_destroy() does unset the session_id(), it's an empty string then. SID will remain defined (and set to it's previous value which might be an empty string). $_SESSION is left unchanged. It will get reset/populated next time session_start is called.
With these states, especially as session_id() can be called in between to set the id for the next session, it's not possible to safely determine the session status with SID, $_SESSION and session_id().
"Trying" with session_start() (e.g. with #) might not be really helpful, as this will change the session status and changing the contents of $_SESSION (and adding a set-cookie header if the cookie was not part of the request). It was not fitting in my case.
While I was running tests, I came across the behaviour, that you can not try to change the ini setting of session.serialize_handler when the session is active, not even when you set it to the same value. Same is true for session.use_trans_sidDocs which is more lightweight. This lead me to the following function:
/**
* #return bool
*/
function session_is_active()
{
$setting = 'session.use_trans_sid';
$current = ini_get($setting);
if (FALSE === $current)
{
throw new UnexpectedValueException(sprintf('Setting %s does not exists.', $setting));
}
$result = #ini_set($setting, $current);
return $result !== $current;
}
As far as I can see, the error is checking for active session status only (not disabled), so this should not return a false positive when sessions are disabled.
To get this function compatible with PHP 5.2, it needs a little modification:
/**
* #return bool
*/
function session_is_active()
{
$setting = 'session.use_trans_sid';
$current = ini_get($setting);
if (FALSE === $current)
{
throw new UnexpectedValueException(sprintf('Setting %s does not exists.', $setting));
}
$testate = "mix$current$current";
$old = #ini_set($setting, $testate);
$peek = #ini_set($setting, $current);
$result = $peek === $current || $peek === FALSE;
return $result;
}
Some sandbox.
The following code only dumps one session_id() for me, not two
session_start();
echo session_id();
session_destroy();
echo session_id();
If you're having difficulties with this still you can try creating a variable to check, that you destroy when you destroy the session.
session_start();
$_SESSION['intialized'] = 'This will not print';
$_SESSION = array(); // Unset all variables
session_destroy();
echo $_SESSION['initialized']; // No output
Here's a good drop in replacement that won't break stuff when you move to 5.4:
if(!function_exists('session_status')){
function session_active(){
return defined('SID');
}
}else{
function session_active(){
return (session_status() == PHP_SESSION_ACTIVE);
}
}
Ken, if the session is destroyed, the $_SESSION array should not be available...or at the very least, your values should be unset. So, in theory (untested) you should be able to check the array for a value to know if anything is currently set.
There are multiple places you need to check to verify the session is active:
1- cookie exists and is not expired
2- underlying session storage mechanism (file system or database) has a record matching the cookie.
I have run into a very interesting problem trying to debug my custom PHP session handler. For some reason unknown to me I can set cookies all the way through the session handler right up until the very start of the write function.
As far as I know session handler calls go in this order.
open -> read -> write -> close
The open function sets a cookie just fine.
function open($save_path,$session_name)
{
require_once('database.php');
require_once('websiteinfo.php');
mysql_connect($sqllocation,$sql_session_user,$sql_session_pass);
#mysql_select_db($sql_default_db);
date_default_timezone_set('America/Los_Angeles');
setcookie("test","test");
return TRUE;
}
The read function can set a cookie right up until the very moment it returns a value.
function read($session_id)
{
$time = time();
$query = "SELECT * FROM 'sessions' WHERE 'expires' > '$time'";
$query_result = mysql_query($query);
$data = '';
/* fetch the array and start sifting through it */
while($session_array = mysql_fetch_array($query_result))
{
/* strip the slashes from the session array */
$session_array = $this->strip($session_array);
/* authenticate the user and if so return the session data */
if($this->auth_check($session_array,$session_id))
{
$data = $session_array['data'];
}
}
setcookie("testcookie1","value1",time()+1000,'/');
return $data;
}
The very first line of the write function is setting another cookie and it cannot because the headers are already sent.
From the manual for session_set_save_handler():
Note: The "write" handler is not
executed until after the output stream
is closed. Thus, output from debugging
statements in the "write" handler will
never be seen in the browser. If
debugging output is necessary, it is
suggested that the debug output be
written to a file instead.
Essentially, writing changes to session data (calling the registered session write function) does not happen until PHP is almost completely done with its execution cycle. By this time, all your output has already been sent and it is not possible to modify the header information, so setcookie() won't work.
You can have it write data earlier by using session_write_close().