I need help with the class below - its not writing to the database and I have no idea why. I know the "read" method is called, but not the "write" method :S
This is the code I'm using:
require '../application/database.php';
$db = new Database('localhost', 'root', '', 'gemgale');
require '../application/session.php';
$session = new Session($db);
session_set_save_handler(
array(&$session, 'open'),
array(&$session, 'close'),
array(&$session, 'read'),
array(&$session, 'write'),
array(&$session, 'destroy'),
array(&$session, 'clean')
);
session_start();
var_dump($session);
$_SESSION['something'] = "gem";
var_dump($_SESSION);
#$session->delete();
#var_dump($_SESSION);
and this is the class ...
class Session
{
###########################################################################
private $expiry = 3600;
private $securityCode = "gnvriev847e8grdinvrdg5e8g4r7fr7rdvreh8^£*^£FGgyhf";
private $tableName = "session_data";
###########################################################################
private $dbh;
function __construct(Database $db)
{
$this->dbh = $db->getConnection();
ini_set('session.cookie_lifetime', 0);
ini_set('session.gc_maxlifetime', $this->expiry);
}
function open($save_path, $session_name)
{
return true;
}
function close()
{
return true;
}
function read($session_id)
{
echo $session_id;
print "READING";
$time = time();
$hua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$hua = $hua . $this->securityCode;
$hua = md5($hua);
try {
$stmt = $this->dbh->prepare("
SELECT session_data
FROM :tableName
WHERE session_id = :sesID
AND session_expire > :time
AND http_user_agent = :hua
LIMIT 1
");
$stmt->bindParam("tableName", $this->tableName);
$stmt->bindParam("sesID", $session_id);
$stmt->bindParam("time", $time);
$stmt->bindParam("hua", $hua);
$stmt->execute();
} catch (PDOException $e) {
echo $e->getMessage();
return false;
}
$rs = $stmt->fetch();
if (!$rs)
return '';
else
return $rs['session_data'];
}
function write($session_id, $session_data)
{
print "WRITING";
$expiry = time() + $this->expiry;
$hua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$hua = $hua . $this->securityCode;
$hua = md5($hua);
try {
$stmt = $this->dbh->prepare("
INSERT INTO :tableName (
session_id,
http_user_agent,
session_data,
session_expiry
)
VALUES (
:sessID,
:hua,
:sdata,
:expiry
)
ON DUPLICATE KEY UPDATE
session_data = :sdata,
session_expire = :expiry
");
$stmt->bindParam("tableName", $this->tableName);
$stmt->bindParam("sessID", $session_id, PDO::PARAM_STR);
$stmt->bindParam("hua", $hua);
$stmt->bindParam("sdata", $session_data, PDO::PARAM_STR);
$stmt->bindParam("expiry", $expiry);
$stmt->execute();
} catch (PDOException $e) {
echo $e->getMessage();
return false;
}
if ($stmt->rowCount() > 1)
return true;
else
return '';
}
function destroy($session_id)
{
try {
$stmt = $this->dbh->prepare("
DELETE FROM :tableName
WHERE session_id = :id
");
$stmt->bindParam("tableName", $this->tableName, PDO::PARAM_STR);
$stmt->bindParam("id", $session_id, PDO::PARAM_STR);
$stmt->execute();
} catch (PDOException $e) {
echo $e->getMessage();
return false;
}
return true;
}
function clean($maxLifeTime)
{
try {
$x = time() - $maxLifeTime;
$stmt = $this->dbh->prepare("
DELETE FROM :tableName
WHERE session_expire < :x
");
$stmt->bindParam("tableName", $this->tableName, PDO::PARAM_STR);
$stmt->bindParam("x", $x, PDO::PARAM_INT);
$stmt->execute();
} catch (PDOException $e) {
die($e->getMessage());
}
return true;
}
function delete()
{
$oldID = session_id();
session_regenerate_id();
$this->destroy($oldID);
session_unset();
session_destroy();
}
function getActive()
{
$this->clean($this->expiry);
try {
$stmt = $this->dbh->prepare("
SELECT COUNT(session_id) as count
FROM :tableName
");
$stmt->bindParam("tableName", $this->tableName, PDO::PARAM_STR);
$stmt->execute();
$rs = $stmt->fetch();
return $rs['count'];
} catch (PDOException $e) {
die($e->getMessage());
}
}
}
Hope you guys can help :)
Thanks,
Gem
One, you don't need to pass by reference. Do this instead:
session_set_save_handler(
array($session, 'open'),
array($session, 'close'),
array($session, 'read'),
array($session, 'write'),
array($session, 'destroy'),
array($session, 'clean')
);
To test if the save/write is working, you could try this:
session_start();
$_SESSION['something'] = "gem";
session_write_close();
echo "- Foo";
This should trigger a write to the session store and flush anything to be written. In this case it should display WRITING- Foo if your write method is being called.
If the DB is not being written, but the method is being called, there are other issues.
The first thing I'd look at is the :tableName you're replacing in the prepared statement. You cannot prepare-replace column names or tables. Change your statement to this:
$stmt = $this->dbh->prepare("
INSERT INTO ".$this->tableName." (
session_id,
http_user_agent,
session_data,
session_expiry
)
VALUES (
:sessID,
:hua,
:sdata,
:expiry
)
ON DUPLICATE KEY UPDATE
session_data = :sdata,
session_expire = :expiry
");
If you do substitue in variables for table names or columns, make sure you whitelist them before using to be safe against opening an injection hole.
Related
I'm currently learning php and trying to write session data to my database without success.
I have a setup with Apache24, PHP 7 environment and Postgresql database.
When I instantiate sessionhandling class ($sess = new sessionhandling) in my other PHP file nothing is written to database. However, when I pass variable to and call the write function ($sess->write), data is written to the database.
(Hope this is not a duplicate of any other questions raised. Done a lot of searches on Stackoverflow and Google, but not found any answers that solve my challenge)
My session handler code is as follows:
<?php
Include(dirname(__DIR__).'\Userstories\db\Connection.php');
class sessionhandling extends Connecting implements SessionHandlerInterface {
public function __construct(){
// Set handler to overide SESSION
session_set_save_handler(
array(&$this, "open"),
array(&$this, "close"),
array(&$this, "read"),
array(&$this, "write"),
array(&$this, "destroy"),
array(&$this, "gc")
);
register_shutdown_function('session_write_close');
// Start the session
session_start();
session_write_close;
}
public function open($save_path, $id) {
if(self::get()->connect()) {
return true;
} else {
return false;
}
}
public function close() {
if(self::get()->connect()->pdo = Null) {
return true;
} else {
return false;
}
}
public function read($id) {
//$pdo = Connecting::get()->connect();
$ipdo = self::get()->connect();
$q_udata = "SELECT data FROM sessions WHERE id=:id";
$stmt=$ipdo->prepare($q_udata);
$stmt->bindvalue(':id', $id);
$stmt->execute();
if($stmt->execute()) {
$row = $stmt->fetch(PDO::FETCH_ASSOC);
$ipdo = NULL;
return $row['data'];
} else {
$ipdo = NULL;
return '';
}
}
public function write($id, $data){
$id = (string) $id;
$data = (string) $data;
$access = time();
$ipdo = self::get()->connect();
$c_id = "SELECT id FROM sessions WHERE id=:id";
$stmt=$ipdo->prepare($c_id);
$stmt->bindvalue(':id', $id);
$stmt->execute();
$idarray=$stmt->fetch(PDO::FETCH_ASSOC);
$row_id = $idarray['id'];
if(empty($row_id)) {
$sessionids = 'INSERT INTO sessions(id, data, access) VALUES(:id, :data, :access)';
$stmt = $ipdo->prepare($sessionids);
$stmt->bindvalue(':id', $id);
$stmt->bindvalue(':access', $access);
$stmt->bindvalue(':data', $data);
$stmt->execute();
session_write_close();
} else {
$rep_data = "UPDATE sessions SET data = :data, access = :access WHERE id = :id";
$stmt=$ipdo->prepare($rep_data);
$stmt->bindvalue(':id', $id);
$stmt->bindvalue(':access', $access);
$stmt->bindvalue(':data', $data);
$stmt->execute();
session_write_close();
}
if($stmt->execute()) {
$ipdo = NULL;
return true;
} else {
$ipdo = NULL;
return false;
}
}
public function destroy($id) {
$ipdo = self::get()->connect();
$del_data = "DELETE FROM sessions WHERE id =:id";
$stmt = $ipdo->prepare($del_data);
$stmt->bindvalue(':id', $id);
$stmt->execute();
if($stmt->execute()) {
$ipdo = NULL;
return true;
} else {
$ipdo = NULL;
return false;
}
}
public function gc($max) {
$old = time() - $max;
$ipdo = self::get()->connect();
$cleanup = "DELETE * FROM sessions WHERE access < :old";
$stmt = $ipdo->prepare($cleanup);
$stmt->bindvalue(':old', $old);
$stmt->execute();
if($stmt->execute()) {
$ipdo = NULL;
return true;
} else {
$ipdo = NULL;
return false;
}
}
}
?>
When I remove the 'implements SessionHandlerInterface' sessionhandling class and remove the parameters $save_path, $id from open function, I get the following error: "Warning: session_start(): Failed to read session data: user (path: ) in C:\Users\Public\Server\Apache24\htdocs\Userstories\sessionhandling.php on line 19"
Is it reuiqred to define the $save_path when using DB for session handling? If so, what should the $save_path be?
Any advise on how to get my session handler to write to DB is very much appreciated.
I made ut work by changing my read function to this and ensuring that a string is returned:
public function read($id) {
//$pdo = Connecting::get()->connect();
$ipdo = self::get()->connect();
$q_udata = "SELECT data FROM sessions WHERE id=:id";
$stmt=$ipdo->prepare($q_udata);
$stmt->bindvalue(':id', $id);
$stmt->execute();
if($stmt->execute()) {
$row = $stmt->fetch(\PDO::FETCH_ASSOC);
$ipdo = NULL;
$data = $row['data'];
return (string) $data;
} else {
$ipdo = NULL;
return '';
}
}
I know this has been pointed out in other posts, but I thought that my $data = $row['data'] would return a string in the first place.
I make users online page using PHP - OOP - PDO
include_once '../database.php';
$db = new database();
$getRows = $db->getRows('select * from visitors_online');
$gr = $db->rowCount();
$online = '';
$getRow = $db->getRow('select * from user_online');
$gr2 = $db->rowCount();
if(!empty($gr2)) {
try {
while ($getR = $getRow){
$getRow = $db->getRow('select * from users where id = ?',[$getR['session']]);
echo ',   '.$getRow['username'].'   ';
}
} catch (PDOException $e) {
die('Error :'. $e->getMessage());
}
$total = $gr + $gr2;
The problems is:
* Not show any users except Admin, also I got this :
ONLINE
admin
Notice: Undefined index: session in /Applications/MAMP/htdocs/baws/admin/online.php on line 56
,
.Users = 0 ,Member = 2 , Register = 2
Who is online list
Here is the function from Database class
// Get row by id, username, or email etc..
public function getRow($query, $para = []){
try {
$this->stmt = $this->datab->prepare($query);
$this->stmt->execute($para);
return $this->stmt->fetch();
} catch (PDOException $e) {
throw new Exception($e->getMessage());
}
}
Any Help
Thanks
I tried to simplify a bit your code as I do not know your class details and it s messy.
The problem is you are not binding stuff properly neither fetching them properly too. Also, you are preparing the second query, each time you loop inside the query 1 results , that is useless. prepare both (withyour class or not) and just bind and execute.
$stmt1 = $db->prepare('select * from user_online where id= ?');
$result1 = getRows($stmt1, "1");
$gr1 = $db->rowCount();
if (!empty($gr1)) {
$stmt2 = $db->prepare('select * from users where id = ?');
foreach ($result1 as $key1 => $h1) {
$stmt2->bindParam(1, $h1['session'], PDO::PARAM_INT);
$stmt2->execute();
$result2 = $stmt2->fetchAll(PDO::FETCH_ASSOC);
if (count($result2) !== 0) {
foreach ($result2 as $key2 => $r2) {
echo ',   ' . $r2['username'] . '   ';
}
}
}
}
function getRow($query, $para) {
$stmt1->bindParam(1, $para, PDO::PARAM_INT);
try {
$stmt1->execute($para);
$result1 = $stmt1->fetchAll(PDO::FETCH_ASSOC);
return $result1;
} catch (PDOException $e) {
throw new Exception($e->getMessage());
}
}
Please find the database class here
class database {
public $isConn;
protected $datab;
private $stmt;
public function __construct() {
$this->connect();
}
// connect to database
private function connect(){
$host = 'localhost';
$db = 'baws';
$user = 'root';
$pass = 'root';
$option = [];
$this->isConn = TRUE;
try {
$this->datab = new PDO('mysql:host='.$host.';dbname='.$db.';charset=utf8', $user, $pass, $option);
$this->datab->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$this->datab->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
} catch (PDOException $e) {
echo '<h3>Not connected</h3>' . $e->getMessage();
}
}
// Disconnected from database
private function disconnect(){
$this->isConn = NULL;
$this->datab = FALSE;
}
//insert to database
public function insertRow($query, $para = []){
try {
$this->stmt = $this->datab->prepare($query);
$this->stmt->execute($para);
return TRUE;
} catch (PDOException $e) {
throw new Exception($e->getMessage());
}
}
//update row to database
public function updateRow($query, $para = []){
$this->insertRow($query, $para);
}
//Delete row from database
public function deleteRow($query, $para = []){
$this->insertRow($query, $para);
}
// Get row by id, username, or email etc..
public function getRow($query, $para = []){
try {
$this->stmt = $this->datab->prepare($query);
$this->stmt->execute($para);
return $this->stmt->fetch();
} catch (PDOException $e) {
throw new Exception($e->getMessage());
}
}
}
online.php Page
ob_start();
echo "ONLINE <br>";
include_once '../database.php';
$db = new database();
try {
$session=$_COOKIE['id'];
$time=time();
$time_check=$time-300; //SET TIME 10 Minute
$getRow = $db->getRow("SELECT * FROM user_online WHERE session = ?", [$session]);
$count =$db->rowCount($getRow);
if($count == '0'){
$insertRow = $db->insertRow("INSERT INTO user_online(session, time)VALUES(? , ?)",[$session, $time ]);
}
elseif($count != '0'){
$updateRow = $db->updateRow("UPDATE user_online SET time = ? WHERE session = ?", [$time, $session]);
}else{
$deleteRow = $db->deleteRow("DELETE FROM user_online WHERE time < ? ", [$time_check]);
}
} catch (PDOException $e) {
die('Error :'. $e->getMessage());
}
try {
$ip=$_SERVER['REMOTE_ADDR'];
$session=$ip;
$time=time();
$time_check=$time-300; //SET TIME 10 Minute
$deleteRow = $db->deleteRow("DELETE FROM visitors_online WHERE time < ? ", [$time_check]);
} catch (PDOException $e) {
throw new Exception($e->getMessage());
}
$getRows = $db->getRows('select * from visitors_online');
$gr = $db->rowCount();
$online = '';
$getRow = $db->getRow('select * from user_online');
$gr2 = $db->rowCount();
if(!empty($gr2)) {
try {
while ($getR = $getRow){
$getRow = $db->getRow('select * from users where id = ?',[$getR['session']]);
echo ',   '.$getRow['username'].'   ';
}
} catch (PDOException $e) {
die('Error :'. $e->getMessage());
}
$total = $gr + $gr2;
} //end
I am in the process of learning PDO and am trying to implement it in my current project. When I used mysqli, I could get detailed info about any error using mysqli_error($connection). I googled at what the comparable for PDO would be and found this post, and decided to implement it in my code. However, I am unable to get any error messages even when I know there is an obvious error in the sql statement.
Relevant code:
class Database {
public $connection;
function __construct() {
$this->open_database_connection();
}
public function open_database_connection() {
try {
$this->connection = new PDO('mysql:host=' . DB_HOST . ';dbname=' . DB_NAME, DB_USER, DB_PASSWORD);
$this->connection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$this->connection->setAttribute( PDO::ATTR_EMULATE_PREPARES, false);
} catch(PDOException $e) {
echo $e->getMessage();
die('Could not connect');
}
} // end of open_database_connection method
public function query($sql, $params = []) {
try {
$query = $this->connection->prepare($sql);
} catch (Exception $e) {
var_dump('mysql error: ' . $e->getMessage());
}
foreach($params as $key => $value) {
if ($key === ':limit') {
$query->bindValue($key, $value, PDO::PARAM_INT);
} else {
$query -> bindValue($key, $value);
}
}
try {
$query->execute();
} catch(Exception $e) {
echo 'Exception -> ';
var_dump($e->getMessage());
}
/*
DID NOT WORK:
if (!$query->execute()) {
print_r($query->errorinfo());
}*/
$result = $query->fetchAll(PDO::FETCH_ASSOC);
$this->confirm_query($result);
return $result;
} // end of query method
function confirm_query($query) {
if (!$query) {
die('mysql error: ');
}
}
When I run the code, I do get the "mysql error", but I do not get any details about it. What am I doing wrong?
Update: As requested, I am providing additional details below.
What I am trying to do is get the user's login detail to be verified. To that end, once the user inputs his credentials , this code runs:
if (isset($_POST['submit'])) {
$username = trim($_POST['username']);
$password = trim($_POST['password']);
//check the database for the user
$user_found = User::verify_user($username, $password);
Relevant code from the User class:
public static function verify_user($username, $password) {
global $db;
$username = $db->escape_string($username);
$password = $db->escape_string($password);
$values = [ ":username" => $username,
":password" => $password,
":limit" => 1
];
$result_array = self::find_this_query("SELECT * FROM users WHERE username=:username AND password=:password LIMIT :limit", true, $values);
return !empty($result_array)? array_shift($result_array) : false;
}
public static function find_this_query($sql, $prepared = false, $params = []) {
global $db;
$the_object_array = array();
$result = $db->query($sql, $params);
$arr_length = count($result);
for ($i = 0; $i < $arr_length; $i++) {
$the_object_array[] = self::instantiation($result[$i]);
}
return $the_object_array;
}
public static function instantiation($the_record) {
$the_object =new self; //we need new self because $the_record corresponds to one user!
foreach($the_record as $the_attribute => $value) {
if ($the_object->has_the_attribute($the_attribute)) {
$the_object->$the_attribute = $value;
}
}
return $the_object;
}
public function has_the_attribute($attribute) {
$object_properties = get_object_vars($this);
return array_key_exists($attribute, $object_properties);
}
You have to use PDO::errorInfo():
(...)
public function query($sql, $params = []) {
try {
$query = $this->connection->prepare($sql);
if( !$query )
{
$error = $this->connection->errorInfo();
die( "mysql error: {$error[2]}" );
}
} catch (Exception $e) {
var_dump('mysql error: ' . $e->getMessage());
}
(...)
}
PDO::errorInfo returns an array:
Element 0: SQLSTATE error code (a five characters alphanumeric identifier defined in the ANSI SQL standard);
Element 1: Driver-specific error code;
Element 2: Driver-specific error message.
Thanks for your help in advance.
I have just migrated my webserver from apache to nginx. Session information was happily being stored in the database previously, now for some reason they are writing to the /tmp directory.
Here is the code to set the session handler:
session_write_close();
$sess = new sessionHandler();
session_set_save_handler(array($sess, 'open'),
array($sess, 'close'),
array($sess, 'read'),
array($sess, 'write'),
array($sess, 'destroy'),
array($sess, 'gc'));
register_shutdown_function('session_write_close');
session_start();
$cookieLifetime = 365 * 24 * 60 * 60;
setcookie(session_name(),session_id(),time()+$cookieLifetime);
and here is the session handler class:
class appSessionHandler {
private $db;
public function open($save_path, $session_name) {
$this -> db = new appSql();
return true;
}
public function close() {
$this -> db -> close();
}
function read($id) {
// Create Memcache Class
$memcache = new memcacher();
var_dump('123');
// Check Memcache
$memcache->key = 'session-' . $id;
$memcache->get();
// If results is in memcache
if ($memcache->result != false){
$res = $memcache->result;
return $res;
}
// Else get the result from sql and update cache
else{
$this->open();
$this->db->sqlQuery = "SELECT data FROM session WHERE id = :id";
$this->db->params = array('id' => $id);
$res = $this->db->sqlQuery();
if (count($res) >= 1){
$memcache->input = $res[0]->data;
$memcache->duration = 2000;
$memcache->set();
return $res[0]->data;
}
return '';
}
}
function write($id, $data) {
$access = time();
$this->open();
// Create Memcache Class
$memcache = new memcacher();
// Check Memcache
$memcache->key = 'session-' . $id;
$memcache->input = $data;
$memcache->duration = 2000;
$memcache->set();
$this->db->sqlQuery = "REPLACE INTO session VALUES (:id, :access, :data)";
$this->db->params = array('id' => $id, 'access' => $access, 'data' => $data);
return $this->db->sqlQuery();
}
function destroy($id) {
// Delete From SQL
$this->open();
$this->db->sqlQuery = "DELETE FROM session WHERE id = :id";
$this->db->params = array('id' => $id);
// Create Memcache Class
$memcache = new memcacher();
// Check Memcache
$memcache->key = 'session-' . $id;
$memcache->delete();
return $this->db->sqlQuery();
}
function gc($max) {
$old = time() - $max;
$this->open();
$this->db->sqlQuery = "DELETE FROM session WHERE access < :old";
$this->db->params = array('old' => $old);
return $this->db->sqlQuery();
}
public function killUserSession($username){
$this->open();
$this->db->sqlQuery = "delete from session where data like('%userID|s:%\" :username %\";first_name|s:%')";
$this->db->params = array('username' => $username);
$this->db->sqlQuery();
}
}
I am lost!
Today i tired pass from the mysql connection to PDO. And i met a problem.
require('config.php');
function GetAll($query, $params) {
global $db;
try {
$sth = $db->prepare($query);
}
catch (PDOException $e) {
return null;
}
try {
$sth->execute($params);
}
catch (PDOException $e) {
return null;
}
$result = $sth->fetchAll();
return $result;
}
if ($fetch = GetAll("SELECT `loggedip` FROM `ipcheck` WHERE `loggedip`=':ipcheck'", array(":ipcheck" => $iptocheck))) {
$resultx = $db->prepare("SELECT `failedattempts` FROM `ipcheck` WHERE `loggedip`='$iptocheck'");
$resultx->execute();
while ($rowx = $resultx->fetch()) {
;
}
$loginattempts_total = $rowx['failedattempts'];
echo "$loginattempts_total";
if ($loginattempts_total > $maxfailedattempt) {
header(sprintf("Location: %s", $forbidden_url));
exit;
}
}
this is my script. in PDO and his don't work. when my ip is banned should not see, but i see the page. PLEASE HELP ((