Here's the scenerio of what is happening in the script:
Session is start.
$id is set to a number (tournament ID number).
Result:
User SESSION vars are reset with the ID number and the ID number's respective user data. Essentially logging the user in under a different account.
Troubleshooting:
Renaming $id to $tid stops the glitch.
Not starting the session (session_start()) stops the glitch.
Thought Process:
$id must overwrite similar variable which is inside a block which contains:
if(isset( $_SESSION['someVar'] )) {
$id = "some Value";
}
Since $id is only overwritten when session is started.
The Problem:
There is no block of code that uses that syntax.
Here's the call stack.
jointourney.php
<?
session_start();
$id = (isset($_POST['id'])) ? $_POST['id'] : false;
include("html.php");
?>
html.php
<?
if(session_id() == '') session_start();
if(!function_exists('isLogged')) include("includes/islogged.inc.php");
include("includes/autologin.inc.php");
$query = mysql_query("SELECT value FROM config WHERE name='shutdown'");
$query = mysql_fetch_array($query);
$shutdown = end($query);
if(!class_exists('ban')) include("class/ban.class.php");
$ban = new ban();
if(isLogged()){
$ban->setUsername($_SESSION['username']);
}
$user_level = (isset($_SESSION['user_level'])) ? $_SESSION['user_level'] : "0";
$ban->setIP($_SERVER['REMOTE_ADDR']);
if((strlen($shutdown) > 0 || $ban->isBanned()) && $user_level == 0 && strtolower($_SERVER['REQUEST_URI']) != "/login.php"){
if(strtolower($_SERVER['REQUEST_URI']) != "/error.php"){
header("Location: ./error.php");
}
}
?>
islogged.inc.php
File not needed, no variables set: only returns true/false.
autologin.inc.php
<?
if(!class_exists('login')) include("./class/login.class.php");
$login = new Login();
if(isset($_COOKIE['username'],$_COOKIE['password']) && !$login->isLoggedIn()){
$login->setUsername($_COOKIE['username']);
$login->setPasswordDirect($_COOKIE['password']);
if(!$login->_error){
$login->processLogin();
}
}
?>
As you see, there is absolutely no place where jointourney.$id can overwrite - since there is no other variable called $id being used.
Note: There are no variables that are being set globally (i.e. global $id)
I do not understand why this is happening, are you guys able to figure this out? Everything you see here is exactly how it looks (minus HTML).
Turn register_globals Off in your server's php.ini.
Related
Am new to php, so any help would be greatly appreciated. I have a page to create account for users, and while creating account, there is a select field which has three specific value to select from "notfcode" "tfail" **"tfcode".
There is another page check.php which allows the user check his ttype. What i want to do is make the page try to read the sql table row which is ttype and if the value present on the user's account is "notfcode" it redirects to notfcode.php page, if its "tfail" it redirects to tfail.php and if its "tfcode" it stays on the page. below is the code i have been battling with without success.
<?php session_start();
include_once ('session.php');
require_once 'class.user.php';
if(!isset($_SESSION['acc_no'])){
header("Location: login.php");
exit();
}
$reg_user = new USER();
$stmt = $reg_user->runQuery("SELECT * FROM account WHERE acc_no=:acc_no");
$stmt->execute(array(":acc_no"=>$_SESSION['acc_no']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
$email = $row['email'];
$temp = $reg_user->runQuery("SELECT * FROM transfer WHERE email = '$email' ORDER BY id DESC LIMIT 1");
$temp->execute(array(":acc_no"=>$_SESSION['acc_no']));
$rows = $temp->fetch(PDO::FETCH_ASSOC);
$transfertype = $row['ttype'];
if(isset($_SESSION['acc_no'])){
$transfertype = $row['ttype'];
if($transfertype == nocodetf){
header("Location: nocodetf.php");
}
elseif($transfertype == tfail){
header("Location: nocodetf.php");
}
else {
header("Location: check.php");
}
}
include_once ('counter.php');
?>
When the page loads up, it does nothing, no redirects which is what i intend. A pointer in the right direction will be appreciated.
This are strings.
if($transfertype == "nocodetf"){
or
if($transfertype == 'nocodetf'){
Activate PHP error reporting than PHP shows you this.
error_reporting(E_ALL);
ini_set('display_errors', 1);
$transfertype = "foo";
if ($transfertype == nocodetf) { # <-- as you did it
//...
}
// <b>Warning</b>: Use of undefined constant nocodetf - assumed 'nocodetf' (this will throw an Error in a future version of PHP) in ...
I was finally able to resolve it using this code
<?php
$transfertype = $row['ttype'];
if($transfertype == 'nocodetf'){
header('Location: nocodetf.php'); }
else if($transfertype == 'failtf'){
header('Location: failtf.php');
exit();
}
?>
The problem seemed to be in the fact that i wasn't quoting the value which php should try to get from the sql column.
I cannot figure this out. Sometimes after the redirect (see code below), the session variables are lost. Any ideas?
Note the script is initially called with ?p=1&u=2&k=3.
As you can see, the script redirects to itself. The session variables something are lost after the redirect.
<?php
session_start();
if ((isset($_SESSION['p'])) and ($_SESSION['p'] != "")) {
// do something
} else {
$_SESSION['p'] = $_GET['p'];
$_SESSION['w'] = $_SERVER["HTTP_HOST"];
$_SESSION['u'] = $_GET['u'];
$_SESSION['k'] = $_GET['k'];
header("Location: http://".$_SESSION['w'].$_SERVER['PHP_SELF']."");
exit();
}
?>
Cheers
Copied and pasted your code and it works just fine for me.
Do you maybe have some spaces or whatever before your <?php-tag?
I am not sure why it happens.
Probably you have some misconfiguration on your php.ini file.
Or you don't have the right session.save_path or permissions to write there.
But if the problem persists, try this way:
<?php
session_start();
if (!$_SESSION['p']) {
$_SESSION['p'] = $_GET['p'];
$_SESSION['w'] = $_SERVER["HTTP_HOST"];
$_SESSION['u'] = $_GET['u'];
$_SESSION['k'] = $_GET['k'];
}
//code comes here
?>
In my opinion, this is the way things should be done.
My website works fine on localhost, but once I deploy it to my hosting service, the session stops working.
<?php
session_start();
session_save_path('log/session.txt');
ini_set('session.gc_probability', 1);
error_reporting(E_ALL ^ E_NOTICE);
date_default_timezone_set("Asia/Jakarta");
require_once 'jadwal/calendar/tc_calendar.php';
include "../metode/data.php";
include "../metode/jalan.php";
include "../metode/perintah.php";
include "../metode/gambar.php";
//session
$queryadmin = mysql_query("select * from root");
$dataadmin = mysql_fetch_row($queryadmin);
$id = $dataadmin[0];
$key1 = $dataadmin[1];
if (isset($_POST['admin'])) {
$_SESSION['id'] = $_POST['x'];
$_SESSION['key1'] = $_POST['xx'];
}
if (isset($_POST['root'])) {
$_SESSION['user'] = $_POST['xxx'];
$_SESSION['key2'] = $_POST['xxxx'];
}
if (isset($_POST['clear'])) {
$_SESSION['id'] = "";
$_SESSION['key1'] = "";
$_SESSION['user'] = "";
$_SESSION['key2'] = "";
}
if (isset($_POST['exit'])) {
$_SESSION['id'] = "";
$_SESSION['key1'] = "";
}
//access
if ($_SESSION['id'] == $id && $_SESSION['key1'] == $key1) {
$user = $dataadmin[3];
$key2 = $dataadmin[2];
if ($_SESSION['user'] == $user && $_SESSION['key2'] == $key2) {
mysql_query("insert into root history values('','".$_POST['day']."','".$_POST['time']."')");
print "<br><br><br>";
include_once "jembatan.php";
} else {
include "root.php";
}
}
else {
include "admin.php";
}
?>
If you need me to show any other files, just ask.
Could be the way your hosting set up their PHP. Try printing phpinfo() on the host and check their settings.
To run the phpinfo function, just run a script that looks something like this:
<?php
phpinfo();
?>
The output will include a huge list of settings, but you're looking for this section right her:
Note how my settings says Session Support = enabled. That's what indicates that my host (localhost, in my case) supports sessions.
Make sure there is no space or new line before onpenning the <?php tag, because you code here contains 3 spaces before it.
As late as this answer may be coming in, i recently ran into the same problem and after much trial and error. I found out the having the slightest HTML tag above your session could stop session from not registering.
So ensure the first thing you have at the top is
<?php
session_start();
?>
I have a login and session creation script for a cms. It checks an admin file for correct details otherwise does a SQL query for user details. A session variable is set depending on which is successful then the according page loaded.
The script works on PHP 5.2 but I've been trying to rewrite the code to fix deprecated functions for PHP 5.4, register_globals and $http_session_vars in particular. The problem I think I am getting is that the variable ($s_Vers) is not being set properly as it's utilising an array.
To get around register_globals:
$aPwd = $_REQUEST['aPwd'];
$aLogin = $_REQUEST['aLogin'];
$lname = $_REQUEST['lname'];
$pswd = $_REQUEST['pswd'];
This seems to be working fine.
For $HTTP_SESSION_VARS I've replaced all instances with $_SESSION. I'm going to assume it's not that simple. An extract of the if statement that should set $s_vers for the admin.
if ( $lname === $aLogin
&& (( $aPwd && md5($pswd) === $aPswd )
|| (!$aPswd && $name === $pswd )) )
{
$s_Vers = $_SESSION["s_Vers"] = 0;
$s_aid = $_SESSION["s_uid"] = 0;
}
After this there is an else statement to run an SQL query for the user login details.
Then there is this:
else $wrong = true;
}
if( isset($_SESSION["s_Vers"]) && !#$wrong )
{
include "setup.php";
if( $s_Vers == 0 )
header("Location: adminpage.php");
else
header("Location: userpage.php");
exit();
}
Is there anything in the above that is glaringly wrong?
The session variables are being stored in the session array which looks like this:
session_start();
$session_array = array("username", "password", "s_uid", "s_Vers");
So what happens when I enter the admin details is that I see it direct to the adminpage.php as it should then it logs me out. I guess due to this:
if ( (!IsSet($curmode) && !$username) || isset($logout)
|| $s_Vers != $_SESSION["s_Vers"]
|| $s_uid != $_SESSION_["s_uid"]
)
{
$username = "";
$password = "";
$curmode = 0;
session_destroy();
// echo "Here";
// exit();
// Header("Location: http://".$g_AfterLogoutURL);
?>
<HTML>
<HEAD>
<TITLE>Not Authorised</TITLE>
<meta http-equiv="refresh" content="1;url=login.php">
</HEAD>
<SCRIPT language="javascript">
parent.location="login.php";
</SCRIPT>
<BODY>
</BODY>
</HTML>
<?
exit();
}
s_Vers is being set as global in two functions that are in a required file, but not executed until the adminpage is loaded.
There's other parts to the script with requires and variable declarations but not related to the session or login sequence.
Anyone know where I'm going wrong, or can provide a solution?
Check $_SESSION["s_Vers"] using var_dump();, bec. for
$s_Vers = $_SESSION["s_Vers"] = 0;
variables should be of one and the same type, otherwise = operator will not take place.
In your case it should be (int), bec. last item (which is 0) is of (int) type.
In my temp_file.php i have a variable (array)
<?php
$temp = array();
?>
No in my currentPage.php i am using this
<?PHP
include 'temp_file.php';
///giving some value to $id and calling same page again
array_push($GLOBALS['temp'],$id);
?>
I want to use this temp array to append a value each time i call the same file(CurrentPage.php) but include 'temp_file.php'; statement is executing every time and i am getting single element to my array that i was last pushed.
Can any one help me is there any way in php to skip this include statement from second time to till the session end.
Since you mention sessions in your question, you must know about them. Then, why don't you store $temp variable in session, like:
$_SESSION['temp'] = $temp?
This is what you need ?
<?PHP
session_start();
if (!isset($_SESSION['temp']) {
$_SESSION['temp'] = array($id);
} else {
$_SESSION['temp'][] = $id;
}
$f = array_count_values($_SESSION['temp']);
if ($f[$id] < $Limit) {
include 'temp_file.php';
} else {
// Error
}
?>
You can store your array in $_SESSION, so your temp_file.php will become:
<?php
if(!$_SESSION['temp']) {
$_SESSION['temp'] = array();
}
?>
and your current page like this:
<?php
include 'temp_file.php';
array_push($_SESSION['temp'],$id);
?>
And you have to be careful to destroy your session variables when it ends.
None of the answers are correct.
include_once() will not work for you, as you will be loading the page again, even if it is the second time, as with every load the php will execute from the top.
Because include_once() will only stop the redundant inclusion in same execution, not multiple.
Here is a simple workaround to your problem
<?PHP
if(!isset($_SESSION['include']) || !$_SESSION['included'])) {
// ^ Check if it was included before, if not then include it
include 'temp_file.php';
$_SESSION['included'] = true; //set a session so that this part never runs again for the active user session
}
///giving some value to $id and calling same page again
array_push($GLOBALS['temp'],$id);
?>
<?PHP
if (!isset($GLOBALS['included_temp_file']) || $GLOBALS['included_temp_file'] != true) {
include_once 'temp_file.php';
$GLOBALS['included_temp_file'] = true;
}
///giving some value to $id and calling same page again
array_push($GLOBALS['temp'],$id);
?>