I have a Notices class which is used to provide one-time message notifications. The notifications are stored in a Kohana session (cookie) and my getter looks like this (echos are there for debugging purposes):
private static function _get($key)
{
$session = Session::instance();
$value = $session->get($key);
echo $key . ': ' . $session->get($key) . '<br />';
$session->delete($key);
echo 'deleted ' .$key. ', value now: ' .$session->get($key). '<br /><br />';
return $value;
}
Now, one page I use this class on is the login page. When a user enters incorrect login info it does what I expect it too: displays an error saying "username/password incorrect". This message should then be deleted as I've called the getter and the getter deletes it from the session.
However, this is not the case. The message is shown on the next page too. And if I go to any other page which displays notifications, the error is shown there too, until a different error is displayed (say if I enter information on another form incorrectly).
This is what is displayed from the echo's on the page:
error: Username/password combination is incorrect.
deleted error, value now:
Which suggests that the value is being deleted, but it's still showing the same thing when I refresh the page.
If it helps this is what the process of setting an error message is like, from a controller I call Notices::error('message'); which calls this method:
public static function error($value = NULL)
{
return Notices::_notice('error', $value);
}
which calls:
private static function _notice($key, $value)
{
// If value is not NULL, then store the notice
if ( ! is_null($value))
{
Notices::_set($key, $value);
return TRUE;
}
else
{
// If value is not NULL. retieve key and format HTML
if ( ! is_null($value = Notices::_get($key)))
{
return "$value";
}
// If the key does not exist return empty string
else
{
return '';
}
}
}
and the setter looks like this:
private static function _set($key, $value)
{
Session::instance()->set($key, $value);
return TRUE;
}
If session settings are playing up on you, check two things:
Your browser cache is not so aggressive that it appears to hold on to remnants of elements unless you force flush it.
You're not also setting the session in the same method, thus having it re-fill the variable when you refresh the page or call the method again.
You should also check out the existing get_once method in the Kohana_Session class that destroys the variable after it's done taking it out of the $_SESSION variable:
/**
* Get and delete a variable from the session array.
*
* $bar = $session->get_once('bar');
*
* #param string variable name
* #param mixed default value to return
* #return mixed
*/
public function get_once($key, $default = NULL)
{
$value = $this->get($key, $default);
unset($this->_data[$key]);
return $value;
}
Related
First time I noticed this today whilst using a PHP class static attribute $limit as a query limit parameter for a raw prepared statement as in
/**
* #var int
*/
private static $limit = 100;
// ....
$query = <<<EOT
SELECT id FROM table t WHERE t.id > 0 LIMIT ? EOT;
$recs = \DB::select($query, [self::$limit]);
So the above query throws an error which upon examination seemed to me to stem from the fact that the query builder took it for a string. If I change the select statement to be as follows it all runs as expected
$mcdrs = \DB::select($query, [(int)self::$limit]);
So, whilst this is not a problem per se, I am just curious as to whether is a known fact that class attributes in PHP are always set as strings.
I even changed the attribute declaration to
private static $limit = 99+1;
with the same results. Just to confirm, I performed the following "tests" and I can confirm that no matter what I do with the static var declaration they are all reported as strings. Haven't tried floating numbers though.
if (is_string(self::$limit)) {
die('string');
} elseif (is_int(self::$limit)) {
die('int');
} else {
die('something else...');
}
I can confirm that the variable is of type string.
I came up with this as a test and could not replicate your findings.
This is using PHP 7.3.19
/Class_test.php
class Class_test {
private static $limit = 100;
private static $string = '100';
public function index() {
$this->check_my_type(self::$limit);
$this->check_my_type(self::$string);
}
protected function check_my_type($value){
if (is_string($value)) {
echo('I am a string :'. $value);
echo '<br>';
}
if (is_int($value)) {
echo('I am an Integer :'.$value);
echo '<br>';
}
}
}
/index.php
<?php
// Enable FULL Error Reporting on the screen
// ONLY USE IN DEVELOPMENT
error_reporting(E_ALL);
ini_set('display_errors', 1);
include_once('./Class_test.php');
$test = new Class_test();
$test->index();
Output is:
I am an Integer :100
I am a string :100
Do you get the same results or is there something you haven't told us that I am missing here.
I am working on an application that I need to post a secret variable. I wrote this code.
<form target="_blank" action="/validate/lista.php" method="POST">
<input type="hidden" name="evento" value="<?php echo $pname ?>" />
<button class="btn btn-block btn-md btn-outline-success">Lista</button>
</form>
My problem is that if the user inspect the element with chrome or whatever, he can see the value and change it before POST.
I could use SESSION but every user has a different session ID and this way I would need to POST the session ID (because they are separete applications), which I think is not secure. Or is it ok?
How can I prevent this? I am new to programming...
Thank you
Maintain HTML Form State safely ('Conversation' Tracking)
Keep track of the 'state' of an HTML Form as it is processed by the client and the server.
The typical 'conversation' is:
Send a new form to the client, often for a specific user who has to login.
The client enters data and returns it.
It is validated and may be sent out again.
The data changes are applied.
the client is informed of the result.
It sounds simple. Alas, we need to keep track of the 'state' of the form during the 'conversation'.
We need to record the state in a hidden field. This can open us up to various 'failure modes'.
This answer is one method of reliably keeping track of the 'conversations'.
Including people being 'malicious'. It happens. ;-/
This is a data change form so we don't want it applied to the wrong person.
There are various requirements:
Sensible ones:
prevent a form being processed twice
Ask a user to confirm the data if the form is too old
Malicious ones:
Changing the form to appear to be from a different user
Using an old copy of the form
Changing other hidden data to corrupt the user data
Now, we cannot prevent the client changing the hidden data, or storing it to replay later. etc.
What to do?
We need to ensure that if it is changed then we can detect that it is tampered with and tell the user about it. We do nothing.
If they send us an old stored valid copy then we can detect that as well.
Is there a simple way of doing this? Oh yes! :)
Answers:
Give each form a unique id: makes it easy to determine if we have already seen it.
Give each form a timestamp of when it was first created.
we can then decide the max age we allow to use it.
If it is too old then we just copy the entered data to a new form and ask the user to confirm it. see Captcha :)
When we process the form we store the form id.
The first check before processing a form is to see if we have already processed it
Identifying 'tampering'?
We encrypt it with AES! :) Only the server needs to know the password so there are no client issues.
If it is changed then the decrypt will fail and we just issue a new form to the user with the data input on it. :)
Is it a lot of code? Not really. And it makes forms processing safe.
One advantage is that has the protection for the CSRF attack built in so no separate code needed.
Program Code (FormState Class)
<?php
/**
* every 'data edit' form has one of these - without exeception.
*
* This ensures that the form I sent out came from me.
*
* It has:
* 1) A unique #id
* 2) A date time stamp and a lifetime
*
* Can be automatically generated and checked.
*/
class FormState {
const MAX_FORM_AGE = 600; // seconds
const ENC_PASSWORD = '327136823981d9e57652bba2acfdb1f2';
const ENC_IV = 'f9928260b550dbb2eecb6e10fcf630ba';
protected $state = array();
public function __construct($prevState = '')
{
if (!empty($prevState)) {
$this->reloadState($prevState); // will not be valid if fails
return;
}
$this->setNewForm();
}
/**
* Generate a new unique id and timestanp
*
* #param $name - optional name for the form
*/
public function setNewForm($name = '')
{
$this->state = array();
$this->state['formid'] = sha1(uniqid(true)); // each form has a unique id
$this->state['when'] = time();
if (!empty($name)) {
$this->setAttribute('name', $name);
}
}
/**
* retrieve attribute value
*
* #param $name attribute name to use
* #param $default value to return if attribute does not exist
*
* #return string / number
*/
public function getAttribute($name, $default = null)
{
if (isset($this->state[$name])) {
return $this->state[$name];
} else {
return $default;
}
}
/**
* store attribute value
*
* #param $name attribute name to use
* #param $value value to save
*/
public function setAttribute($name, $value)
{
$this->state[$name] = $value;
}
/**
* get the array
*/
public function getAllAttributes()
{
return $this->state;
}
/**
* the unique form id
*
* #return hex string
*/
public function getFormId()
{
return $this->getAttribute('formid');
}
/**
* Age of the form in seconds
* #return int seconds
*/
public function getAge()
{
if ($this->isValid()) {
return time() - $this->state['when'];
}
return 0;
}
/**
* check the age of the form
*
*#param $ageSeconds is age older than the supplied age
*/
public function isOutOfDate($ageSeconds = self::MAX_FORM_AGE)
{
return $this->getAge() >= $ageSeconds;
}
/**
* was a valid string passed when restoring it
* #return boolean
*/
public function isValid()
{
return is_array($this->state) && !empty($this->state);
}
/** -----------------------------------------------------------------------
* Encode as string - these are encrypted to ensure they are not tampered with
*/
public function asString()
{
$serialized = serialize($this->state);
$encrypted = $this->encrypt_decrypt('encrypt', $serialized);
$result = base64_encode($encrypted);
return $result;
}
/**
* Restore the saved attributes - it must be a valid string
*
* #Param $prevState
* #return array Attributes
*/
public function fromString($prevState)
{
$encrypted = #base64_decode($prevState);
if ($encrypted === false) {
return false;
}
$serialized = $this->encrypt_decrypt('decrypt', $encrypted);
if ($serialized === false) {
return false;
}
$object = #unserialize($serialized);
if ($object === false) {
return false;
}
if (!is_array($object)) {
throw new \Exception(__METHOD__ .' failed to return object: '. $object, 500);
}
return $object;
}
public function __toString()
{
return $this->asString();
}
/**
* Restore the previous state of the form
* will not be valid if not a valid string
*
* #param $prevState an encoded serialized array
* #return bool isValid or not
*/
public function reloadState($prevState)
{
$this->state = array();
$state = $this->fromString($prevState);
if ($state !== false) {
$this->state = $state;
}
return $this->isValid();
}
/**
* simple method to encrypt or decrypt a plain text string
* initialization vector(IV) has to be the same when encrypting and decrypting
*
* #param string $action: can be 'encrypt' or 'decrypt'
* #param string $string: string to encrypt or decrypt
*
* #return string
*/
public function encrypt_decrypt($action, $string)
{
$output = false;
$encrypt_method = "AES-256-CBC";
$secret_key = self::ENC_PASSWORD;
// iv - encrypt method AES-256-CBC expects 16 bytes - else you will get a warning
$secret_iv_len = openssl_cipher_iv_length($encrypt_method);
$secret_iv = substr(self::ENC_IV, 0, $secret_iv_len);
if ( $action == 'encrypt' ) {
$output = openssl_encrypt($string, $encrypt_method, $secret_key, OPENSSL_RAW_DATA, $secret_iv);
} else if( $action == 'decrypt' ) {
$output = openssl_decrypt($string, $encrypt_method, $secret_key, OPENSSL_RAW_DATA, $secret_iv);
}
if ($output === false) {
// throw new \Exception($action .' failed: '. $string, 500);
}
return $output;
}
}
Example Code
Full Example Application Source Code (Q49924789)
Website Using the supplied Source Code
FormState source code
Do we have an existing form?
$isExistingForm = !empty($_POST['formState']);
$selectedAction = 'start-NewForm'; // default action
if ($isExistingForm) { // restore state
$selectedAction = $_POST['selectedAction'];
$formState = new \FormState($_POST['formState']); // it may be invalid
if (!$formState->isValid() && $selectedAction !== 'start-NewForm') {
$selectedAction = "formState-isWrong"; // force user to start a new form
}
} else {
$_POST = array(); // yes, $_POST is just another PHP array
$formState = new \FormState();
}
Start New Form
$formState = new \FormState();
$_POST = array();
$displayMsg = "New formstate created. FormId: ". $formState->getFormId();
Store UserId (Database Id) in the FormState
$formState->setAttribute('userId' $userId);
Check a form being to old?
$secsToBeOutOfDate = 3;
if ($formState->isOutOfDate($secsToBeOutOfDate)) {
$errorMsg = 'Out Of Date Age: '. $secsToBeOutOfDate .'secs'
.', ActualAge: '. $formState->getAge();
}
Reload State from the form hidden field.
$formState = new \FormState('this is rubbish!!');
$errorMsg = "formState: isValid(): ". ($formState->isValid() ? 'True' : 'False');
Check if a form has already been processed.
if (isset($_SESSION['processedForms'][$formState->getFormId()])) {
$errorMsg = 'This form has already been processed. (' . $formState->getFormId() .')';
break;
}
$_SESSION['processedForms'][$formState->getFormId()] = true;
$displayMsg = "Form processed and added to list.";
I'm writing a large project, and here's a class that I'll use it often:
class Star
{
/**
* Add
*
* Add a star to something.
*
* #param int $ID The ID of the thing.
*/
function Add($ID)
{
if($this->Starred($ID))
return 'You starred it already.';
if(!$this->Existing($ID))
return 'The one you tried to star does no longer exist.';
$this->DB->Star($ID);
return 'Starred successfully!';
}
}
$Star = new Star();
But I will use it in different ways like: single page or inside a function,
here's the problem, sometimes, I want to know the return code not the message,
but when I use it in the single page, I want it to return the messaage,
so if I change the Add() function to this:
function Add($ID)
{
if($this->Starred($ID))
return 0;
if(!$this->Existing($ID))
return 1;
$this->DB->Star($ID);
return 2;
}
I can now use it in my functions like this to handle an error:
/** Leaves a comment */
$Comment->Say('Hello.', $ID);
/** Auto star the post because we commented on it */
if($Star->Add($ID) == 2)
{
/** Remove the comment because the post does no longer exist */
$Comment->Remove('Hello.', $ID);
return 'Sorry ; _ ;, the post does no longer exist.';
}
but what if I need to return a message in many other pages?
I need to write this code every time?
switch($Star->Add($ID))
{
case 0:
return 'You starred it already.';
break;
case 1:
return 'The one you tried to star does no longer exist.';
break;
case 2:
return 'Starred successfully!';
break;
}
I'm just confuse about it, any help would be appreciated.
For a direct solution to your code read the Edit 1 section.
I'm currently working on a rather large project and I'm using a ErrorHandler class that I made. I found that working with a generic error handler class has made it easier.
class ErrorHandler
{
/**
* #var string an array containing all the errors set.
*/
private static $errors = [];
/**
* Set an error.
*
* #param string $error - The error message you'd like to set.
* #return string - The error being set to $errors array.
*/
public static function add($error)
{
return self::$errors[] = $error;
}
/**
* Get all the errors.
*
* #return boolean if the $errors array is empty it will return false, otherwise it will return the errors.
*/
public static function get()
{
foreach (self::$errors as $error) {
if (empty(trim($error)))
return false;
}
return self::$errors;
}
}
Basically how I use it is like this, say I needed to validate a form input say a login, I'd first check if the user pressed the submit button, then I'd use the ternary operator to run some validations and if it fails I use the ErrorHandler class.
if(isset($_POST['login'])) {
$emailAddress = someValidationsHere ? doSomethingWithValidInput : ErrorHandler::add("Email field is empty or format is invalid.");
$password = someValidationsHere ? doSomethingWithValidInput : ErrorHandler::add("Password field can't be empty and can't use special characters.");
if(!ErrorHandler::get()) {
echo User::login($emailAddress, $password, $autoLogin);
} else {
$errors = ErrorHandler::get();
foreach($errors as $error) {
echo $error . "<br/>";
}
}
}
So what that bottom if statement does is check if the ErrorHandler::get functions does not return false which in that case no need to show an error message and you can progress with the code, else it will display the error page, this way you can show multiple errors and have custom formatting.
I prefer this method as it is more of a long term solution as you may change the ID's then you'd have to go through all your code and change the code manually. Also it gives your code some sort of structure and that keeps your code clean.
Edit 1
How is this class? You now know the error codes using the const value and you can parse the error code to a message using the getMessage function. Also your code is more understandable and adaptable.
Why is it more...
understandable?
Because now when you (or someone else) looks at this code they see the clean name from the const so ALREADY_STARRED_ERROR will let the developer know instantly what the error means.
adaptable?
Well now you can change your hard coded errors and it wouldn't affect the code in anyway, so if in the future you wish to changed it because of a spelling mistake or other errors, you can change the array message.
<?php
class Star
{
const ALREADY_STARRED_ERROR = 1;
const NOT_FOUND_ERROR= 2;
const SUCCESSFUL_ENTRY = 3;
function getMessage($code)
{
$messages = [
1 => "You starred it already.",
2 => "The one you tried to star does no longer exist.",
3 => "Starred successfully!"
];
return $message[$code];
}
/**
* Add
*
* Add a star to something.
*
* #param int $ID The ID of the thing.
*/
function Add($ID)
{
if($this->Starred($ID))
return self::ALREADY_STARRED_ERROR;
if(!$this->Existing($ID))
return self::NOT_FOUND_ERROR;
$this->DB->Star($ID);
return self::SUCCESSFUL_ENTRY;
}
}
?>
I'd like to think Edit 1 addressed both the issues you had.
sometimes, I want to know the return code not the message,
but when I use it in the single page, I want it to return the messaage,
Place the switch to a function, like AddWithMessage:
function AddWithMessage($Star)
{
switch($Star->Add($ID))
{
case 0:
return 'You starred it already.';
break;
case 1:
return 'The one you tried to star does no longer exist.';
break;
case 2:
return 'Starred successfully!';
break;
}
}
Then use it across any single page you need instead of Add
I'm verifying a form input and making sure the user doesn't submit the form twice. I'm doing this with the following class:
<?php
//You can of course choose any name for your class or integrate it in something like a functions or base class
class formKey
{
//Here we store the generated form key
private $formKey;
//Here we store the old form key (more info at step 4)
private $old_formKey;
//The constructor stores the form key (if one excists) in our class variable
function __construct()
{
//We need the previous key so we store it
if(isset($_SESSION['form_key']))
{
$this->old_formKey = $_SESSION['form_key'];
}
}
//Function to generate the form key
private function generateKey()
{
//Get the IP-address of the user
$ip = $_SERVER['REMOTE_ADDR'];
//We use mt_rand() instead of rand() because it is better for generating random numbers.
//We use 'true' to get a longer string.
//See http://www.php.net/mt_rand for a precise description of the function and more examples.
$uniqid = uniqid(mt_rand(), true);
//Return the hash
return md5($ip . $uniqid);
}
//Function to output the form key
public function outputKey()
{
//Generate the key and store it inside the class
$this->formKey = $this->generateKey();
//Store the form key in the session
$_SESSION['form_key'] = $this->formKey;
//Output the form key
echo "<input type='hidden' name='form_key' id='form_key' value='".$this->formKey."' />";
}
//Function that validated the form key POST data
public function validate()
{
//We use the old formKey and not the new generated version
if($_POST['form_key'] == $this->old_formKey)
{
//The key is valid, return true.
unset($_SESSION['form_key']);
return true;
}
else
{
//The key is invalid, return false.
return false;
}
}
}
?>
This is output to the form like this then:
include STYLESHEETPATH . '/formkey.class.php';
$formKey = new formKey();
$formKey->outputKey();
If I echo out the old_formKey and the post form_key they are the exact same and it works in every browser other than Safari. If I check these in Safari, the old_formKey is always different. Why would this be?
I use this class (taken from a blog tutorial) to generate unique keys to validate a form:
class formKey {
//Here we store the generated form key
private $formKey;
//Here we store the old form key
private $old_formKey;
//The constructor stores the form key (if one excists) in our class variable
function __construct() {
//We need the previous key so we store it
if(isset($_SESSION['form_key'])) {
$this->old_formKey = $_SESSION['form_key'];
}
}
//Function to generate the form key
private function generateKey() {
//Get the IP-address of the user
$ip = $_SERVER['REMOTE_ADDR'];
//We use mt_rand() instead of rand() because it is better for generating random numbers.
//We use 'true' to get a longer string.
$uniqid = uniqid(mt_rand(), true);
//Return the hash
return md5($ip . $uniqid);
}
//Function to output the form key
public function outputKey() {
//Generate the key and store it inside the class
$this->formKey = $this->generateKey();
//Store the form key in the session
$_SESSION['form_key'] = $this->formKey;
//Output the form key
// echo "<input type='hidden' name='form_key' id='form_key' value='".$this->formKey."' />";
return $this->formKey;
}
//Function that validated the form key POST data
public function validate() {
//We use the old formKey and not the new generated version
if($_POST['form_key'] == $this->old_formKey) {
//The key is valid, return true.
return true;
}
else {
//The key is invalid, return false.
return false;
}
}
}
Everything in my website goes through index.php first, so I put this in index.php: $formKey = new formKey();
Then, in every form I put this: <?php $formKey->outputKey(); ?>
That generates this: <input type="hidden" name="form_key" id="form_key" value="7bd8496ea1518e1850c24cf2de8ded23" />
Then I can simply check for if(!isset($_POST['form_key']) || !$formKey->validate())
I have two problems. First: I cant use more than one form per page becouse only the last key generated will validate.
Second: Because everything goes through index.php first, if I use ajax to validate the form, the first time will validate but the second time not, because index.php generates a new key but the pages containing the form does't refresh so the form key is not updated..
I have tried several things but I cant get it to work.. Maybe YOU can update/modify the code/class to get it to work?? Thanks!!!
You could put this into a class, but this is needless complexity. Simple security systems are best because they are easier to audit.
//Put this in a header file
session_start();
if(!$_SESSION['xsrf_token']){
//Not the best but this should be enough entropy
$_SESSION['xsrf_token']=uniqid(mt_rand(),true);
}
//$_REQUEST is used because you might need it for a GET or POST request.
function validate_xsrf(){
return $_SESSION['xsrf_token']==$_REQUEST['xsrf_token'] && $_SESSION['xsrf_token'];
}
//End of header file.
The extra && $_SESSION['xsrf_token'] makes sure this variable is populated. Its there to make sure the implementation fails securely. (Like if you forgot the header file doah! ;)
This following html/php goes in any file you want to protect from XSRF, make sure you have the code above in a header file.
if(validate_xsrf()){
//do somthing with $_POST
}
This is all you need to print out the form, again make sure you call session_start(); before you do anything, it doesn't matter if you call it multiple times.
<input type="hidden" name="xsrf_token" id="form_key" value="<?=$_SESSION['xsrf_token']?>" />
Not tested, but it should work.
class formKey {
//Here we store the generated form key
private $formKey;
//Here we store the old form key
private $old_formKey;
//The constructor stores the form key (if one excists) in our class variable
function __construct() {
//We need the previous key so we store it
if(isset($_SESSION['form_key'])) {
$this->old_formKey = $_SESSION['form_key'];
$this->formKey = $this->generateKey();
$_SESSION['form_key'] = $this->formKey;
}
}
//Function to generate the form key
private function generateKey() {
//Get the IP-address of the user
$ip = $_SERVER['REMOTE_ADDR'];
//We use mt_rand() instead of rand() because it is better for generating random numbers.
//We use 'true' to get a longer string.
$uniqid = uniqid(mt_rand(), true);
//Return the hash
return md5($ip . $uniqid);
}
//Function to output the form key
public function outputKey() {
return $this->formKey;
}
//Function that validated the form key POST data
public function validate() {
//We use the old formKey and not the new generated version
if($_POST['form_key'] == $this->old_formKey) {
//The key is valid, return true.
return true;
}
else {
//The key is invalid, return false.
return false;
}
}
}
Edit: changed back to single key. Just call outputkey() to when needed. Don't create more than one instance of this class.