code layout and variable questions

[paul_wilkins]

It seems that filter_input doesn't support $_SESSION yet, so we'll have to do this more-like the old-fashion way, where an empty variable is first assigned, and then only if the superglobal exists, do you assign it then.

Ahh the memories.


I've also moved the cookie part afterwards, which seems to flow better due to the cookies relying on the lack of a username.

Code javascript:

session_start();
 
$username = '';
if (isset($_SESSION['username'])) {
    $username = filter_var($_SESSION['username'], FILTER_SANITIZE_STRING);
}
if (empty($username)) {
    require_once $_SERVER['DOCUMENT_ROOT'] . '/includes/cookie.php';
}

[oknow]

filter_var I'm guessing you meant? Same issue with both I'm sure, though. No wonder I was lost. Thanks for clearing it up for me.

Seems to work without $username = ''; too. But I think I understand the reason for including the line.

I need to re-arrange it so that the cookie check is done first if necessary, so that if the sessions are set by cookie.php they are sanitized, which won't happen if cookie.php sets the sessions last.

I'm pretty sure I can figure that out though.

Thanks again Paul!

[paul_wilkins]

filter_var I'm guessing you meant?

Nope, filter_input, which handles get, post, cookie, server, and env globals.

I need to re-arrange it so that the cookie check is done first if necessary, so that if the sessions are set by cookie.php they are sanitized, which won't happen if cookie.php sets the sessions last.

Ahh, so cookie.php updates the session variable, that makes sense. If you had the cookie code consistently set the session variable, even with just an empty value, you will not then receive an undefined insex with the later code that retrieves the session.

That being something like this:

Code php:

$_SESSION['username'] = filter_input(INPUT_COOKIE, 'username', FILTER_SANITIZE_STRING);

I also think that once you have ensured the safety of what you are putting in to the session variable (as done above) that you won't need to explicitly filter it, since it has already been implicitly done when it was set.

Then you could get away with the following:

Code php:

session_start();
 
if (!isset($_SESSION['username'])) {
    require_once $_SERVER['DOCUMENT_ROOT'] . '/includes/cookie.php';
}
$username = $_SESSION['username'];

[oknow]

That looks great. I'm unfortunately in the middle of changing my designated session/cookie variables, but I think I'm set on the way I'm doing it, so I'm about to try implement this improvement you suggested...

can I use a filter on a $row[]; ?

ie

PHP Code:

$userid = filter_var($row['id'], FILTER_SANITIZE_NUMBER_INT);
$username = filter_var($row['username'], FILTER_SANITIZE_STRING);
$_SESSION['userid'] = $userid;
$_SESSION['username'] = $username;
$_SESSION['logged_in'] = TRUE; 


I ask because the new cookie I am using, a single cookie, is a hashed combination of variables that I won't be using in sessions anymore - it is only to check if the user is allowed to log in and have the sessions set. Hope that makes sense! heh

edit: wait, I could just do this

PHP Code:

$_SESSION['userid'] = filter_var($row['id'], FILTER_SANITIZE_NUMBER_INT);
$_SESSION['username'] = filter_var($row['username'], FILTER_SANITIZE_STRING);
$_SESSION['logged_in'] = TRUE; 


Right? (Assuming rows are ok to filter!)

[paul_wilkins]

That looks great. I'm unfortunately in the middle of changing my designated session/cookie variables, but I think I'm set on the way I'm doing it, so I'm about to try implement this improvement you suggested...

can I use a filter on a $row[]; ?

Yes, filter_var can be used on any variables, but when dealing with arrays it can be better to use filter_var_array instead..

If it's from one of the superglobal arrays though, filter_input should be used for them instead.

[oknow]

Yes, filter_var can be used on any variables, but when dealing with arrays it can be better to use filter_var_array instead..

If it's from one of the superglobal arrays though, filter_input should be used for them instead.

Gotchya! Thanks.

I've been teaching myself filter_var_array on and off to sort out my date issue from earlier, took a break from it admittedly.

This is going to work. And much better than I had it set up.

I just have to figure out how to completely re-code my cookie.php file to fix these issues ... I think I can do it though. I will have to come up with something other than the $row thing. $username = $_SESSION['username']; won't work to check on every page either, unless cookie.php always runs, because if the user is already logged in, cookie.php setting+filtering the sessions will be skipped... I think that is right. My brain is having a hard time with this tonight. Hah. I will rack my brain over this I am sure I can get it.

Thanks again Paul, you're a legend.

[paul_wilkins]

I just have to figure out how to completely re-code my cookie.php file to fix these issues ... I think I can do it though. I will have to come up with something other than the $row thing. $username = $_SESSION['username']; won't work to check on every page either, unless cookie.php always runs, because if the user is already logged in, cookie.php setting+filtering the sessions will be skipped... I think that is right.

There are three different things that are involved here.
$_POST, $_SESSION and $_COOKIE

That gives a total combination of 8 different possibilities when the page loads.

1. none of them are set
2. only $_POST
3. only $_SESSION
4. both $_SESSION and $_POST
5. only $_COOKIE
6. both $_COOKIE and $_POST
7. both $_COOKIE and $_SESSION
8. all three, $_COOKIE, $_SESSION and $_POST

Create a test for each of those 8 cases, which provides bad data in each of the areas. You can use simple test or phpunit to easily automate the tests.

When all of the tests result in good data instead of bad, that's when you know you have a fully working solution.

[derokorian]

i believe option 7 should be:
7. both $_COOKIE and $_SESSION

[paul_wilkins]

i believe option 7 should be:
7. both $_COOKIE and $_SESSION

Ta, updated.

[paul_wilkins]

Writing tests that check for each of those situations, and then writing code that solves each test, results in the following code:

Code php:

<?php
session_start();
$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
if (empty($username) && isset($_SESSION['username'])) {
    $username = $_SESSION['username'];
}
if (empty($username)) {
    $username = filter_input(INPUT_COOKIE, 'username', FILTER_SANITIZE_STRING);
}
 
$_SESSION['username'] = $username;
setcookie('username', $username);
 
echo '<p>Username: ' . htmlentities($username) . '</p>';
?>