  1. #51
    Unobtrusively zen silver trophybronze trophy
    paul_wilkins's Avatar
    Join Date
    Jan 2007
    Location
    Christchurch, New Zealand
    Posts
    14,729
    Mentioned
    104 Post(s)
    Tagged
    4 Thread(s)
    It seems that filter_input doesn't support $_SESSION yet, so we'll have to do this more like the old-fashioned way, where an empty variable is first assigned, and then only if the superglobal exists do you assign it.

    Ahh the memories.


    I've also moved the cookie part afterwards, which seems to flow better due to the cookies relying on the lack of a username.

    Code php:
    session_start();
     
    $username = '';
    if (isset($_SESSION['username'])) {
        $username = filter_var($_SESSION['username'], FILTER_SANITIZE_STRING);
    }
    if (empty($username)) {
        require_once $_SERVER['DOCUMENT_ROOT'] . '/includes/cookie.php';
    }
    Programming Group Advisor
    Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
    Car is to Carpet as Java is to JavaScript

  2. #52
    SitePoint Zealot
    Join Date
    Jan 2010
    Posts
    153
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    filter_var I'm guessing you meant? Same issue with both I'm sure, though. No wonder I was lost. Thanks for clearing it up for me.

    Seems to work without $username = ''; too. But I think I understand the reason for including the line.

    I need to re-arrange it so that the cookie check is done first if necessary, so that if the sessions are set by cookie.php they are sanitized, which won't happen if cookie.php sets the sessions last.

    I'm pretty sure I can figure that out though.

    Thanks again Paul!

  3. #53
    paul_wilkins
    Quote Originally Posted by oknow:
    filter_var I'm guessing you meant?
    Nope, filter_input, which handles get, post, cookie, server, and env globals.

    Quote Originally Posted by oknow:
    I need to re-arrange it so that the cookie check is done first if necessary, so that if the sessions are set by cookie.php they are sanitized, which won't happen if cookie.php sets the sessions last.
    Ahh, so cookie.php updates the session variable, that makes sense. If you had the cookie code consistently set the session variable, even with just an empty value, you will not then receive an undefined index with the later code that retrieves the session.

    That being something like this:

    Code php:
    $_SESSION['username'] = filter_input(INPUT_COOKIE, 'username', FILTER_SANITIZE_STRING);

    I also think that once you have ensured the safety of what you are putting in to the session variable (as done above) that you won't need to explicitly filter it, since it has already been implicitly done when it was set.

    Then you could get away with the following:

    Code php:
    session_start();
     
    if (!isset($_SESSION['username'])) {
        require_once $_SERVER['DOCUMENT_ROOT'] . '/includes/cookie.php';
    }
    $username = $_SESSION['username'];

  4. #54
    oknow
    That looks great. I'm unfortunately in the middle of changing my designated session/cookie variables, but I think I'm set on the way I'm doing it, so I'm about to try implement this improvement you suggested...

    can I use a filter on a $row[]; ?

    ie

    PHP Code:
    $userid = filter_var($row['id'], FILTER_SANITIZE_NUMBER_INT);
    $username = filter_var($row['username'], FILTER_SANITIZE_STRING);
    $_SESSION['userid'] = $userid;
    $_SESSION['username'] = $username;
    $_SESSION['logged_in'] = TRUE;
    I ask because the new cookie I am using, a single cookie, is a hashed combination of variables that I won't be using in sessions anymore - it is only to check if the user is allowed to log in and have the sessions set. Hope that makes sense! heh

    edit: wait, I could just do this

    PHP Code:
    $_SESSION['userid'] = filter_var($row['id'], FILTER_SANITIZE_NUMBER_INT);
    $_SESSION['username'] = filter_var($row['username'], FILTER_SANITIZE_STRING);
    $_SESSION['logged_in'] = TRUE;
    Right? (Assuming rows are ok to filter!)

  5. #55
    paul_wilkins
    Quote Originally Posted by oknow:
    That looks great. I'm unfortunately in the middle of changing my designated session/cookie variables, but I think I'm set on the way I'm doing it, so I'm about to try implement this improvement you suggested...

    can I use a filter on a $row[]; ?
    Yes, filter_var can be used on any variables, but when dealing with arrays it can be better to use filter_var_array instead.

    If it's from one of the superglobal arrays though, filter_input should be used for them instead.
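    The filter_var_array route Paul mentions, as an added example (this is not code from the thread, and not oknow's cookie.php). The $row array is a constructed stand-in for a fetched database row; the field names, the allow-list pattern, and the use of validation filters instead of sanitize filters are choices made here, not something the thread specifies. FILTER_SANITIZE_STRING is deprecated since PHP 8.1, so the example validates with FILTER_VALIDATE_INT and FILTER_VALIDATE_REGEXP, which return false for malformed values rather than quietly rewriting them:

```php
<?php
// Added example: filter a whole DB row with filter_var_array() before
// copying any of it into the session. $row is constructed sample data.
$row = [
    'id'       => '42',
    'username' => 'oknow',
    'email'    => 'oknow@example.com', // extra column we never asked for
];

// One definition per field we intend to trust. Keys of $row that are not
// listed here ('email') are dropped from the result; keys listed here but
// missing from $row come back as null (the default add_empty behaviour).
$definition = [
    'id'       => [
        'filter'  => FILTER_VALIDATE_INT,
        'options' => ['min_range' => 1],
    ],
    'username' => [
        'filter'  => FILTER_VALIDATE_REGEXP,
        'options' => ['regexp' => '/^[A-Za-z0-9_]{1,32}$/'], // allow-list, assumed policy
    ],
];

function row_is_trusted(array|false $clean): bool
{
    if ($clean === false) {
        return false;           // $row was not an array at all
    }
    foreach (['id', 'username'] as $field) {
        // false = filter rejected the value, null = field absent from $row
        if (!isset($clean[$field]) || $clean[$field] === false) {
            return false;
        }
    }
    return true;
}

session_start();
$clean = filter_var_array($row, $definition);

if (!row_is_trusted($clean)) {
    // Bad or missing account data: do not mark anyone as logged in.
    $_SESSION = [];
    http_response_code(403);
    exit('Invalid account record');
}

// Fresh session id once the privilege level changes, then only the
// validated fields go into the session.
session_regenerate_id(true);
$_SESSION['userid']    = $clean['id'];        // int, not the raw string
$_SESSION['username']  = $clean['username'];
$_SESSION['logged_in'] = true;
```

    The point of checking for false and null separately from the happy path is that a validation filter reports a rejected value as false, while a key that was simply missing arrives as null; treating either as "not logged in" is what keeps bad row data out of the session. The `array|false` union type needs PHP 8.0 or later.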

  6. #56
    oknow
    Quote Originally Posted by paul_wilkins:
    Yes, filter_var can be used on any variables, but when dealing with arrays it can be better to use filter_var_array instead..

    If it's from one of the superglobal arrays though, filter_input should be used for them instead.
    Gotchya! Thanks.

    I've been teaching myself filter_var_array on and off to sort out my date issue from earlier, took a break from it admittedly.

    This is going to work. And much better than I had it set up.

    I just have to figure out how to completely re-code my cookie.php file to fix these issues ... I think I can do it though. I will have to come up with something other than the $row thing. $username = $_SESSION['username']; won't work to check on every page either, unless cookie.php always runs, because if the user is already logged in, cookie.php setting+filtering the sessions will be skipped... I think that is right. My brain is having a hard time with this tonight. Hah. I will rack my brain over this I am sure I can get it.

    Thanks again Paul, you're a legend.

  7. #57
    paul_wilkins
    Quote Originally Posted by oknow:
    I just have to figure out how to completely re-code my cookie.php file to fix these issues ... I think I can do it though. I will have to come up with something other than the $row thing. $username = $_SESSION['username']; won't work to check on every page either, unless cookie.php always runs, because if the user is already logged in, cookie.php setting+filtering the sessions will be skipped... I think that is right.
    There are three different things that are involved here.
    $_POST, $_SESSION and $_COOKIE

    That gives a total combination of 8 different possibilities when the page loads.

    1. none of them are set
    2. only $_POST
    3. only $_SESSION
    4. both $_SESSION and $_POST
    5. only $_COOKIE
    6. both $_COOKIE and $_POST
    7. both $_COOKIE and $_SESSION
    8. all three, $_COOKIE, $_SESSION and $_POST


    Create a test for each of those 8 cases, which provides bad data in each of the areas. You can use simple test or phpunit to easily automate the tests.

    When all of the tests result in good data instead of bad, that's when you know you have a fully working solution.
    Last edited by paul_wilkins; May 19, 2011 at 21:09.

  8. #58
    SitePoint Enthusiast derokorian's Avatar
    Join Date
    Jan 2011
    Location
    Ohio
    Posts
    57
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I believe option 7 should be:
    7. both $_COOKIE and $_SESSION

  9. #59
    paul_wilkins
    Quote Originally Posted by derokorian:
    I believe option 7 should be:
    7. both $_COOKIE and $_SESSION
    Ta, updated.

  10. #60
    paul_wilkins
    Writing tests that check for each of those situations, and then writing code that solves each test, results in the following code:

    Code php:
    <?php
    session_start();
    $username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
    if (empty($username) && isset($_SESSION['username'])) {
        $username = $_SESSION['username'];
    }
    if (empty($username)) {
        $username = filter_input(INPUT_COOKIE, 'username', FILTER_SANITIZE_STRING);
    }
     
    $_SESSION['username'] = $username;
    setcookie('username', $username);
     
    echo '<p>Username: ' . htmlentities($username) . '</p>';
    ?>
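    The eight-case test Paul describes in #57, run against the precedence used in his final code, as an added example (this is not Paul's test code and not the thread's own script). The resolution logic is rewritten to take the three sources as plain arrays, because filter_input() reads the real superglobals and cannot be handed test data from a command-line script; that, the allow-list pattern, and the constructed bad value are all assumptions made here. FILTER_SANITIZE_STRING is deprecated since PHP 8.1, so the example validates with FILTER_VALIDATE_REGEXP and returns an empty string for anything it rejects:

```php
<?php
// Added example: testable username resolution plus the 8-combination check.
// Sources are passed in as arrays (stand-ins for $_POST, $_SESSION, $_COOKIE).

// Allow-list validation. Returns '' for anything missing or malformed, so bad
// data is never carried forward into the session or the cookie.
function clean_username(?string $value): string
{
    if ($value === null) {
        return '';
    }
    $ok = filter_var($value, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => '/^[A-Za-z0-9_]{1,32}$/'], // assumed policy
    ]);
    return $ok === false ? '' : $ok;
}

// Same precedence as the final post: POST, then SESSION, then COOKIE.
// The session value is validated too, because the tests plant bad data there.
function resolve_username(array $post, array $session, array $cookie): string
{
    $username = clean_username($post['username'] ?? null);
    if ($username === '') {
        $username = clean_username($session['username'] ?? null);
    }
    if ($username === '') {
        $username = clean_username($cookie['username'] ?? null);
    }
    return $username;
}

// Constructed test data: the same malformed value planted in every source.
$bad      = '<script>alert(1)</script>';
$sources  = ['POST', 'SESSION', 'COOKIE'];
$failures = 0;

// Bits 0..2 select which sources are set: 0b000 .. 0b111 gives the eight
// combinations listed in the thread (none, only POST, only SESSION, ...).
for ($mask = 0; $mask < 8; $mask++) {
    $post    = ($mask & 1) ? ['username' => $bad] : [];
    $session = ($mask & 2) ? ['username' => $bad] : [];
    $cookie  = ($mask & 4) ? ['username' => $bad] : [];

    $label = [];
    foreach ($sources as $i => $name) {
        if ($mask & (1 << $i)) {
            $label[] = '$_' . $name;
        }
    }
    $label = $label ? implode(' + ', $label) : 'none set';

    // Expected: bad input never survives, whichever combination is set.
    $result = resolve_username($post, $session, $cookie);
    $pass   = ($result === '');
    $failures += $pass ? 0 : 1;
    printf("%-32s -> %s\n", $label, $pass ? 'PASS' : "FAIL (got '$result')");
}

// Control cases: good data still gets through, and POST wins over COOKIE.
$checks = [
    'good cookie only'     => resolve_username([], [], ['username' => 'oknow']) === 'oknow',
    'good POST beats bad cookie' => resolve_username(['username' => 'paul'], [], ['username' => $bad]) === 'paul',
];
foreach ($checks as $label => $pass) {
    $failures += $pass ? 0 : 1;
    printf("%-32s -> %s\n", $label, $pass ? 'PASS' : 'FAIL');
}

exit($failures === 0 ? 0 : 1);
```

    Run it from the command line; a non-zero exit status means at least one of the cases let bad data through, which is the signal Paul's post is after. Note what this test does and does not cover: it proves malformed values cannot reach the session or the cookie, but a cookie that carries the username in clear text, as the final snippet writes it, is set by the browser, so a well-formed value in it is still only a claim from the client rather than proof of who is logged in.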

