Session variables in php


  • I survived the hour long Uno hand

    So I'm finally learning php, but this has me stumped:

     

    <?php
    if (@$_SESSION['auth'] != "yes") {
        echo "<p class='tiny' align='center'>";
        echo "<a href="login.php"> Log In </a></p>";
    }
    else {
        echo "<p class="tiny" align="center">Logged in as ";
        echo "{$_SESSION['user']}";
        echo ". <a href="logout.php"> Click here </a> to log out.</p>" ;
    }
    ?>

     

    The if statement works perfectly, but the   echo "{$_SESSION['user']}"; returns a blank string, every time .A test script:

     <?php echo "<br> Logged in as: {$_SESSION['user']} <br>";
    echo "Logged in: {$_SESSION['auth']} <br>";
    ?>

     

    returns:

    Logged in as:
    Logged in: yes  

     

    The variables are set in the following portion of my login script:

            $_SESSION['auth']="yes";
            $_SESSiON['user']="$username";
            $today = date("Y-m-d h:i:s");
            $query = "INSERT INTO login (username,logintime) VALUES ('$username','$today')";
            $result = mysqli_query($cxn,$query) or die ("could not execute query 3");
            header("Location: Successful.php");

     

    Printing out the values in the login table reveals the correct usernames, so clearly $username has a value at that point. I've tried both with and without the  doube quotes around $username, and with single quotes - nothing doing. Is it not setting the variable? Is it somehow writing a null value?

     



  • $_SESSiON['user']="$username"; // is $username set here? Try var_dump or something to that effect. Also turn on E_NOTICE It's your friend

    $query = "INSERT INTO login (username,logintime) VALUES ('$username','$today')"; //injection!

    error_reporting(E_ALL); // put this at the top of your script for debugging.


  • I survived the hour long Uno hand

     @Lingerance said:

    $_SESSiON['user']="$username"; // is $username set here? Try var_dump or something to that effect. Also turn on E_NOTICE It's your friend

    yes, because 2 lines later it inserts the correct value into the login table 

    $query = "INSERT INTO login (username,logintime) VALUES ('$username','$today')"; //injection!

    This is after I've already stripped special characters and ran it through mysqli_real_escape_string()

    error_reporting(E_ALL); // put this at the top of your script for debugging.

     will try

    ETA: sure enough, it returns Notice: Undefined index: user in E:\wamp\www\footer.php on line 11. How did that happen? did I forget to do something?



  • $_SESSiON['user']="$username";
    It's a stretch but possibly case is an issue? (PHP isn't case sensitive iirc).

    Also what does the cookie look like?


    @yamikuronue said:
    Notice: Undefined index: user in E:\wamp\www\footer.php on line 11.

    As I recall all you need to generate that specific notice is something like

    $array = array();
    ...
    if (isset($array['user'])) { //use array_key_exists instead, or make sure that value is set which defeats the purpose of using isset on it
      ...
    }
    

    It's quite possibly the most annoying thing about E_NOTICE.


  • I survived the hour long Uno hand

    @Lingerance said:

    $_SESSiON['user']="$username";
    It's a stretch but possibly case is an issue? (PHP isn't case sensitive iirc). 

     

     

    oh my god you're awesome. changing it to SESSION with the I properly capitalized yeilds " Logged in as: $username  ", which is easy enough to fix now that it's storing something at least. I really need to get that shift key fixed >.> (it doesn't register the inner half of the key anymore so half the time I get lowercase by mistake - really annoying when typing ()s)



  •  A few comments on the coding style, only to help you learn PHP better:

    @yamikuronue said:

    if (@$_SESSION['auth'] != "yes") {

    The @ is used to supress errors from function returns. It won't do anything here, because all you're doing is an (in)equality test.

    @yamikuronue said:

        echo "<p class='tiny' align='center'>";
        echo "<a href="login.php"> Log In </a></p>";

    echo is fine for outputting a variable or a short string, but if you're going to be doing multiple lines, or something where you'll have to escape a lot of quote characters, it's much easier and more legible to use a 'heredoc':

    echo <<<EOS
    <p class="tiny" align="center">
    <a href="login.php">Log In</a></p>
    EOS;

    and as a bonus, heredocs are essentially a multi-line "print" function, so variables will be interpolated within the heredoc's contents.

    @yamikuronue said:

    echo "{$_SESSION['user']}";
    and
    $_SESSiON['user']="$username";

    You're doing forcing the PHP interpreter to do a bit of useless work here. Create a string, insert a variable's contents into that string, then output it. A much more compact and efficient version would be to just output the variable itself:


    echo $_SESSION['user']

    In this case, it's just a few cpu cycles being wasted, and it's not even in a loop (is it?) so the performance hit is utterly negligible, but doing this inside a long busy loop, then the hit's going to add up.

    And as for your original question, if you're every wondering what the contents of an array (or any variable, for that matter) are, instead of a bunch of echos/prints to spit out what you expect is in there, use var_dump() or print_r() and let PHP spit out a nicely formatted string of exactly what it knows is in there. Something like


    echo '<pre>';
    print_r($_SESSION);
    echo '</pre>';

    will show you exactly what's stored in the session array. 

    I see your question's been answered already, but I'll just expand the answer with this: In PHP, function names are case insensitive. print(), Print(), pRiNt() are all the same thing. but $print, $Print, $PRinT, etc... all refer to different variables. Beats me why they did the language that way, but it's pretty high up on my list of why PHP has some of the stupidest designers in the world. 

     

     

     

     

     


  • I survived the hour long Uno hand

    Thanks for the help, guys. I've got another problem today, though : I can't seem to format a string to allow apostrophes in a text area and properly escape/replace/whatever them so that it can be sent to the database. I've tried a str_replace("'","&apos",$value), I've tried str_replace("/'","&apos",$value), I've tried the above with and without spaces, I've tried str_replace(chr(39),$value), I tried ereg_replace. Finally someone suggested using urlencode, so that's what's in the code below:

     

    foreach($_POST as $field => $value)
            {
                switch($field){

               //irrelevant test cases omitted

                   case "descrip" :
                    case "history" :
                    case "notes" :
                        if (!(ereg("^[A-Za-z0-9 /<>':,;.-]+$",$value) OR $value == "") ) {
                            echo "Invalid input in $field : $value <br>";
                            displayform();
                            exit();
                        }
                        $value = strip_tags($value, "<b><i><u></b></i></u><br>");
                        $value = htmlspecialchars($value);
                        $value = urlencode($value);
                        break;

               //more cases omitted

             $value = trim($value);
            }

            $cxn = mysqli_connect($host,$user,$password,$database) or die ("Could not connect to database");
            foreach($_POST as $field => $value)
            {
                $value = mysqli_real_escape_string($cxn,$value);
            }
             $query = "UPDATE Characters SET FirstName='{$_POST['firstname']}',MiddleName='{$_POST['middlename']}',LastName='{$_POST['lastname']}',Race='{$_POST['race']}',Class='{$_POST['class']}',Descrip='{$_POST['descrip']}',History='{$_POST['history']}',Notes='{$_POST['notes']}' WHERE id = '{$_POST['char']}'";
            echo $query;
            $result = mysqli_query($cxn,$query) or die (mysqli_error($cxn));

     

     

    my echo and my error:

    UPDATE Characters SET
    FirstName='Sophia',MiddleName='',LastName='Lockheart',Race='Weretiger',Class='Wilder
    4/Sorcerer 4/Cerebremancer 3',Descrip=' testing's',History=' ',Notes='
    ' WHERE id = '12'

    You have an error in your SQL syntax; check the manual
    that corresponds to your MySQL server version for the right syntax to
    use near 's',History=' ',Notes=' ' WHERE id = '12'' at line 1



  • mysqli_real_escape/add_slashes?

    FunFact: \ is the escape character not /


  • I survived the hour long Uno hand

    @Lingerance said:

    mysqli_real_escape/add_slashes?

    FunFact: \ is the escape character not /
     

     right, my typo there. It was right when it was in the program, I typod it just now. And I do real escape, as you'd see i fyou looked at the code.



  • Seriously I keep forgetting that, however I don't think SQL likes the commas in your UPDATE, try spaces.


  • I survived the hour long Uno hand


    @Lingerance said:

    Seriously I keep forgetting that, however I don't think SQL likes the commas in your UPDATE, try spaces.
     

     

    no, that' s correct. However, I found the issue - apparently what I thought was a pointer was instead a seperate variable, so everything I did to $value was then being discarded on the next foreach loop and it was then passing the original input without edits. A quick $_POST[$field] = $value; cleared that up. 



  • @yamikuronue said:

    [W]hat I thought was a pointer was instead a seperate variable, so everything I did to $value was then being discarded on the next foreach loop and it was then passing the original input without edits.
    There's a way to get a foreach loop to use a reference. I think it's foreach(&$array as $key => $val) { ... }



  • @yamikuronue said:

    A quick $_POST[$field] = $value; cleared that up. 
     

    In general, you should treat the $_POST/GET/REQUEST superglobals as read-only properties. You never know when some library or add-on is going to messing around with them, and if you're going in there and rewriting stuff, it could break them. I'd have rewritten your escape loop as follows:

    $dbvals = array();
    foreach($_POST as $key => $val) {
        $dbvals[$key] = escape_function_of_choice($val);
    }
    then use the $dbvals array in your query building string.

    @yamikuronue said:

    what I thought was a pointer

    PHP won't ever create a reference for you unless you explicity request one with the & operator.

    @yamikuronue said:

    I can't seem to format a string to allow apostrophes in a text area and
    properly escape/replace/whatever them so that it can be sent to the
    databas

    All you need is htmlspecialchars() which will convert the html-tag-breaking characters (single/double quotes, ampersand, and the angle brackets) into the equivalent character entities:

    <input type="text" name="somefield" value="<?= htmlspecialchars($value_to_spit_out) ?>" />

    The urlencode/decode functions should be used only when you're building a URL. They do space -> %20/+ type conversions. 

    And as for the database stuff, you've got a plethora of choices, which were mentioned above, as well as the (rather unsafe) roll-your-own type stuff such as str_replace(), preg_replace(), etc... 

    Oh, and one potential gotcha in your code:

    $value == ""

    Be careful with this sort of thing, as PHP will happily and silently convert zeroes and nulls and empty strings into one another:

    0 == '0': true
    '' == '0': false
    null == '': true
    null == '0': false
    null == 0: true

     


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.