
I have the following login script, where I do use sessions.

<?php
session_start();
if(isset($_SESSION['logged_in'])){
    $id = $_SESSION['id'];
    header("Location: start.php?id=$id");
    exit();
}

if(isset($_POST['submit'])){

    $x1 = $_POST['x1'];
    $x2 = $_POST['x2'];
...
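    // Bind the POST values as parameters instead of concatenating them into the SQL string
    $stmt = $db->prepare("SELECT * FROM table WHERE x1=? AND x2=?");
    $stmt->bind_param('ss', $x1, $x2);
    $stmt->execute();
    $query = $stmt->get_result();
    if($query->num_rows === 1){

        $row = $query->fetch_object();
        $id = $row->id;

        $_SESSION['logged_in'] = true;
        $_SESSION['id'] = $id;
        header("Location: start.php?id=$id");

        // 3 more queries
        exit();
    }
}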

start.php will be just:

<?php
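// The value comes straight from the URL, so escape it before output
echo htmlspecialchars($_GET['id'] ?? '', ENT_QUOTES, 'UTF-8');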
?>

I thought $_GET['id'] would be stored on the server so that $_GET should be displayed. The fetch_object is working. I know that because it is displayed the right way as "id=$id" in the browser. Would someone be so kind as to help me out? Thanks!

 Answers

2

The $_GET superglobal is defined as part of the URL string:

http://example.org/index.php?foo=bar&baz=1

In index.php:

echo $_GET['foo']; // bar
echo $_GET['baz']; // 1

So $_GET is not stored on the server, but is passed with each HTTP request, as is $_POST, but that is passed in the HTTP headers rather than simply appended to the end of the URL.

Wednesday, September 28, 2022
 
alankar
 
1

You can modify another user's session (see below), although personally I would recommend against it, as I imagine it can open up a whole world of session hijacking and other vulnerabilities.

With your example use case

A common user is logged, while in the same time an administrator uses the Admin functions and change some value for this user. If the value is not something obtained from the database every time, the session variable for that current logged in user need to have its value changed.

You would be better off updating the value in the database and then just checking to see if it's changed before you process the next page. If you don't want to be checking multiple user fields before each page load, then when you update the user in the admin panel, you can build a hash of the values and add it to a new column called session_hash. Then just compare this field on page load.

But if you still want to modify another user's session, you can set your current session_id to the target's.

// End my current session and save its id
session_start();
$my_session_id = session_id();
session_write_close();

// Modify our target session 
session_id($target_id);
session_start();
$_SESSION['is_logged_in'] = false;
session_write_close();

// Start our old session again
session_id($my_session_id);
session_start();

EDIT

Example: https://www.samdjames.uk/session_example/index.php

Example Src: https://gist.github.com/SamJUK/c220e3742487567c6262238edf85695e

Monday, December 5, 2022
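
The session_hash check recommended in the answer above, as an added example that is not the answerer's code. It assumes PDO with the SQLite driver; the users table, its role and active columns and the function names are hypothetical, and $session stands in for $_SESSION.

```php
<?php
// Added example; table, columns (except session_hash) and function names are hypothetical.
function user_hash(string $role, int $active): string {
    // Hash only the fields whose change a live session must notice.
    return hash('sha256', json_encode([$role, $active]));
}

function admin_update(PDO $db, int $id, string $role, int $active): void {
    // The admin panel writes the new values and their hash in one statement.
    $stmt = $db->prepare('UPDATE users SET role = ?, active = ?, session_hash = ? WHERE id = ?');
    $stmt->execute([$role, $active, user_hash($role, $active), $id]);
}

function refresh_session(PDO $db, array &$session): bool {
    // Called on every page load: one primary-key lookup, one comparison.
    $stmt = $db->prepare('SELECT role, active, session_hash FROM users WHERE id = ?');
    $stmt->execute([$session['id'] ?? 0]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !$row['active']) {
        $session = [];   // account deleted or disabled: drop the login
        return false;
    }
    if (!hash_equals((string)$row['session_hash'], $session['session_hash'] ?? '')) {
        // Values changed since they were cached: reload them from the database.
        $session['role'] = $row['role'];
        $session['session_hash'] = $row['session_hash'];
    }
    return true;
}

// Constructed demo data; $session stands in for $_SESSION.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, role TEXT, active INTEGER, session_hash TEXT)');
$db->exec('INSERT INTO users (id) VALUES (1)');
admin_update($db, 1, 'user', 1);

$session = ['id' => 1];
refresh_session($db, $session);       // first load caches the role
admin_update($db, 1, 'editor', 1);    // admin changes the role
refresh_session($db, $session);       // session picks up the change
echo $session['role'], PHP_EOL;
admin_update($db, 1, 'editor', 0);    // admin disables the account
var_dump(refresh_session($db, $session));
```

In an application, refresh_session would be called with $_SESSION right after session_start(), with a redirect to the login page when it returns false.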
 
5

Instead of setting the time in ini to a fixed length, remember that the session timeout is reset on reload. So create some ajax code that does a request every 5 minutes or so to a file (image or something). This way the timer is reset every 5 minutes and users can spend a day filling out your forms.

Saturday, November 5, 2022
 
3

Use CURL.

<?php
        // create curl resource
        $ch = curl_init();

        // set url
        curl_setopt($ch, CURLOPT_URL, "example.com");

        //return the transfer as a string
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);


        // set the UA
        curl_setopt($ch, CURLOPT_USERAGENT, 'My App (http://www.example.com/)');

        // Alternatively, lie, and pretend to be a browser
        // curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

        // $output contains the output string
        $output = curl_exec($ch);

        // close curl resource to free up system resources
        curl_close($ch);     
?>

(From http://uk.php.net/manual/en/curl.examples-basic.php)

Sunday, November 27, 2022
 
2

First:

Construct your $Language argument as an actual PowerShell array; what you attempted creates a multi-line string instead.

Creating that array should be as simple as:

$Language = $PackageConfigFile.Language -replace '$', '.txt'

-replace, with a collection (array) as the LHS, operates on each item in the collection individually; '$', '.txt' effectively appends .txt to the end ($) of each input item, and the resulting modified elements are collected in $Language as an array, of .NET type System.Object[].

Second:

Do not enclose $Language, your array argument, in "...".

Get-ChildItem $InstallDirLang* -Exclude $Language | Remove-Item -WhatIf

If you enclose an array variable in "...", PowerShell converts it to a single string, composed of the array elements concatenated with the value of preference variable $OFS, which defaults to a space; e.g.:

PS> $arr = 'a', 'b', 'c'; "[$arr]"
[a b c]

For readers coming from a UNIX / bash background:

PowerShell variables do NOT need to be double-quoted when they're passed to other commands, whatever they may contain (spaces or other shell metacharacters).

When calling PowerShell-native functionality (cmdlets, functions, scripts), the variable's original type is preserved as-is (the ability to use the .NET Framework's rich type system is the core feature that exemplifies PowerShell's evolutionary quantum leap in the world of shells).

Only use "..." if you explicitly want to pass a string to the target command.

Thursday, September 8, 2022