advice on sessions and security

ashley98860615

I have only recently started to learn PHP and have been following tutorials to help me along the way. I have implemented a system via the tutorial at: http://www.php-mysql-tutorial.com/cms-php-mysql.php with a few modifications to suit my site better.

My site is set out using a pages directory and a common index page where i use a $_GET code for dynamic linking (i'm not so sure this is very secure either??) but when trying to access an adminstration section (obvisously in a different directory) the session doesn't hold, is there something i am doing wrong.

The basic code (not for the adminstration pages) i am using to check session details is:

<?php
// logged in or not?
if (!isset($SESSION['image_is_logged_in']) || $SESSION['image_is_logged_in'] !== true) {
echo '<a href="./index.php?page=loginprofile">Login</a> or <a href="./index.php?page=register">Register</a>' ;
}
else {
echo '<a href="./index.php?page=logout">Logout</a>' ;
}
?>

Basically am i doing something wrong or am i using the wrong method? Also is using $_SESSION secure enough?

ttfn

HP400

you need the

session_start();

at the top of every page

As far as using GET for dynamic pages don't worry. Really the only thing you have to do is verify the $_GET variable. So if you have a page...

product.php?prod_id=56

Just verify prod_id is an integer. You can use the is_numeric function or custom implement an is_int function that accepts strings (there is one in the comments on the php is_int documentation page).

As long as you don't allow stuff like...

product.php?prod_id=56'DELETE FROM products;

ashley98860615

it seems to keep me logged in for the adminstration section but the included navigation file says im not, strange but i guess it doesn't matter too much.

What happens if i am using names for pages and not numbers? I found this from zend but im not sure how to add it into my function (shown below the below function):

if (ereg("^[a-z]+\.html$", $id)) { 
        echo "Good!"; 
    } else { 
        die("Try hacking somebody else's site."); 
    }

$file = $_GET['page'];
if (!isset($file)) {
  include"./pages/home.php";
} else {
  include"./pages/$file.php";
}

HP400

You could take it one step farther and add the

if (file_exists($file))
incluude_once $file;

Is your menu in the include file? Does the main page that includes this file have the session_start()?

ashley98860615

basically my file system is:

admin
includes
[INDENT] header
footer
navigation[/INDENT]
library
[INDENT]dbstuff[/INDENT]
pages
[INDENT]home
news
login
register[/INDENT]index.php
looks.css

The index page includes a session_start() at the very top.. the code i posted previously is after this - is this what you mean?

HP400

Hmmm still difficult to see whats wrong. In regards to your code above you could easily just do a

if (!$_SESSION['image_is_logged_in'])

ashley98860615

i dont understand how to check that the string is correct?

to take it one step further how can you read the contents of a directory like in phpnuke but with php files instead of directories?