[RESOLVED] SESSION Varuables, saving & retrieving

Rivet

PHP 5.3, Win 7, XAMP 1.7.3 local server, + a website with PHP 5.4 served.
3 forms: form.php, formcheck.php and thanks.html. Code is below.

I guess my methodology might be best to start witn in case it's all wrong. 😕

It's always seemed logical to get the security issues with access taken care of first, rather than on a 2nd or 3rd page. To that end, I'd like to put the initial security issues right up front onf the form.php just above the actual form input data.

On form.php:
First I create a random number using mt_rand and have the user type it into an input box, type=text, etc. which I assign to $d and follow it with the remaining inputs needed. No problem, all $_POST info echoes fine in formcheck.php.

Problem: Validating the random code.
In formcheck.php I have what the user entered as the code. BUT I cannot get at the 'code', OR the $d I assigned it to.
In other words, I have what the user eneterd, but I cannot get at the original random number to compare it to for validation. So I can't check if the 'code' the user entered and th eoriginal random number are the same!

Since I canot get at the original code from a POST, I decided to try using SESSION()s.

Here are the two pages' codes; minimized for my own clarity and TSing.

So I end up with 2 questions:
1. Is SESSION a reasonable way to get the info to other pages? Or is there an easier way?
All the sample code I've been able to find brings this question up:
2. In formcheck.php, WHERE can the $_SESSION[... be located in a script?
All the examples show it coming immediately after the session_start() but that feels like asking for something that hasn't existed yet. But a session, which any page could access, sounds like the answer but of course it won't work for me!🙁 I get an undefined index error in formcheck.php.

Here are the codes:

 form.php

<?php
session_start();
$_session['key']='code';
?>
<!DOCTYPE html>
<head>
<title> Contact Form</title>
</head>
<body>
<html>
<?php
echo "<H1> Contact Form </H1>";
   $a= mt_rand(nnn,nnn);
   $b= mt_rand(nnn,nnn);
   $c= mt_rand(nnnnn);
   $d=($a.$b.$c);
   echo "Your Temporary Code is : " . $d."<br />" ;
?>
<form action="formcheck.php" method="post">
<p> Enter your temporary code here : </b> <input type="text" name="code" size="14 "  maxlength="12">  ,including dashes. <br />
<p> Enter Your Name :  <input type="text" name="name" length="20" maxlength="25" value="Tom Rivet" <br /> </p>
<p> Your E-mail Address : <input type="text" name="email" size="30" maxlength="40" value="nobody@spamcop.net" <br />
<p> <input type="submit" value="Send "> </p>
</form>
</body>
</html>

and

 formecheck.php:

<?php
session_start();
/* Set e-mail recipient */
$myemail  = "nobody@kspamcop.net";
echo "<br />"."My E-mail: ".$myemail."<br />";
echo "======================="."<br />";

$code=($_POST['code']);
echo "Your temporary code was: ".$code."<br />";
echo "======================="."<br />";

// Verify the code is correct:
  // use session?  Can't get sessions to work

$name=($_POST['name']);
echo "Your Name is: ".$name."<br />";
if (count(explode(' ', $name)) >2) {
  echo "You used too many names-use 1 or 2 names only."."<br />"."Go back and try again"."<br />";
}
echo (strlen($name)-1)." letters<br />";

echo "======================="."<br />";

 echo "Server IP is: " . $_SERVER['REMOTE_ADDR'];
echo "<br />"."======================="."<br />";
?>

An earlier question just occurred to me:
3. Is there a way to get the random number $d into a $_POST to use?

TIA,

Rivet`

sneakyimp

Putting the random value stored in $d into a POST value is probably not going to be secure. Any script kiddie could probably figure out that for the form to work $POST["d"] just needs to equal $POST["code"] and just engineer their exploit to take this into account. That said, your instinct to go with sessions is a good one.

As a general rule, you should probably define all of your PHP variables before you output any text (HTML, RSS, XML, whatever) to the browser at all. The reason for this is that certain PHP commands (such as [man]header[/man]) can only be called before you have sent any information to the browser.

Your code is close, but you'll need to put $d into a $SESSION slot before you move from one page to another:

<?php
// form.php
// call this before you try to assign any values to $_SESSION and check its result
if (!session_start()) {
  die("Session failed to start!");
}

$a= mt_rand(nnn,nnn);
$b= mt_rand(nnn,nnn);
$c= mt_rand(nnnnn);
$d=($a.$b.$c);
// put $d into the session so you can check it on subsequent pages
$_SESSION["d"] = $d;

// not sure what this is for?
$_session['key']='code';
?>
<!DOCTYPE html>
<head>
<title> Contact Form</title>
</head>
<body>
<html>
<h1> Contact Form </h1>
<?php
   echo "Your Temporary Code is : " . $d . "<br />" ;
?>
<form action="formcheck.php" method="post">
etc...
?>

Then, on formecheck.php, you can compare the value the user entered in the text input field with name="code" to the value stored in session:

<?php
// always call this first before trying to set values in $_SESSION
session_start();

/* Set e-mail recipient */
$myemail  = "nobody@kspamcop.net";
echo "<br />"."My E-mail: ".$myemail."<br />";
echo "======================="."<br />";

// NOTE:  you should probably check to make sure $_POST["code"] has been defined before you start working with it
$code=($_POST['code']);
echo "Your temporary code was: ".$code."<br />";
echo "======================="."<br />";

// Verify the code is correct:
if ($code != $_SESSION["d"]) {
  die("The code was " . $_SESSION["d"] . " but nooooo, you had to enter " . $code);
}

// etc...
?>

bradgrafelman

Rivet;11028985 wrote:
Since I canot get at the original code from a POST, I decided to try using SESSION()s.

Well, there are a couple of ways you could do this - more on that in the answer to Q2 below.

Rivet;11028985 wrote:
Is SESSION a reasonable way to get the info to other pages? Or is there an easier way?

It certainly is one way of doing things (others might include cookies, query strings, and hidden form elements). And, in my opinion, browser cookie settings aside, it's pretty easy/simple to use as well.

Rivet;11028985 wrote:
2. In formcheck.php, WHERE can the $_SESSION[... be located in a script?

Anywhere you like, assuming you've (successfully) started the session first via [man]session_start/man.

Rivet;11028985 wrote:
All the examples show it coming immediately after the session_start() but that feels like asking for something that hasn't existed yet.

Not sure what you mean... if you store something in a session variable, it will be immediately available on any other request after you call session_start().

Rivet;11028985 wrote:
But a session, which any page could access, sounds like the answer but of course it won't work for me!🙁 I get an undefined index error in formcheck.php.

While you should always verify that session data exists (just like any other external variable), if you're not able to access session data that you know was previously set, you might have an issue with the session ID not being propagated correctly. Simple way to debug this is to output [man]session_id/man on the different page loads (again, after starting the session) and verify that it does not change.

Having said that, can you show us the code you tried? Your current code snippet for "formecheck.php" doesn't make use of any session variables. Likewise, you're assigning a constant value to $_SESSION['key'] in form.php as opposed to something that I would think is more useful, namely the value stored in $d.

Rivet;11028985 wrote:
3. Is there a way to get the random number $d into a $POST to use?

See above - you could use a hidden form field (or the query string assuming $GET is just as acceptable as $_POST).

Rivet

Thank you! I think you've taught me how to do it!
What I wouldn't have thought of in a million years is:
"
$_SESSION["d"] = $d;
"
1. Can I assume that "d" could be anything (e.g. "stupid" instead of "d"? Or is there a causal relationship between "d" and "$d"?

Best Regards

sneakyimp

Rivet;11029009 wrote:
1. Can I assume that "d" could be anything (e.g. "stupid" instead of "d"? Or is there a causal relationship between "d" and "$d"?

$_SESSION is an associative [man]array[/man] -- meaning a collection of values, each of which can be set or accessed by an associative key. An "associative key" is a string that you can use to specify a particular member of the array.

In this case, d is our associative key and we are setting $SESSION["d"] to hold the contents of the variable $d:

$_SESSION["d"] = $d;

You can define a whole bunch of different members of $SESSION if you like:

session_start(); // you always have to call this before getting or setting values in $_SESSION
$_SESSION["comedian"] = "Louis CK";
$_SESSION["d"] = $d;
$_SESSION["the_answer_to_the_universe"] = 42;
$_SESSION["some_array"] = array(0, 25, 50);

Rivet

bradgrafelman;11028999 wrote:
Well, there are a couple of ways you could do this - more on that in the answer to Q2 below.

It certainly is one way of doing things (others might include cookies, query strings, and hidden form elements). And, in my opinion, browser cookie settings aside, it's pretty easy/simple to use as well.

[ME]:
I thought about cookies and had that working but discarded it because I didn't want things to be so easy to see in the clear. Also a lot of people don't allow 3rd party cookies, some not even 2nd party cookies.
I don't know SQL yet; too much of a newbie & too much to lern with all the newbie problems I'm having with some of the PHP nuances.
[/ME]

...
Not sure what you mean... if you store something in a session variable, it will be immediately available on any other request after you call session_start().
[ME]:
That's the part I'm having problems with; my assignments weren't correct.
[/ME]

...

Having said that, can you show us the code you tried? Your current code snippet for "formecheck.php" doesn't make use of any session variables. Likewise, you're assigning a constant value to $_SESSION['key'] in form.php as opposed to something that I would think is more useful, namely the value stored in $d.
[ME]:
I tried that, I'm pretty sure and it resulted in "undefined" or syntax error, depending on which attempt it was.
[/ME]

See above - you could use a hidden form field (or the query string assuming $GET is just as acceptable as $POST).

Thanks much; between you and sneakyimp I think I have a handle on it, though I want to go completely through it to be sure I hve it dow n before I mark this as resolved.

Rivet`

bradgrafelman

Rivet;11029015 wrote:
Also a lot of people don't allow 3rd party cookies, some not even 2nd party cookies.

Unless you see "?PHPSESSID=123456789abcef" (where the value is some random string of characters representing the session ID) appended to the query string of every URL, then you are using cookies when you start/resume a session; the cookie is what passes the session ID from one request to another - see [man]session.idpassing[/man] for more info.

Rivet

Thanks brad; I'm not usinug cookies but Sessions to pass the variables.
Unless you're telling me something I'm not aware of. I do not see the ?PHPSESSID=...

So as far as I know, nothing is showing in any place.

Regards,

Rivet`

bradgrafelman

Rivet;11029027 wrote:
Thanks brad; I'm not usinug cookies but Sessions to pass the variables.
Unless you're telling me something I'm not aware of. I do not see the ?PHPSESSID=...

If you aren't passing the session ID in the URL, then you are using cookies to pass the session ID. Thus, without mangling all of your URLs to add the session ID to the query strings, the only difference between using cookies vs. sessions is where the data is stored. Both methods require the client's browser to accept and use cookies.

sneakyimp

It's important to realize that every time your browser requests a page from the server, it must either provide its session ID or there will be no possibility of sessions at all. HTTP is a "stateless protocol" -- meaning that there is nothing inherent in the HTTP specification which keeps track of a particular user between subsequent page requests. To get around this statelessness, the server generates a session ID and hands it to a visitor -- usually on their first page request as a set-cookie header which instructs your browser to store the session ID as a cookie.

When you make your second (or nth) page request, your browser should send the cookies back. The server will take note of the session ID and use it to locate whatever session data you had stored previously.

Think of the web server as the valet at a fancy restaurant. When you show up and give them your car keys, they give you a ticket stub which you must present to get your car back. This ticket stub is a like a session id. If you come back without it, they won't know which car is yours. Similarly, if you don't hand the session ID to the web server when you come back, the server will have no idea which session was yours.

bradgrafelman

sneakyimp;11029035 wrote:
Similarly, if you don't hand the session ID to the web server when you come back, the server will have no idea which session was yours.

And instead, PHP will simply start a brand new session and give you a new ID.

Unfortunately, the same doesn't happen with valet parking.

Weedpacket

bradgrafelman;11029031 wrote:
If you aren't passing the session ID in the URL, then you are using cookies to pass the session ID. Thus, without mangling all of your URLs to add the session ID to the query strings, the only difference between using cookies vs. sessions is where the data is stored. Both methods require the client's browser to accept and use cookies.

As it says in the manual's Introduction to Sessions:

The Manual wrote:
A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL.