I've read about how CI handles sessions differently than native sessions and feel slightly insecure about storing all the data in a cookie(?), unlike PHP's native session which only stores the session ID(?). So I've decided to use native sessions without the CI native_session library.
Now, I know that the Input Class in CI validates Isset with a true/false statement like this:
if ($this->input->post('something'))
which renders the Isset function unable to work (it gives an error). However, I'd like to check my native sessions with the Isset function, so how can I do this? I've tried
if (isset($_SESSION['keyHere']))
which gives me an error.
So to sum up: I want to use Isset on my session array as I feel using
if ($_SESSION['keyHere'])
without the Isset might be 'dangerous/foolish'.
Also, as a last question I'm curious about which session handling you think is safest? CI's Session Class or PHP's native handling with server-side storage etc.? I'd very much like to feel as safe as possible when it comes to sessions, no matter if it means I'll have to write longer code.
Ok so, lets talk about the problem that you're having with isset!
i agree to all answers behind, the empty function its an good try, using array_key_exists too, but isset have your own place on php language.
At first you didn't post the error taht you're getting, bu as #GolezTrol saidyou're probally having trouble with session_start().
You need to put it on the top of the page, before any scripts. I would put this code before all scripts, and the best place to put it its inside the config/config.php page, at the start of it, or maybe on the root index.php
Using it, you will starting the session on all pages of your system.
Well, about your second question.
I think the session native of PHP its really secure, but the session of Codeigniter it's really nice too.
Codeigniter has some problems with the security, when we talk about cookies, if we are handling with important data of system, its hard to work with it, especially if someone else could edit it, thinking about all of it that i describe above, i could say that Codeigniter has a good seession library, even if we are working with important data.
If you don't believe on the security of cookie, just put on database, and you will have any trouble with it. The good thing its the ability and the facility to work with this class on everyplace of the system!
Actually i'm using the way of database, and i suggest it.
I would use array_key_exists instead of isset. isset also checks if the value is not null, so an array with an existing key but a value of null will still return false. You know it is an array and you want to check if a key exists, so it makes the most sense to use array_key_exists.
But that's not the problem. :D
I think you need to call session_start() first.
PHP's native session handling performs just fine as long as you are on a single webserver.
$data=$this->session->userdata("session variable");
if($data)
{
// do something
}
use this in your CI code files. it works for me all the time !
$logindata = $this->session->userdata('username');
if ($logindata !== FALSE)
{
//it exists
}
might help!
I've always used php function empty(); though it works differently if you don't know what you are doing.
If it's an empty array, it will
return FALSE
If it's NULL, it will return FALSE
I personally had little problems with the new session class in CI 2.0.2. Create a table called "sessions" and store the sessions in the database, using sess_use_database to true. Also set sess_encrypt_cookies to true, and lastly, if you want sessions to match with user IPs, use sess_match_ip. Oh, and make sure to set encryption key, which will make it even more secure.
PHP sessions are nice, but I personally like CI sessions better because it gives more flexibility. Especially when you are running multiple web heads with load balancer.
Hope that helps!
Why not use the built in CodeIgniter Session Class? it will provide the same functionality as the input class in regards to not forcing you to use isset().
It allows for encrypted sessions and uses it's own session implementation.
$this->session->userdata("keyHere"); // returns false if not set
You really should use the codeigniter session class. You can make it store the session data in the db so the cookie holds just a unique identifier. You can also set that cookie to be encrypted with the codeigniter security key.
Then, when you access session information, it acts like the normal input methods and so you can just do if($this->session->userdata('name')) rather than using isset or empty or whatever.
Related
I'm new to backend programming. I chose the laravel framework. Already learned the basics. During the study, the question arose: is it necessary to use the form to transfer data to the server ?. For example: the deletion route looks like this to me
Delete.
If I leave it, will it be a mistake? Maybe advise an article or something. Thanks in advance
Short answer is no, it's not necessary, but you should (if you're bound to HTML only).
The HTTP standard has different methods for different purposes. Using an anchor tag will always make a HTTP GET request to the link/server, which is not ideal, GET request should never change the remote (server) state, that's a job other methods (POST, PUT, DELETE, PATCH), you should try to use the method that better describe what you're trying to do: in your case I suppose you're trying to delete a complaint, so a DELETE or POST is what you're looking for.
The only way to use make a non GET request in plain HTML* is to use <form>. Also if you're planning to use a method different from POST you should take a look at Laravel's #method here
Mind that if you can and want to use JavaScript to perform your request you totally can, dropping the requirement to have use form (docs and docs).
I have a listing page for an e-commerce website with various items (item_list.php). This page is generated with a PHP loop and displays each item inside a <li> element. Every item is a link to the same page, called item_details.php .
When clicking on the link i want to run a script that changes a SESSION var to a certain $id (which will be excracted from the <li> itself with .innerHTML function) and then allowing the browser to move into the next page (item_details).
This is needed so i can display the proper information about each item.
I think this is possible with Ajax but I would prefer a solution that uses JS and PHP only.
(P.S.This is for a University project and im still a PHP newbie, i tried searching for an answer for a good while but couldn't find a solution)
No JS or other client-side code can set session values, so you need either an ajax call to php, or some workaround. This is not a complete answer, but something to get you thinking and hopefully going on the project again.
The obvious answer is just include it in the link and then get it in PHP from the $_GET -array, and filter it properly.
item title
If, however, there is some reason this is not a question with an obvious answer:
1.) Closest what you're after can be achieved with a callback and an ajax call. The idea is to have the actual link with a click function, returning false so the link doesn't fire at once, which also calls an ajax post request which finally will use document.location to redirect your browser.
I strongly advice against this, as this will prevent ctrl-clicks causing a flawed user experience.
Check out some code an examples here, which you could modify. You will also need an ajax.php file which will actually set the session value. https://developers.google.com/analytics/devguides/collection/analyticsjs/enhanced-ecommerce#product-click
2.) Now, a perhaps slightly better approach, if you truly need to do this client-side could be to use an click handler which instead of performing an ajax call or setting session directly, would be to use jQuery to set a cookie and then access this data on the item_list.php -page.
See more information and instructions here: https://www.electrictoolbox.com/jquery-cookies/
<script>
$('product_li a).click(function(){
$.cookie("li_click_data", $(this).parent().innerhtml());
return true;
});
</script>
......
<li class="product_li">your product title</li>
And in your target php file you check for the cookie. Remember, that this cookie can be set to anything, so never ever trust user data. Test and filter it in order to make sure your code is not compromised. I don't know what you want to do with this data.
$_COOKIE['li_click_data'];
3.) Finally, as the best approach, you should look at your current code, and see if there is something you can re-engineer. Here's a quick example.
You could do the following in php to save an array of the values in the session on each page load, and then get that value provided you have some kind of id or other usable identifier for your items:
// for list_items.php
foreach($item as $i) {
// Do what you normally do, but also set an array in the session.
// Presuming you have an id or some other means (here as item_id), to identify
// an item, then you can also access this array on the item_details -page.
$_SESSION['mystic_item_data_array'][$i['item_id]] = $i['thedata'];
}
// For item_details.php
$item_id = // whatever means you use to identify items, get that id.
$data_you_need = $_SESSION['mystic_item_data_array'][$item_id];
Finally.
All above ways are usable for small data like previous page, filters, keys and similar.
Basically, 1 and 2 (client-side) should only be used, if the data is actually generated client-side. If you have it in PHP already, then process it in php as well.
If your intention is to store actual html, then just regenerate that again on the other page and use one of the above ways to store the small data in case you need that.
I hope this gets you going and at least thinking of how to solve your project. Good luck!
I use codeigniter as my framework and in the top of my controllers I am going to add a line of code that will send the uri_string (the last page the user requested) to a library which will send it into the users session and possibly eventually into a database.
My question is whether or not I need to validate this uri_string() at all or whether it is safe as is?
Simple answer, if in doubt validate it.
For the short time it will take you to code it you will have peace of mind.
Also, if this is going to happen for all you controllers may I suggest that you either add the function call to the construct of each controller or extend the core controller to include the call in its construct.
Keep in mind that the 'permitted_uri_chars' item in config.php will automatically prohibit any URL that contains non-permitted characters. So, as long as you haven't modified that to include potentially malicious characters, you should be ok. From the comments in config.php:
By default only these are allowed: a-z 0-9~%.:_-
However, as Rooneyl mentions, it probably wouldn't hurt anything to sanitize it anyway.
Why does CodeIgniter's XSS filter only react through regular expressions on specific things instead of sanitizing all input in the first place regardless if the content is tainted or not? Also, why is this done during input and not on output (like it's supposed to be?)
Why does CodeIgniter's XSS filter only react through regular expressions on specific things instead of sanitizing all input in the first place regardless if the content is tainted or not?
This doesn't make much sense. How are we to tell whether or not something is "tainted" without checking it first?
By the definition of CI's xss_clean(), we don't always want to sanitize input. As you mentioned, it's the output that matters - and that's where we need to be mindful of XSS atacks. If we always "sanitize" input with CI's xss_clean(), then how would I, for one example, be able to post javascript or PHP code examples on my blog, or let users do it in the comments? It would end up getting [removed].
Also, why is this done during input and not on output (like it's supposed to be?)
You do have the option to enable the global xss filter in your CI config, which will run xss_clean() on $_POST, $_GET, and $_COOKIE data automatically before you can get your hands on it. This is the lowest level possible to protect you from yourself, bu the option is always available to instead clean the data explicitly. For example:
// With the Input class on $_POST data
$this->input->post('username', TRUE); // Second parameter runs xss_clean
// Using the Security class on any data
$this->security->xss_clean($username);
// Using the Form Validation class to automatically clean the input
$this->form_validation->set_rules('username', '', 'xss_clean');
Since you could still simply use $_POST['username'] instead, by enabling the global filter it will already be xss_cleaned for you. This is the lazy way to do it, and unfortunately once those globals are cleaned, there's no way to undo it.
If you are already aware of when and where XSS attacks can happen - you have the function easily available to use if you wish. Keep in mind that this does not magically make all data "safe", it merely prevents some of the more malicious code injection. Something more harmless like </div> will get past this filter. You should always be sanitizing input explicitly in an appropriate way for the context in which it is used.
I am working on a guess-a-number game with Ruby that will be online. I know I need to pass the SESSION somehow to keep the number that they are guessing, but I have tried a ton of methods with no luck. My code is here.
Any thoughts on what I can do get this code working? I have declared each of my sections.
A session is, usually, a combination of a cookie (session cookie), or some session id tacked onto the url, which has some unique identification of the current "session" and a way to save the data on the server and retrieve it when given the id from the cookie.
So I would set a cookie based on for example ip + Time.now.to_i and then save that ID and the values I want set into a database or a text file on the hard drive. Note that there is probably a lot better ways to create a unique ID but aim for the simple stuff first. :)
I also recommend that you look into CGI::Session which you require with require 'cgi/session'.