Jump to content

why isn't conditional statement working?


raydona

Recommended Posts

Hi,

I asked a question about Tokens earlier. After debugging I've found the reason as to why my program isn't working. It's related to this statement:

if($token == $_SESSION['token'])
{ ........;
return true;
}
$token is generated in form using md5(uniqid()). When I echo both $token and $_SESSION['token'] before the if statement they both turn out to be the same. Yet for some reason the if statement is not being satisfied and is not returning true as it's supposed to do. (I've tried $token === $_SESSION['token'] as well.) I don't know if some kind of type casting or other is required for the conditional statement to work. Would be grateful for any suggestions. Edited by mac_gyver
removed links from copied text
Link to comment
Share on other sites

Hello,
Many thanks for the reply. I used var_dump() on both values and the following is obtained:

string 'be33cfc1f0eed02e8176d7281975b05e' (length=41)

string 'be33cfc1f0eed02e8176d7281975b05e' (length=32)

If there are any extra white-space/non-printing characters I don't know how to locate and remove them. I've used trim() but it's not solving the problem. Could you please suggest a solution.

Link to comment
Share on other sites

the correct length is 32, which the second one has. the first one has some extra non-printing characters in it somewhere. what does the 'view source' in the browser of the var_dump() output show?

 

what's the code that's responsible for setting the $token variable and if it is coming from a form, what is the code producing the form field it's being passed in?

Link to comment
Share on other sites

There seems to be 9 chars before the first "b" with these hex codes

 

0 - 0xEF
1 - 0xBB
2 - 0xBF
3 - 0xEF
4 - 0xBB
5 - 0xBF
6 - 0xEF
7 - 0xBB
8 - 0xBF

// copy/pasted first string
$str = "be33cfc1f0eed02e8176d7281975b05e";
$k = strlen($str);

echo '<pre>';
for ($i=0; $i<$k; $i++) {
    printf('%2d   0x%2s  %1s<br>', $i, dechex(ord($str[$i])), $str[$i]);
}
Edited by Barand
Link to comment
Share on other sites

Alternatively

$str = "be33cfc1f0eed02e8176d7281975b05e";
$k = strlen($str);

$x = unpack('c*', $str);

echo '<pre>';
for ($i=1; $i<$k+1; $i++) {
    printf('| %2d | %02X | %1c |<br>', $i, $x[$i], $x[$i]);
}
echo '</pre>';

Giving

|  1 | FFFFFFEF | ï |
|  2 | FFFFFFBB | » |
|  3 | FFFFFFBF | ¿ |
|  4 | FFFFFFEF | ï |
|  5 | FFFFFFBB | » |
|  6 | FFFFFFBF | ¿ |
|  7 | FFFFFFEF | ï |
|  8 | FFFFFFBB | » |
|  9 | FFFFFFBF | ¿ |
| 10 | 62 | b |
| 11 | 65 | e |
| 12 | 33 | 3 |
| 13 | 33 | 3 |
| 14 | 63 | c |
| 15 | 66 | f |
| 16 | 63 | c |
| 17 | 31 | 1 |
| 18 | 66 | f |
| 19 | 30 | 0 |
| 20 | 65 | e |
| 21 | 65 | e |
| 22 | 64 | d |
| 23 | 30 | 0 |
| 24 | 32 | 2 |
| 25 | 65 | e |
| 26 | 38 | 8 |
| 27 | 31 | 1 |
| 28 | 37 | 7 |
| 29 | 36 | 6 |
| 30 | 64 | d |
| 31 | 37 | 7 |
| 32 | 32 | 2 |
| 33 | 38 | 8 |
| 34 | 31 | 1 |
| 35 | 39 | 9 |
| 36 | 37 | 7 |
| 37 | 35 | 5 |
| 38 | 62 | b |
| 39 | 30 | 0 |
| 40 | 35 | 5 |
| 41 | 65 | e |
Link to comment
Share on other sites

Hi,

  I have included the following code that is relevant to the problem described above:

<?php

    class Token
    {  public static function generate()
       {  return Session::put('token'), md5(uniqid()));
       }

       public static function check($token)
       { $tokenName = 'token';

         if(Session::exists($tokenName) && $token ===
Session::get($tokenName))
         { Session::delete($tokenName);  
           return true;
         }
         return false;
       }
    }
///////////////////////////////////////////////////////////////
      class Session
      {
         public static function exists($name)
         { return (isset($_SESSION[$name])) ? true : false;
         }

         public static function put($name, $value)
         { return $_SESSION[$name] = $value;
         }

         public static function get($name)
         { return $_SESSION[$name];
         }

         public static function delete($name)
         { if(self::exists($name))
           { unset($_SESSION[$name]);
           }
         }
///////////////////////////////////////////////////////////////
    class Input
    {  
       public static function get($item)
       { if(isset($_POST[$item]))
         { return $_POST[$item];
         }
         return '';
       }
    }
//////////////////////////////////////////////////////////////

   if(isset($_POST['username']) && isset($_POST['password']))
   { if(Token::check(Input::get('token')))
     { $validate = new Validate();

       $validation = ................;

       if($validation->passed())
       { $user = new User();

         $login = $user->login(Input::get('username'),
Input::get('password'));

         if($login)
         { echo 'Success';
           Redirect::to('index.php');
         }
         else
         { echo 'Sorry, login failed!';
         }
       }     //validation passed
       else
       { foreach($validation->errors() as $error)
         { echo $error, '<br>';
         }
         echo "<script> setTimeout(\"location.href =
'index.php';\",30000); </script>";
       }
     }
   }
?>

<form action="" method="POST">
<P>
  <label for="username">Username</label>
  <input type="text" name="username" id="username"

autocomplete="off">
</P>
<P>
  <label for="password">Password</label>
  <input type="password" name="password" id="password"

autocomplete="off">
</P>
<P>
  <input type="hidden" name="token" value="<?php echo

Token::generate(); ?>">
  <input type="submit" value="LOG IN">
</P>
</form>

This is what 'view source' in the browser of the var_dump() output shows:

<pre class='xdebug-var-dump' dir='ltr'><small>string</small> <font color='#cc0000'>'e62862d9f9ce6cd41fc7873c53683108'</font> <i>(length=41)</i>
</pre><br><pre class='xdebug-var-dump' dir='ltr'><small>string</small> <font color='#cc0000'>'e62862d9f9ce6cd41fc7873c53683108'</font> <i>(length=32)</i>
</pre><br>
<form action="" method="POST">
<P>
<label for="username">Username</label>
<input type="text" name="username" id="username" autocomplete="off">
</P>
<P>
<label for="password">Password</label>
<input type="password" name="password" id="password" autocomplete="off">
</P>
<P>
<input type="hidden" name="token" value="695d40eec4673a3b8a36493c67cdfbd4">
<input type="submit" value="LOG IN">
</P>
</form>
Link to comment
Share on other sites

the characters being added are BOM (Byte Order Mark) characters, times 3. your posted php code/html don't appear to have them in it, though the process of editing/copy/pasting for the post could have removed the characters. i have never seen a case where a browser added BOM characters to form data values, so it's most likely that your php code/html has them in it, probably due to copy/pasting code from somewhere it was published at with BOM characters as part of it.

 

the code you didn't post was - 

 

what's the code that's responsible for setting the $token variable 

 

what code do you have that does anything with $_POST['token'] through to the point where $token gets set?

 

you can narrow down the problem further by using var_dump($_POST) at the start of your processing code; to see if the characters are coming in with the post data or if they are being added by the processing code.

Link to comment
Share on other sites

Hi,

  The code for setting the $token variable is:

 

       public static function generate()
       {  return Session::put('token'), md5(uniqid()));
       }

 

which is basically md5(uniqid()). Immediately after form is submitted I get:

 

string '9a0453403ae941b6ae5744882dce0f08' (length=41)

 

which suggests non-printing characters are inserted when $token is created.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.