timothyarden

Members
Posts: 149
Everything posted by timothyarden

  1. Okay, thanks for explaining that (and the link) David, it helps a lot. I am already using session_destroy() (I probably should have mentioned that, sorry). I just don't understand why on php.net they say not to unset() the $_SESSION variable? Thanks for that r3wt, I won't use a second session for admins.
  2. Another question: In my logout script I am doing this:

        unset($_SESSION)

     But in the PHP manual it says "Caution: Do NOT unset the whole $_SESSION with unset($_SESSION) as this will disable the registering of session variables through the $_SESSION superglobal." It is currently having no problems and no errors, so I don't understand what it means - could someone explain please? Thank you
  3. Thank you for the posts r3wt and Psycho. r3wt: Could you please expand on why you said: "don't rely on the session for authentication"? Is it for the same reason as further above where Jacques said if the data is updated it will not be updated for that individual user until they log out? Psycho: Point 1 - Okay, I won't check the database on each pageload - only for sensitive pages like mentioned earlier. Point 2 - Thank you for explaining why SSL doesn't matter for sessions. If it isn't 100% secure, is there any way I can increase its security / any guidelines I need to follow? Point 3 - Could a hacker potentially copy a person's cookie and use it themselves - having the server see the cookie's identifier and then grant access to the session data which is stored and modified on the server? Thanks for everyone's help so far! EDIT: This is already in my code and executed on every page load:

        function __construct( $SessionName = "developmentwebsite", $Secure = SECURE, $HTTPOnly = TRUE ){
            // sec_session_start()
            if( ( ini_set( 'session.cookie_secure', 1 ) === FALSE ) || ( ini_set( 'session.cookie_httponly', 1 ) === FALSE ) || ( ini_set( 'session.use_only_cookies', 1 ) === FALSE ) ){
                // Forces sessions to only use cookies.
                header( "Location: ../Error.php?error=Could not initiate a safe session (ini_set)" );
                exit();
            }
            $CookieParams = session_get_cookie_params();
            session_set_cookie_params( $CookieParams[ "lifetime" ], $CookieParams[ "path" ], $CookieParams[ "domain" ], $Secure, $HTTPOnly );
            if( !isset( $_SESSION ) ){
                session_name( $SessionName );
                session_start();
            }
            session_regenerate_id();
            $_SESSION[ 'Expiration' ] = NULL; // This will be 15 minutes later and have validation in another part of the script
        }
  4. Also, how do sessions use cookies, and aren't they vulnerable through this?
  5. Thank you for your responses Jacques, Psycho and David. For the purposes of this project there will be very little, if any, change to administrators once the application is launched. Once a user is admin, there should be no need to change admin status as these people are all part of an organisation and we can trust each other. But I had planned to set whether the user was an admin in the session and validate this from the database each pageload. So does this mean that sessions are 100% secure and can only be viewed and edited by the server scripts (unless the script displays them in some form)? Also, does the above depend at all on whether you have a secure connection with SSL? And thanks for that David, I'm leaning towards 15 minutes lockout.
  6. Is it safe to use a session to validate whether or not a user is an administrator? (https is being used, if it makes any difference.) For example:

        $Administrator = // Get true / false from mysql database ;
        $_SESSION[ 'Administrator' ] = $Administrator;
        // And later use this to validate access to sensitive parts of a web application
        CheckAdmin( $_SESSION[ 'Administrator' ] );

     Is this practice safe because the session is stored on the server and the client only has an identifier with which the server recognises that the session belongs to that client? If not, could you explain why and how I could achieve what I am trying to do / fix any vulnerabilities that using a session to validate administrator access would have. Thanks in advance!
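The session questions in posts 1 to 6 (storing the admin flag server-side, cookie flags, re-checking the database only on sensitive pages, a 15-minute idle timeout, and clearing the session on logout without unset($_SESSION)) come together in the following added example. It is not code from the thread or from any poster; it assumes PHP 7.3 or newer, a PDO connection $db and a constructed users table with columns id, username, password_hash and is_admin.

```php
<?php
// Added example (not the poster's code): a session-based admin check with
// hardened cookie flags, ID regeneration on login, a database re-check for
// sensitive pages, an idle timeout, and a logout that clears the session
// without unset($_SESSION).
// Assumes: PHP 7.3+, a PDO connection $db, and a constructed users table
// (id, username, password_hash, is_admin).

declare(strict_types=1);

function secureSessionStart(string $name = 'app_session'): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_name($name);
    ini_set('session.use_only_cookies', '1');   // never accept the ID from the URL
    ini_set('session.use_strict_mode', '1');    // reject IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable by JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called once, after the password has been verified against the database.
function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash, is_admin FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Fresh ID on privilege change, so a pre-login ID is never promoted.
    session_regenerate_id(true);
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['is_admin']  = (bool) $row['is_admin'];
    $_SESSION['last_seen'] = time();
    return true;
}

// Cheap check for ordinary pages: the session data lives on the server.
function isAdmin(): bool
{
    return !empty($_SESSION['is_admin']);
}

// Stricter check for sensitive pages: re-read the flag from the database
// so a revoked admin loses access before the session expires.
function isAdminFresh(PDO $db): bool
{
    if (empty($_SESSION['user_id'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT is_admin FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $fresh = (bool) $stmt->fetchColumn();
    $_SESSION['is_admin'] = $fresh;             // keep the cached copy in step
    return $fresh;
}

// 15-minute idle timeout, evaluated on every request; refresh last_seen when it passes.
function sessionExpired(int $idleSeconds = 900): bool
{
    if (isset($_SESSION['last_seen']) && (time() - $_SESSION['last_seen']) > $idleSeconds) {
        return true;
    }
    $_SESSION['last_seen'] = time();
    return false;
}

// Logout: empty the array instead of unset($_SESSION), drop the cookie, destroy server data.
function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

The split between isAdmin() and isAdminFresh() is the point Psycho raised: the session copy is fine for everyday pages, while pages that change data re-read the flag. The cookie only ever carries the session ID, so the manual's warning about unset($_SESSION) is avoided by assigning an empty array, which clears the data while leaving the superglobal usable.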
  7. Not super experienced with this, so I won't give you advice on the code because I may confuse you, but I was thinking I should suggest that you use MySQLi within your script instead.
  8. Still reading through the article. So far it has been a massive help. Thank you so much! I will probably still have some questions at the end of it though.
  9. I guess there isn't any real reason for setting it in the script. I understand what it does though; setting the MySQLi connection to, when it sends queries to the database, have a max of 5 minutes before it times out.
  10. I removed the inverted commas around MYSQLI_OPT_CONNECT_TIMEOUT and the warning is gone - is that how it should be? (I got the code off a website.)
  11. Does anyone know why this code is getting this warning:

        $DatabaseConnection -> options( "MYSQLI_OPT_CONNECT_TIMEOUT", 300 );

      Warning: mysqli::options() expects parameter 1 to be long, string given in... (definitely this line)

      This didn't help me: http://www.php.net/manual/en/mysqli.options.php
  12. Also, from your previous code, will this extract

        var_dump(self::$stat); // self refers to the class A
        var_dump($this->inst); // $this refers to the specific instance of A

      have the same effect as

        var_dump($this::$stat); // self refers to the class A
        var_dump(self->inst); // $this refers to the specific instance of A

      or have I missed the point?
  13. Thank you for your post Jacques. Could you also explain what you mean by current object? (I understand current class.) I tried to look up objects but it didn't help: http://www.php.net/manual/en/language.types.object.php Could you also explain what a method or attribute of an object is? "The -> operator is used to call a method or access an attribute of an object"; does this mean it can also be used in addition to :: to access static methods or an attribute of a class, or is :: to be used exclusively for static methods and attributes of classes?
  14. Hi Everyone, I am struggling to understand the differences between "self", "$this", "::" and "->" and when / how to use them in classes. Any help would be appreciated, also if you could dumb it down to plain English that would help a lot! Thanks in advance. (In what I've been reading it's been saying stuff about static methods and I'm not sure when / how this influences it - am I going down the wrong path?)
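The distinction asked about in posts 12 to 14 (self and :: for class-level, static members; $this and -> for the members of one object) is shown in this added example. It is not code from the thread; the class names Counter and NamedCounter are invented, and it assumes PHP 8.0 or newer for the typed properties and the static return type.

```php
<?php
// Added example (not from the thread): one class showing when to use
// self::, static::, $this-> and the two operators. Names are invented.

declare(strict_types=1);

class Counter
{
    // A static property belongs to the class: one copy shared by all objects.
    private static int $instances = 0;

    // An instance property (attribute) belongs to each object separately.
    private string $label;

    const DEFAULT_LABEL = 'unnamed';          // class constant, reached with ::

    public function __construct(string $label = self::DEFAULT_LABEL)
    {
        $this->label = $label;                // $this = the object being constructed
        self::$instances++;                   // self = this class; :: reaches static members
    }

    // Instance method: needs an object, so it may use $this.
    public function label(): string
    {
        return $this->label;
    }

    // Static method: no object involved, so $this is unavailable here.
    public static function created(): int
    {
        return self::$instances;
    }

    // static:: (late static binding) resolves to the subclass actually called.
    public static function make(string $label): static
    {
        return new static($label);
    }
}

class NamedCounter extends Counter {}

$a = new Counter('first');
$b = NamedCounter::make('second');           // :: calls a static method on a class
echo $a->label(), PHP_EOL;                   // -> calls a method on an object: first
echo $b->label(), PHP_EOL;                   // second
echo get_class($b), PHP_EOL;                 // NamedCounter, because make() used static::
echo Counter::created(), PHP_EOL;            // 2: both constructors incremented the shared counter
echo $a::created(), PHP_EOL;                 // 2: :: also works through an object to reach statics
```

The last line answers the question in post 13: -> is only for members of an object, while :: reaches static members and constants and may be written after either a class name or an object variable.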
  15. Yeah, I wanted a one line solution though, haha. The parentheses work fine and make it easily readable. Also, unless I'm not reading your code right, it would need 2 more elseif conditions - I just found it much simpler to do it in the one line instead of 10. Thanks for the tip though.
  16. Nevermind, managed to figure it out on my own, needed parentheses. Example:

        $Files = TRUE;
        $Directories = NULL;
        isset( $Files ) ? ( isset( $Directories ) ? $a = "Files & Directories" : $a = "Files" ) : ( isset( $Directories ) ? $a = "Directories" : $a = "Neither" );
        echo $a;
  17. Hi, just wanted to check with everyone that I am getting the logic right with the use of the ternary ? : operator:

        isset( $Files ) ? isset( $Directories ) ? __DisplayResults__( $Files, $Directories ) : __DisplayResults__( $Files, NULL ) : isset( $Directories ) ? __DisplayResults__( NULL, $Directories ) : $error = "Neither Directories or Folders are set";

      So that should do the same as:

        if( isset( $Files ) && isset( $Directories ) ){
            __DisplayResults__( $Files, $Directories );
        } elseif( isset( $Files ) ){
            __DisplayResults__( $Files, NULL );
        } elseif( isset( $Directories ) ){
            __DisplayResults__( NULL, $Directories );
        } else {
            $error = "Neither Directories or Folders are set";
        }

      Thanks
  18. Didn't change the code at all, just restarted XAMPP and it started working - so not sure what was going on. Thanks heaps for your help.
  19. Not sure what I am doing wrong and am not receiving any SQL or PHP errors, yet nothing is going into the database.

        error_reporting(E_ALL);
        ini_set('display_errors',1);

        function test(mysqli_stmt $stmt, array $args) {
            $refargs = array();
            foreach ($args as $key => $value) {
                $refargs[] =& $args[$key];
            }
            call_user_func_array(array($stmt, "bind_param"), $refargs);
        }

        $mysqli = new mysqli( 'localhost', 'root', '', 'database_name' );
        $stmt = $mysqli -> stmt_init();
        $stmt -> prepare( "INSERT INTO users (`username`,`name`) VALUES(?,?)" );
        test($stmt, array('ss','testusername','testname'));
        $stmt -> execute();

        if($mysqli -> connect_error || $mysqli -> connect_errno || mysqli_stmt_error($stmt) || mysqli_stmt_errno($stmt)){
            echo 'MySQL Connection Error: ('.$mysqli -> connect_errno.')'.$mysqli -> connect_error ;
            echo mysqli_stmt_errno($stmt).' - '.mysqli_stmt_error($stmt);
        } else {
            echo "Success";
        }
        $stmt -> close();

      Any ideas?
  20. Okay, thanks heaps Requinix. Will read over the call_user_func_array documentation and try to modify your code to suit my needs. Thanks again for your help. Will keep the topic open in case I need any more help.
  21. Hi Everyone, I am using the bind_param() function and am building a function around it. I need an automated way of inserting an uncertain (unlimited) amount of parameters into this function, i.e. have the PHP code able to insert parameters into the bind_param() function on its own. So if it is given 3 parameters put them in as bind_param($param1,$param2,$param3) or if given 5 parameters bind_param($param1,$param2,$param3,$param4,$param5). I need a way of having the script insert them in for me. What I was thinking was having all of these parameters given to a function above this as an array. I would then use a foreach loop to determine what type of value each value in this array is and create a string with the appropriate letters to have as the first parameter in the bind_param($value_types ... Then I need a way of cycling through this array and adding however many values it has, as individual parameters, to the bind_param() function. Thanks in advance, Timothy
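The procedure described in posts 19 to 21 (derive the type string from the values, then hand an arbitrary number of them to bind_param()) is shown as an added example below. It is not code from the thread or from Requinix; it assumes PHP 5.6 or newer for the "..." argument unpacking, which passes array elements by reference the way bind_param() requires, so the call_user_func_array() reference juggling is no longer needed. The connection credentials are placeholders; the users table and columns are the ones from post 19.

```php
<?php
// Added example (not the poster's code): bind any number of values to a mysqli
// prepared statement, deriving the type string from the PHP values.
// Assumes PHP 5.6+ ("..." unpacking passes elements by reference). Connection
// details below are placeholders.

declare(strict_types=1);

// Build the bind_param() type string: i = integer, d = double, s = string.
// null is typed as 's' so mysqli sends SQL NULL.
function mysqliTypeString(array $values): string
{
    $types = '';
    foreach ($values as $v) {
        if (is_int($v)) {
            $types .= 'i';
        } elseif (is_float($v)) {
            $types .= 'd';
        } elseif (is_string($v) || $v === null) {
            $types .= 's';
        } else {
            throw new InvalidArgumentException('Unsupported bind type: ' . gettype($v));
        }
    }
    return $types;
}

// Prepare, bind however many values were supplied, and execute.
function runPrepared(mysqli $db, string $sql, array $params): mysqli_stmt
{
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // Reindex so unpacking works on associative input; cast booleans to
    // integers because the 'i' type expects an integer value.
    $params = array_values($params);
    foreach ($params as $k => $v) {
        if (is_bool($v)) {
            $params[$k] = (int) $v;
        }
    }
    if ($params !== []) {
        $types = mysqliTypeString($params);
        // The spread passes each element by reference, as bind_param() requires.
        if (!$stmt->bind_param($types, ...$params)) {
            throw new RuntimeException('bind_param failed: ' . $stmt->error);
        }
    }
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    return $stmt;
}

// Usage (placeholder credentials; table and columns are from the thread):
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'database_name');
// runPrepared($db, 'INSERT INTO users (`username`, `name`) VALUES (?, ?)',
//             ['testusername', 'testname']);
// runPrepared($db, 'UPDATE users SET name = ? WHERE id = ?', ['new name', 42]);
```

Because the values travel as bound parameters rather than being spliced into the SQL string, this keeps the query text fixed regardless of how many values the caller supplies, which is the reason to build the function around bind_param() in the first place.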
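Post 22's dimension check, carried through to a complete upload validator, as an added example that is not code from the thread or the linked answer. It keeps the $_FILES["file_field_name"] field name from the post; the size limits and the return-array shape are invented, and it assumes PHP 7.1 or newer.

```php
<?php
// Added example (not the poster's code): validate an uploaded image's type,
// byte size and dimensions before accepting it. getimagesize() only parses the
// header, so the byte size is limited separately. Limits are placeholders.

declare(strict_types=1);

function validateUploadedImage(array $file, int $maxWidth, int $maxHeight, int $maxBytes): array
{
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'upload failed'];
    }
    // Refuse paths that were not uploaded in this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'reason' => 'not an uploaded file'];
    }
    if (filesize($file['tmp_name']) > $maxBytes) {
        return ['ok' => false, 'reason' => 'file too large'];
    }
    // getimagesize() returns false when the bytes are not a recognised image.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return ['ok' => false, 'reason' => 'not an image'];
    }
    [$width, $height, $type] = $info;
    // Trust the detected type, not the client-supplied name or MIME header.
    $allowed = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];
    if (!in_array($type, $allowed, true)) {
        return ['ok' => false, 'reason' => 'unsupported image type'];
    }
    if ($width > $maxWidth || $height > $maxHeight) {
        return ['ok' => false, 'reason' => "dimensions {$width}x{$height} exceed {$maxWidth}x{$maxHeight}"];
    }
    return ['ok' => true, 'width' => $width, 'height' => $height, 'mime' => $info['mime']];
}

// Usage in the upload handler (field name from the post; limits are placeholders):
// $result = validateUploadedImage($_FILES['file_field_name'], 1920, 1080, 2 * 1024 * 1024);
// if (!$result['ok']) {
//     http_response_code(400);
//     exit($result['reason']);
// }
```

The width and height come from the file header, so they bound what a later resize will allocate in memory only if the byte-size check is also in place; a check on dimensions alone does not tell you how large the file is.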