ajoo

Everything posted by ajoo

  1. Hi, thanks for the reply. I would like to ask, in that case, what should I use on the rest of the pages? Would a simple session_start() suffice? How safe would that be for session security? Kindly clear my doubts. Thanks!
  2. Hi all, I have been coding in PHP now for almost a year, but I still feel like a newbie when it comes to sessions!! That's an honest confession. Like many newcomers, I too came across sec_session_start(), a common function that is easily found on the net by people looking for a secure login script. Here is the function:

     function sec_session_start() {
         $session_name = 'secure_session_main';  // Set a custom session name
         $secure = false;                        // Set to true if using https.
         $httponly = true;                       // This stops javascript being able to access the session id.
         ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies.
         $cookieParams = session_get_cookie_params(); // Gets current cookie params.
         session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
         session_name($session_name);            // Sets the session name to the one set above.
         session_start();                        // Start the php session
         session_regenerate_id(TRUE);            // regenerates the session id, deletes the old one.
     }

     I used it in my login page and on the other pages of my application. It seemed to work fine, and then it started to create problems. I wrote about it on this forum. Every time I would click on a button or a link on my page, I would get logged out. I discussed that issue on this forum but no solution was found. Then I found that if I removed the (TRUE) from session_regenerate_id(), things became fine. So I removed the TRUE and proceeded, wanting to come back here at a later time, like now. I was actually quite pleased that I had found a solution to my problem. But now, while reading more on session_regenerate_id, I came across a number of articles that said that not using session_regenerate_id with the argument TRUE is not effective in preventing session hijacking, or was it session fixation. The articles, as well as some of the answers to questions in the forums, pointed out that session_regenerate_id should be used only when 1. logging in, 2. logging out & 3. when privileges change. However, I am using this sec_session_start on each and every page of my application instead of session_start(), and I want this function to use session_regenerate_id(TRUE), since that, it seems, is more effective against session attacks. The latest issue that I have encountered is the generation of an error message that says "session_regenerate_id(true) failed". I would like to ask if my using sec_session_start() on each and every page is incorrect & too frequent a use of the function. In that case, what should I use at the beginning of each of those pages to start a session? I would like to know if there is any flaw in my thought process above, and anything else related that would shed some more light on using session_regenerate_id(TRUE) in the above function. Basically, the right way to initiate a new session securely. PS - my program seems to work correctly otherwise. Even when the error "session_regenerate_id(true) failed" is generated, the variables in the application remain intact and save properly. If I remove the (TRUE) all problems seem to cease, but then, like I mentioned above, the discussions I have read say that that usage is ineffective against session attacks. Thanks loads.
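The split that the replies to post 2 describe, as an added example (editor's code, not the poster's function and not from any of the replies): every page calls a start function that only sets hardened cookie parameters and starts the session; the id is regenerated, with the old one deleted, only at login, logout and privilege changes. Regenerating with delete_old_session=true on every request is what logs a user out when a second request (an image, an AJAX call) is still in flight with the previous id. Assumed: PHP 7.3 or later for the array form of session_set_cookie_params(); the session name 'secure_session_main' is taken from the post.

```php
<?php
// Added example, not code from the forum post.
// Assumptions: PHP >= 7.3; session name taken from the post.

function sec_session_start(bool $secure): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // a second session_start() would only raise a notice
    }

    ini_set('session.use_only_cookies', '1'); // never accept an id passed in the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue (anti-fixation)

    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => $secure, // on HTTPS the id is never sent in clear
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_name('secure_session_main');
    session_start();          // no regenerate here: this runs on every page
}

// Call ONLY when the privilege level changes: successful login, logout,
// role elevation. Deleting the old id immediately is correct here because
// the login form submit is the only request carrying it.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['logged_in'] = time();
}

function on_logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage at the top of every page:
sec_session_start(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');

// In the login handler, after the password check succeeds:
// on_login((int)$row['id']);
```

The same two calls, sec_session_start() everywhere and on_login()/on_logout() at the privilege boundaries, answer the question in post 1: the per-page start does not need its own regenerate step once use_strict_mode rejects attacker-supplied ids.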
  3. Hi CroNIX, Thanks for the reply. I think I found what the problem is anyway. Thanks!
  4. Hi all! The following code has two similar queries, Query 1 and Query 2. While Query 1 works just fine, Query 2 simply fails persistently. I have not been able to figure out why. I have checked every single variable and field name but found no discrepancy of any sort, or any mismatch of spelling with the fields in the database. I would be grateful if anybody can point out what is preventing the second query from returning a valid mysqli object as the first one does. Here is the code for the two.

     <?php
     $db_host = "localhost";
     $db_user = "root";
     $db_pass = "";
     $db_database = "allscores";

     //////////////// CHECKING VARIABLE FIELDS IN AN UPDATE QUERY ////////////////
     //////////////// QUERY 1 ////////////////
     /*
     $db_database = "test";
     $db_table = "users";
     $RecNo = 1;
     $field1 = 'name';
     $field2 = 'password';
     $field3 = 'email';
     $field4 = 'id';
     $val1 = "Ajay";
     $val2 = "howzatt";
     $val3 = "me@mymail.com";
     $con = mysqli_connect($db_host, $db_user, $db_pass, $db_database) or die('Unable to establish a DB connection');
     $query = "UPDATE $db_table SET $field1 = ?, $field2 = ?, $field3 = ? WHERE $field4 = ? "; // session terminated by setting the sessionstatus as 1
     $stmt = $con->prepare($query);
     var_dump($stmt);
     $stmt->bind_param('sssi', $val1, $val2, $val3, $RecNo);
     if ($stmt->execute()) {
         $count = $stmt->affected_rows;
         echo $count;
     }
     //////////////// QUERY 1 END ////////////////
     */

     //////////////// QUERY 2 ////////////////
     $con = mysqli_connect($db_host, $db_user, $db_pass, $db_database) or die('Unable to establish a DB connection');
     $table = 'scores';
     $date = date('Y-m-d H:i:s');
     /*
     $prestr = "Mrt_M_";
     $STATUS = $prestr."Status";
     $S_R1 = $prestr."Scr_1";
     $S_R2 = $prestr."Scr_2";
     $PCT = $prestr."PPT";
     $DPM = $prestr."DSP";
     $TIMETAKEN = $prestr."TimeTaken";
     */
     $STATUS = "Mrt_M_Status";
     $S_R1 = "Mrt_M_Scr_1";
     $S_R2 = "Mrt_M_Scr_2";
     $PPT = "Mrt_M_PPT";
     $DSP = "Mrt_M_DSP";
     $TIMETAKEN = "Mrt_M_TimeTaken";
     $TimeOfLogin = $date;
     $no_of_logins = 10;
     $time_of_nLogin = $date;
     $m_scr_row1 = 5;
     $m_scr_row2 = 5;
     $m_ppt = 20;
     $m_dsp = 60;
     $m_time = 120;
     $date = $date;
     $RecNo = 24;
     $query = "UPDATE $table SET TimeOfLogin = ?, no_of_logins = ?, time_of_nLogin = ?, $S_R1 = ?, $S_R2 = ?, $PPT = ?, $DSP = ?, $TIMETAKEN = ?, $STATUS = '1', TimeOfLogout = ?, WHERE RecNo = ?";
     $stmt = $con->prepare($query);
     var_dump($stmt);
     $stmt->bind_param('sisiiddssi', $TimeOfLogin, $no_of_logins, $time_of_nLogin, $m_scr_row1, $m_scr_row2, $m_ppt, $m_dsp, $m_time, $date, $RecNo);
     if ($stmt->execute()) echo " DONE !";
     ?>

     Thanks to all
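The check that post 4 is missing, as an added example (editor's code, not the poster's). As posted, Query 2 has a comma before WHERE ("TimeOfLogout = ?, WHERE RecNo = ?"), which is a SQL syntax error: prepare() returns false for it and the server's message is left in $con->error; calling bind_param() on that false is what produces the confusing fatal error instead of the real cause. Assumed: the 'scores' table and column names are the ones in the post; the connection values are local test placeholders.

```php
<?php
// Added example, not code from the forum post.
// Assumptions: table/column names from the post; local test connection values.

function update_scores(mysqli $con, int $recNo, string $now, int $logins, int $scr1,
                       int $scr2, float $ppt, float $dsp, string $timeTaken): int
{
    // Fixed statement, one placeholder per value, no stray comma before WHERE.
    $sql = "UPDATE scores
               SET TimeOfLogin = ?, no_of_logins = ?, time_of_nLogin = ?,
                   Mrt_M_Scr_1 = ?, Mrt_M_Scr_2 = ?, Mrt_M_PPT = ?, Mrt_M_DSP = ?,
                   Mrt_M_TimeTaken = ?, Mrt_M_Status = '1', TimeOfLogout = ?
             WHERE RecNo = ?";

    $stmt = $con->prepare($sql);
    if ($stmt === false) {
        // THE check: prepare() returns false on a syntax error and the
        // reason is in $con->error. Log it server-side; do not echo raw
        // driver messages to the browser on a production site.
        error_log("prepare failed ({$con->errno}): {$con->error} | SQL: $sql");
        throw new RuntimeException('database error while preparing UPDATE scores');
    }

    // One type letter per placeholder: 10 placeholders, 10 letters.
    $stmt->bind_param('sisiiddssi', $now, $logins, $now, $scr1, $scr2, $ppt, $dsp,
                      $timeTaken, $now, $recNo);

    if (!$stmt->execute()) {
        error_log("execute failed ({$stmt->errno}): {$stmt->error}");
        throw new RuntimeException('database error while executing UPDATE scores');
    }
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Usage (local test placeholders; PHP 8.1+ additionally throws
// mysqli_sql_exception by default, so the failure cannot be ignored there either).
$con = new mysqli('localhost', 'root', '', 'allscores');
if ($con->connect_error) {
    die('Unable to establish a DB connection: ' . $con->connect_error);
}
$now = date('Y-m-d H:i:s');
echo update_scores($con, 24, $now, 10, 5, 5, 20.0, 60.0, '120'), " row(s) updated\n";
```

var_dump($stmt) printing bool(false), as it does for Query 2, is exactly this case; reading $con->error at that point names the token MySQL choked on.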
  5. Ok, I managed to find a solution, with a slight modification. Here it is:

     $btypes = array('issi');
     $bvalues = array($room_no, $bmm, $bnn, $bll);
     $params = array_merge($btypes, $bvalues);
     $refs = array();
     foreach ($params as $key => $value)
         $refs[$key] = &$params[$key];
     ...
     call_user_func_array(array($stmt, 'bind_param'), $refs);

     There are actually 3 best answers to this: Guru Barand's initially, then Guru Kicken's, and finally MacGyver's, which pointed me to call_user_func_array() for dynamically binding the variables. Thanks all!
  6. Hi all, Back again. I now tried as follows:

     $pp = "(ms.level = ? || ms.level = ?)";
     $qq = 'ms.diff <= ?';
     $mm = 'Beginner';
     $nn = 'Intermediate';
     $ll = 7;
     $room_no = 4;
     // $bmm = &$mm;
     // $bnn = &$nn;
     // $bll = &$ll;
     // $broom_no = &$room_no;
     // $bvalues = array($broom_no, $bmm, $bnn, $bll);
     $btypes = "issi";
     $types = &$btypes;
     $bvalues = array($room_no, $mm, $nn, $ll);
     $values = &$values;
     $params = array($types, $values);
     $query = "SELECT md.Member_reg_id, md.fname, md.lname, md.email, md.cell, ms.level, ms.diff, ms.score, r.ID_Status
               FROM register as r
               JOIN member_detail as md ON r.ID = md.Member_reg_id
               JOIN memstatus as ms On r.ID = ms.ID
               WHERE r.room_no = ? AND r.ID_Status = 'A' AND $pp AND $qq
               ORDER by level, diff, score DESC";
     $stmt = $fcon->prepare($query);
     call_user_func_array(array($stmt, 'bind_param'), $params);

     and this gives me the following warning: I have tried the same with a few changes as well, but I am not able to get through this. I have 4 bound parameters in the query and I have passed 4 values through the array, so I don't know why I am getting this error. Please can someone show me how to devise the params array correctly, or what might be the error here. Thanks all!
  7. Thanks Sir, I have just shifted over to mysqli prepared queries, so it will be a while before I make the transition to PDO. I have already converted more than 60% of the code to use mysqli prepared statements. I will however keep that in mind, as I have been advised by some other gurus too besides yourself. I will now look up and try out the functions that you have just suggested above. Will revert. Thanks very much!
  8. Hi All, Thanks for all the inputs. I have been trying to use them all to find a fit-all solution. I think, after a few trials, that the solution posted by Guru Kicken would work great if there is a way for the query to extract the values to be bound from an array. i.e. Can the bound variables in the statement $stmt->bind_param('iss', $room_no, $pp, $ll); be somehow replaced by an array of values like this: $stmt->bind_param('iss', $param[]); This was suggested by Guru Kicken. So I request Guru Kicken or anyone to suggest a simple way to "bind whatever is in the params" to the query using an array. However, the length of the array would vary depending upon the conditions involved. That should solve this quite elegantly. Thanks all!
  9. Hi Mac_gyver, Well, the values come from two drop-down menus where the user selects these values. 1. The Level dropdown has three values as of now: 1. All, 2. Beginner, 3. Intermediate, and will have one more value, Expert, eventually. 2. Diff is another dropdown and has the values 1. All and the numbers from 1 to 10 (hence 11 values in the dropdown). The user selects from these menus and the output displays the records accordingly. By default both Level and Diff have a default value of All, i.e. Level = Beginner OR Level = Intermediate and Diff <= 10. I hope this helps. If anyone has a better idea on implementing such queries in a more elegant manner then please share it with me. Thanks loads everyone.
  10. Hi Kicken. Thanks for the clarification. However, after some testing, I do feel that if there are a number of conditions that the query must handle, it would result in a rather awkward solution. Is there by any chance a better way to handle such queries? Thanks again!
  11. Hi Guru Barand, Thanks loads for that. The problem is that $pp and $ll in the original query were handling the query to deal with different conditions, where the strings created different conditionals. For example:

     $pp = "(ms.level = 'Beginner' || ms.level = 'Intermediate')";
     $pp = "ms.level = '$dd_level'"; // where dd_level can be one of the three values 'Beginner', 'Intermediate' or 'Expert'

     Similarly, the value of Diff can be <7 or it can be any one of the values from 1 to 7. So

     $ll = "ms.Diff <= 7";
     or
     $ll = "ms.Diff = 3";

     Thus the same query was able to handle so many situations. How can I achieve something like that here using prepared statements? Thanks very much.
  12. Hi all!, I am stuck on the following piece of code, which does not give an error nor does it give a result (i.e. it gives 0 num_rows, which should be > 1). If, however, I execute the query in phpMyAdmin by simply substituting the values of $pp, $ll and $room_no in the query, it gives the correct result. Please can someone tell me what I may be doing wrong here. Thanks!

     $fcon = mysqli_connect($db_host, $db_user, $db_pass, $db_database) or die('Unable to establish a DB connection');
     $pp = "(ms.level = 'Beginner' || ms.level = 'Intermediate')";
     $ll = 'ms.diff <= 7';
     $room_no = 4;
     $query = "SELECT md.Member_reg_id, md.fname, md.lname, md.email, md.cell, ms.level, ms.diff, ms.score, r.ID_Status
               FROM register as r
               JOIN member_detail as md ON r.ID = md.Member_reg_id
               JOIN memstatus as ms On r.ID = ms.ID
               WHERE r.CENTERCODE = ? AND r.ID_Status = 'A' AND ? AND ?
               ORDER by level, diff, score DESC";
     $stmt = $fcon->prepare($query);
     $stmt->bind_param('iss', $room_no, $pp, $ll);
     if (!$stmt->execute())
         die('Failed to execute the query' . $fcon->error);
     else {
         echo "Executed";
         $stmt->bind_result($Member_reg_id, $fname, $lname, $email, $cell, $level, $diff, $score, $ID_Status);
         $numrows = $stmt->num_rows;
         $stmt->store_result();
         // echo $numrows;
         while ($stmt->fetch()) {
             echo "<br>" . $fname . ' ' . $lname;
             echo "<br>" . $level;
             echo "<br>" . $diff;
             echo "<br>" . $score;
             echo "<br>" . $cell;
             echo "<br>" . $email;
         }
     }
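The thread in posts 5 to 12 above, worked through as one added example (editor's code, not the poster's and not any replier's). A placeholder can only stand for a value: binding 'ms.diff <= 7' to "AND ?" makes MySQL evaluate the string 'ms.diff <= 7' as a boolean, so the query in post 12 runs without error and matches nothing. The structure of the WHERE clause (which column, which operator, how many values) has to be chosen in PHP from a fixed set, and only the user's values go through bind_param(); PHP's argument unpacking then replaces the call_user_func_array()/reference dance from posts 5 and 6. Assumed: table and column names from the thread, r.room_no as in post 6; the dropdown values from post 9 plus the future Expert level; PHP 7.1 or later with mysqlnd for get_result(); the connection values are local placeholders.

```php
<?php
// Added example, not code from the forum thread.
// Assumptions: schema names from the thread; dropdown values from post 9;
// PHP >= 7.1 with mysqlnd; local test connection values.

function build_member_query(int $roomNo, string $level, string $diff): array
{
    $levels = ['Beginner', 'Intermediate', 'Expert']; // whitelist lives in code, never in input
    $sql = "SELECT md.Member_reg_id, md.fname, md.lname, md.email, md.cell,
                   ms.level, ms.diff, ms.score, r.ID_Status
              FROM register AS r
              JOIN member_detail AS md ON r.ID = md.Member_reg_id
              JOIN memstatus AS ms ON r.ID = ms.ID
             WHERE r.room_no = ? AND r.ID_Status = 'A'";
    $types  = 'i';
    $params = [$roomNo];

    if ($level === 'All') {
        // one placeholder per allowed value; the list is the whitelist itself
        $sql   .= ' AND ms.level IN (' . implode(',', array_fill(0, count($levels), '?')) . ')';
        $types .= str_repeat('s', count($levels));
        $params = array_merge($params, $levels);
    } elseif (in_array($level, $levels, true)) {
        $sql     .= ' AND ms.level = ?';
        $types   .= 's';
        $params[] = $level;
    } else {
        throw new InvalidArgumentException('unknown level');   // not in the dropdown: reject
    }

    if ($diff === 'All') {
        $sql     .= ' AND ms.diff <= ?';
        $types   .= 'i';
        $params[] = 10;
    } elseif (ctype_digit($diff) && (int)$diff >= 1 && (int)$diff <= 10) {
        $sql     .= ' AND ms.diff = ?';
        $types   .= 'i';
        $params[] = (int)$diff;
    } else {
        throw new InvalidArgumentException('diff must be All or 1-10');
    }

    $sql .= ' ORDER BY ms.level, ms.diff, ms.score DESC';
    return [$sql, $types, $params];
}

function fetch_members(mysqli $con, int $roomNo, string $level, string $diff): array
{
    [$sql, $types, $params] = build_member_query($roomNo, $level, $diff);
    $stmt = $con->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    // Unpacking a variable array passes its elements by reference, which is
    // what bind_param() needs; the types string has one letter per element.
    $stmt->bind_param($types, ...$params);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage: dropdown values straight from the form, with room 4 as in the thread.
$con  = new mysqli('localhost', 'root', '', 'allscores');
$rows = fetch_members($con, 4, $_POST['level'] ?? 'All', $_POST['diff'] ?? 'All');
foreach ($rows as $row) {
    // escape on output; the database content is untrusted as far as the browser is concerned
    echo htmlspecialchars($row['fname'] . ' ' . $row['lname'], ENT_QUOTES, 'UTF-8'), ' ',
         htmlspecialchars($row['level'], ENT_QUOTES, 'UTF-8'), ' ', (int)$row['diff'], "<br>\n";
}
```

Adding a fourth dropdown means one more branch appending to $sql, $types and $params; the whitelist stays in the code, so a crafted value in the request can only fail the in_array()/ctype_digit() check, never reach the SQL text.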
  13. Thanks again!! Just wanting to clear all doubts.
  14. Hi Jacques, Thanks for that once again. Such an oversight on my part. I thought it was store_result() instead of bind_result and fetch() that was to be executed outside the function. It has worked. Thanks for the advice on switching to PDO. I will keep that in mind but will reserve that for later. Since your advice on filtered variables I have changed all files to mysqli prepared statements. I don't have the heart or the time right now to change it all once again. But I will keep it in mind. My function is correct with the values being passed like you mentioned. Thanks very much! Much obliged.
  15. Hi Jacques, Thanks once again for this reply. I have just tried out the second method you described above, to use the raw stmt returned by the function. I still get nothing but a null array. Maybe I am misunderstanding what you mean by raw statement. Here is what I did:

     function display_all() {
         $query = "SELECT one, two, three four, index1 FROM numbers WHERE index1 = ? LIMIT 0, 10";
         $stmt = $conn->prepare($query);
         $stmt->bind_param('i', $var);
         if ($stmt->execute()) {
             $stmt->bind_result($one, $two, $three, $four, $index1);
         }
         return ($stmt);
     }

     bound the result and returned $stmt. And in the main:

     $stmt->store_result();
     $stmt->fetch();

     but I still get null values. Kindly guide. Thanks
  16. Hi, Thanks Jacques, All the information provided by you has been very valuable. There are so many answers that can be marked as best, but I would like to mark the one just above this as the best since it answers most of the original question about validation of constraints. However, I would just like to ask once again, in the context of the examples above, would it not be OK to use the inbuilt PHP validation function for checking the 'age'? Thanks!
  17. Hi all! I have a piece of code here:

     $result = display_all($fcon, $var1, $var2);

     function display_all($fcon, $var1, $var2) { // defined in another file
         $query = "SELECT one, two, three four, index1, index2 FROM numbers WHERE index1 = $var1 LIMIT 0, 1";
         $result = mysqli_query($fcon, $query);
         return ($result);
     }

     and then I use the returned variable $result to display the value as follows:

     while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC)) {
         echo "<tr>";
         echo "<td>" . $one . "</td>";
         echo "<td>" . $two . "</td>";
         echo "<td>" . $three . "</td>";
         echo "<td>" . $four . "</td>";
         echo "<td>" . $index1 . "</td>";
         echo "</tr>";
     }

     and this displays the n rows of data returned. Now I have started using prepared statements and the function is now:

     function display_all() {
         $query = "SELECT one, two, three four, index1 FROM numbers WHERE index1 = ? LIMIT 0, 10";
         $stmt = $conn->prepare($query);
         $stmt->bind_param('i', $var);
         if ($stmt->execute()) {
             $stmt->bind_result($one, $two, $three, $four, $index1);
             $stmt->store_result();
         }
         return ($stmt);
     }

     However, the returned $stmt object is unable to display the n rows of data, since it shows null values. I assume that this is not the right way to use the $stmt object to display data. I must be missing something. So I request you guys to help me with this. Thanks loads.
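Why the returned $stmt in posts 15 and 17 shows nulls, and the two ways out that the replies in post 14 refer to, as an added example (editor's code, not the poster's). bind_result() ties the result columns to whatever variables are in scope when it is called; inside display_all() those are locals that disappear when the function returns, so the caller's $one, $two, ... are never written. Either return plain rows from the function, or return the executed statement and call bind_result()/fetch() in the caller's scope. Assumed: table 'numbers' and its columns from the post, with the missing comma after 'three' added; PHP 7.0 or later with mysqlnd for get_result(); local test connection values.

```php
<?php
// Added example, not code from the forum post.
// Assumptions: table/columns from the post; PHP >= 7.0 with mysqlnd; local test connection.

// Option 1: the function owns the query, the caller owns the rows.
function display_all(mysqli $conn, int $index1, int $limit = 10): array
{
    $stmt = $conn->prepare('SELECT one, two, three, four, index1 FROM numbers WHERE index1 = ? LIMIT ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('ii', $index1, $limit);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows; // plain arrays: nothing is bound to a local, nothing is lost on return
}

// Option 2 (no mysqlnd, so no get_result()): return the executed statement
// and let the CALLER bind its own variables before fetching.
function display_all_stmt(mysqli $conn, int $index1): mysqli_stmt
{
    $stmt = $conn->prepare('SELECT one, two, three, four, index1 FROM numbers WHERE index1 = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('i', $index1);
    $stmt->execute();
    $stmt->store_result(); // buffer the rows so num_rows is valid and the connection is free
    return $stmt;
}

$conn = new mysqli('localhost', 'root', '', 'test');
if ($conn->connect_error) {
    die('Unable to establish a DB connection: ' . $conn->connect_error);
}

// Option 1 in use: the table body the post was building.
echo "<table>\n";
foreach (display_all($conn, 1) as $row) {
    echo '<tr>';
    foreach (['one', 'two', 'three', 'four', 'index1'] as $col) {
        // escape every value on output; DB content is untrusted as far as the browser is concerned
        echo '<td>', htmlspecialchars((string)$row[$col], ENT_QUOTES, 'UTF-8'), '</td>';
    }
    echo "</tr>\n";
}
echo "</table>\n";

// Option 2 in use: bind_result() here, so $one ... $index1 are the caller's variables.
$stmt = display_all_stmt($conn, 1);
$stmt->bind_result($one, $two, $three, $four, $index1);
echo $stmt->num_rows, " row(s)\n";
while ($stmt->fetch()) {
    echo htmlspecialchars("$one $two $three $four $index1", ENT_QUOTES, 'UTF-8'), "\n";
}
$stmt->close();
```

Option 1 also keeps the per-row variables out of the global scope, which is what made the original mysqli_query() version in post 17 hard to follow.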
  18. Hi, Thanks all, Sorry I have returned here after some time. Thank you Jacques for all that information and the example of injection via email. I am changing the code to now use mysqli prepared statements. I still would like to implement the constraint validation though, and on the server side. Since I always learn faster via an example, I would once again request a server-side validation example for a variable that may have an integer value from 1 to 100 and a string with a max length of 30 characters (to validate for 30 English characters and not 1000 Chinese characters). Say, for example, a form that sends the name (max 30 characters in length) and age (max 100 years). Thanks very much!
  19. Hi Jacques and all, Thanks again for the reply. I have been reading and trying to understand what you are saying here. Actually, I just want to validate data (not sanitize it) and mostly use filter_input validation functions, but there is none for strings and so I had to use the SANITIZE in my example. Besides, like I said earlier, I was just looking to check / validate that the string length was within limits. One, I would like to ask how it is possible to use a perfectly legal email ID to carry out any attack, SQL injection or any other kind? What I gather is that if we do not use any kind of filters we are good if we use prepared statements for MySQL queries. And we must escape all HTML output (strings) with htmlspecialchars, htmlentities, etc. and other such functions. If we are doing this then there is no need to filter the input. Is that correct? Sorry if I sound so confused, but then security is an extremely confusing topic. And there is everybody - well almost - cautioning to use filters. Thanks for the answers. Look forward to some more.
  20. Hi all! Oh wow! So many replies. Hi Jacques. Thanks again for cautioning me not to use filter_input. I am dying to drop it, but kindly suggest an alternative. Yes, the charset is UTF-8. The goal is to have safe user input in a form which has the following fields: 1. Userlogin, which I wish to limit to 40 characters (as also the length of the VARCHAR in the database). That was the reason for wanting to use the string length. 2. Password. 3. Names. 4. Address fields. 5. Gender. 6. Phones. 7. Cell phones. 8. City, State and Country. 9. Email. As you can see, all of these are required to be alphanumeric strings, and some of them require characters like '.', '-', '+', '_', and maybe some more. I would like to limit the length of most of these strings. For example, I would like the phone string not to exceed, say, 13 characters. I am also using the inbuilt filters for INTEGERS and EMAILS, and a REGEX for the gender field. So if FILTER_SANITIZE_STRING is wrong, and I am sure it is if you say so & as also explained by you, I'd like to ask you how we should filter these then, to ensure that they are safe or at least have lengths within the ranges that we want them to be? And yes, I am changing all mysql statements to mysqli prepared statements. Thanks again all for the replies and looking forward to some more.
  21. Hi all, The output of the following line of code, where user is Jack1234, $user = filter_input(INPUT_POST, 'user', FILTER_SANITIZE_STRING); using var_dump is string 'Jack1234' (length= I would like to know if there is some way we can use/retrieve the length value of the string that is displayed in the output, or verify the string length against it. Thanks.
  22. Hi Guru Barand, Does that mean that we can simply use a higher value in the max_range in the options array of filter_var and it would do the trick? Thanks again!
  23. Thanks Guru Barand, That answers it all! I have already changed the query to this form. Will include the active in the query too. Thanks for outlining the benefits of this structure.
  24. Hi, Is there any way to use the inbuilt filter functions in PHP to filter for integer values greater than 256? All examples that I saw had a max_range of 256. Kindly suggest. Thanks.
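The server-side validation requested in posts 18 to 21 and the integer range question from posts 22 and 24, as one added example (editor's code, not the poster's and not from any reply). Validation rejects input that does not meet the constraint; it does not "sanitize" it. Escaping belongs to the output layer (htmlspecialchars) and parameter binding to the query layer, which is why a syntactically valid e-mail address is harmless to a prepared statement and still needs escaping when echoed. FILTER_VALIDATE_INT takes whatever min_range/max_range the options array carries; 256 in the examples the poster saw was just that example's limit. Assumed: UTF-8 input as stated in post 20; the field names name/age/email are the example's own; PHP 7.1 or later with the mbstring extension; the sample submissions are constructed, not real data.

```php
<?php
// Added example, not code from the forum thread.
// Assumptions: UTF-8 form input; PHP >= 7.1 with mbstring; constructed sample data.

function validate_age($raw): ?int
{
    // FILTER_VALIDATE_INT honours any min_range/max_range; returns false on
    // non-integers ('42abc', '4.2', arrays) and on out-of-range values.
    $age = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 100],
    ]);
    return $age === false ? null : $age;
}

function validate_name($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $name = trim($raw);
    // strlen() counts bytes: a 2-character Chinese name is 6 bytes in UTF-8.
    // mb_strlen() counts characters, which is what a VARCHAR(30) limit on a
    // utf8mb4 column actually means.
    if ($name === '' || mb_strlen($name, 'UTF-8') > 30) {
        return null;
    }
    // Letters and combining marks from any script, plus space, apostrophe,
    // hyphen and period. The /u flag makes the classes operate on UTF-8
    // characters and makes preg_match() fail on invalid UTF-8 byte sequences.
    if (!preg_match('/^[\p{L}\p{M} .\'\-]+$/u', $name)) {
        return null;
    }
    return $name;
}

function validate_email($raw): ?string
{
    $email = filter_var(is_string($raw) ? trim($raw) : '', FILTER_VALIDATE_EMAIL);
    // A valid address is still an arbitrary string to the database and the
    // browser: it goes through bind_param() and htmlspecialchars() like any other.
    return ($email === false || mb_strlen($email, 'UTF-8') > 254) ? null : $email;
}

// Validate the whole form and collect field-level errors instead of dying on the first.
function validate_form(array $post): array
{
    $errors = [];
    $clean  = [
        'name'  => validate_name($post['name'] ?? null),
        'age'   => validate_age($post['age'] ?? null),
        'email' => validate_email($post['email'] ?? null),
    ];
    if ($clean['name'] === null)  { $errors['name']  = 'Name must be 1-30 letters.'; }
    if ($clean['age'] === null)   { $errors['age']   = 'Age must be a whole number from 1 to 100.'; }
    if ($clean['email'] === null) { $errors['email'] = 'Enter a valid e-mail address.'; }
    return [$errors, $clean];
}

// Constructed sample submissions (not real data):
$samples = [
    ['name' => 'Ajay',                  'age' => '42',  'email' => 'me@mymail.com'], // accepted
    ['name' => str_repeat('张', 31),    'age' => '300', 'email' => 'not-an-email'],  // 31 chars, 93 bytes; out of range
    ['name' => "Robert'); DROP TABLE users;--", 'age' => '7', 'email' => 'a@b.co'], // fails the letters-only rule
];
foreach ($samples as $post) {
    [$errors, $clean] = validate_form($post);
    echo $errors ? 'rejected: ' . implode(' ', $errors)
                 : 'accepted: ' . json_encode($clean, JSON_UNESCAPED_UNICODE), "\n";
}
```

The third sample is rejected by the name rule, not because it is dangerous to a prepared statement (it is not), but because it is not a name; keeping those two concerns apart is the distinction the thread in posts 19 and 20 was circling.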