NotionCommotion

Everything posted by NotionCommotion

  1. Thanks Kicken, I had just stumbled upon this and am starting to experiment.
  2. I expected the following script to display a single cookie on the main page (cookie_2), and both the main page cookie and the subdomain cookie (cookie_3) within the iframe. In actuality, the main page was as expected, but the iframe only displays cookie_3. Can anyone explain what I am witnessing, and why the subdomain wouldn't be able to access the cookie set in the parent?

     <?php
     // Cookie name ends in the number of dot-separated labels in the request host,
     // e.g. cookie_2 for mysite.com and cookie_3 for test.mysite.com
     setcookie("cookie_".count(explode('.', $_SERVER['HTTP_HOST'])), 'Hello from '.$_SERVER['HTTP_HOST']);
     echo('<pre>'.print_r($_COOKIE,1).'</pre>');
     ?>
     <iframe src="http://test.mysite.com/testing/cookietest.php"></iframe>
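The cookie scoping asked about in the post above, as an added example that is not from the original post or the forum: a small PHP model of the browser's domain-match rule from RFC 6265, run against the hosts in the post; the cookie labels and the `notmysite.com` host are constructed.

```php
<?php
// Added example, not code from the original post. Models the browser's cookie
// domain-match rule (RFC 6265, sections 5.1.3 and 5.3). Host names are the ones
// in the post; the cookie labels are constructed.

/** Does $host equal $domain or sit below it on a label boundary? */
function domainMatches(string $host, string $domain): bool
{
    $host   = strtolower($host);
    $domain = strtolower(ltrim($domain, '.'));   // a leading dot is ignored by browsers
    if ($host === $domain) {
        return true;
    }
    $suffix = '.' . $domain;                     // "mysite.com" must not match "notmysite.com"
    return strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix;
}

/** Would a cookie set by $settingHost (with the given Domain attribute) be sent to $requestHost? */
function cookieIsSentTo(string $requestHost, string $settingHost, ?string $domainAttr): bool
{
    if ($domainAttr === null || $domainAttr === '') {
        // No Domain attribute (what setcookie() emits by default): a host-only cookie,
        // returned solely to the exact host that set it, never to its subdomains.
        return strtolower($requestHost) === strtolower($settingHost);
    }
    if (!domainMatches($settingHost, $domainAttr)) {
        return false;                            // browser rejects a Domain that does not cover the setter
    }
    return domainMatches($requestHost, $domainAttr);
}

$cases = [
    ['cookie_2, host-only, set by mysite.com',      'mysite.com',      null,              'test.mysite.com'],
    ['cookie_3, host-only, set by test.mysite.com', 'test.mysite.com', null,              'test.mysite.com'],
    ['cookie_2 with Domain=.mysite.com',            'mysite.com',      '.mysite.com',     'test.mysite.com'],
    ['Domain=.mysite.com, unrelated host',          'mysite.com',      '.mysite.com',     'notmysite.com'],
    ['mysite.com setting Domain=test.mysite.com',   'mysite.com',      'test.mysite.com', 'test.mysite.com'],
];
foreach ($cases as [$label, $setter, $domain, $target]) {
    printf("%-46s -> %-16s %s\n", $label, $target,
        cookieIsSentTo($target, $setter, $domain) ? 'sent' : 'not sent');
}

// To share the parent cookie with every subdomain, pass the domain to setcookie().
// Every subdomain can then read and overwrite it, so only do this on purpose.
// setcookie('cookie_2', 'Hello from mysite.com', 0, '/', '.mysite.com');
```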
  3. I could get the desired functionality without using session_name() at all. It just seems too simple, and I think I am missing something.

     <?php
     // script 2. Will be accessed as http://two.one.example.com
     $t=time();

     //Access the primary session for script 2
     session_name('SESSION2');
     session_start();
     $_SESSION['s2_'.(2*$t)]=2*$t;
     echo("SESSION2<pre>".print_r($_SESSION,1)."</pre>");

     //Use session created by script 1
     session_write_close();
     //$NAME_session2 = session_name('SESSION1');
     if(isset($_COOKIE['SESSION1'])) {
         // session_id($new) returns the previous id, so $ID_session2 keeps SESSION2's id
         $ID_session2 = session_id($_COOKIE['SESSION1']);
     } else {
         $ID_session2 = session_id();
     }
     session_start();
     if(!isset($_COOKIE['SESSION1'])) {
         // No SESSION1 cookie yet: give this session a new id. This has to run after
         // session_start(); called before it, session_regenerate_id() has no active
         // session to act on and just fails.
         session_regenerate_id();
     }
     echo("SESSION1<pre>".print_r($_SESSION,1)."</pre>");

     //Go back to primary session
     session_write_close();
     $ID_session1 = session_id($ID_session2);
     //$NAME_session1 = session_name($NAME_session2);
     session_start();
     echo("SESSION2<pre>".print_r($_SESSION,1)."</pre>");
     echo("ID_session2: $ID_session2<br>");
     //echo("NAME_session2: $NAME_session2<br>");
     echo("ID_session: $ID_session1<br>");
     //echo("NAME_session1: $NAME_session1<br>");
     ?>
  4. I believe the reply to the previous thread was that I should not attempt to pass session IDs over the URL. As far as why, I have one subdomain administrator.subsite.example.com, and a second subdomain preview.administrator.subsite.example.com. The second subdomain will confirm that the user has previously logged on to the first subdomain. Putting aside whether it should be implemented or not, I am stumped on why I am seeing this behavior. Any ideas?
  5. I have two scripts: script1.php and script2.php. Script1 creates (if it doesn't already exist) and adds to a session named "SESSION1" and displays it. Script2 similarly adds to a session named "SESSION2", but then needs to display the session used by the first script (i.e. SESSION1), and then goes back to its original session (SESSION2). Script1 works perfectly. But when Script2 is executed, it changes the session ID in the SESSION1 cookie to the same value as used in its SESSION2 cookie. If Script1 is later executed, it obviously lost its previous session values as it is now using a new session ID. If I comment out the two session_name() lines, it will not overwrite the other session; however, this doesn't provide the functionality I need. What is causing this and how do I prevent it?

     script1.php

     <?php
     // script 1. Will be accessed as http://one.example.com
     $t=time();
     //Access the primary session for script 1
     session_name('SESSION1');
     session_start();
     $_SESSION['s1_'.$t]=$t;
     echo("SESSION1<pre>".print_r($_SESSION,1)."</pre>");
     ?>

     script2.php

     <?php
     // script 2. Will be accessed as http://two.one.example.com
     $t=time();
     //Access the primary session for script 2
     $default_name=session_name('SESSION2');
     session_start();
     $_SESSION['s2_'.(2*$t)]=2*$t;
     echo("SESSION2<pre>".print_r($_SESSION,1)."</pre>");
     //Use session created by script 1
     $old_id_script2 = session_id();
     session_write_close();   // writes SESSION2 out, but leaves its id in place
     $old_name_script2 = session_name('SESSION1');
     session_start();         // reuses the SESSION2 id under the SESSION1 name, hence the overwritten cookie
     echo("SESSION1<pre>".print_r($_SESSION,1)."</pre>");
     //Go back to primary session
     session_write_close();
     $old_id_script1 = session_id($old_id_script2);
     $old_name_script1 = session_name($old_name_script2);
     session_start();
     echo("SESSION2<pre>".print_r($_SESSION,1)."</pre>");
     echo("default_name: $default_name<br>");
     echo("old_id_script2: $old_id_script2<br>");
     echo("old_name_script2: $old_name_script2<br>");
     echo("old_id_script1: $old_id_script1<br>");
     echo("old_name_script1: $old_name_script1<br>");
     ?>
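A way to switch between the two named sessions from the posts above (SESSION1 and SESSION2) without the overwrite, as an added example that is not the thread's own code: the cause noted in the comments is that session_write_close() keeps the current id set, and the 'user' key read from SESSION1 is assumed.

```php
<?php
// Added example, not code from the original post. Helper for switching between
// the two named sessions (SESSION1, SESSION2) within one request.
// Why script2 overwrote SESSION1: session_write_close() does not clear the id,
// so the next session_start() under session_name('SESSION1') reused the SESSION2
// id and sent it back in a SESSION1 cookie. The fix is to set the id explicitly.

/**
 * Close the active session (if any) and open the one named $name.
 * $knownId: id to reuse when this request created that session itself
 * (no cookie for it exists yet). Returns the id that is now active.
 */
function switchSession(string $name, ?string $knownId = null): string
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();                 // flushes data, but PHP keeps the old id
    }
    session_name($name);
    $id = $knownId ?? ($_COOKIE[$name] ?? '');
    // Accept only something shaped like a PHP session id; a malformed or missing
    // value gets a fresh random id instead of the leftover one or a chosen one.
    if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
        $id = bin2hex(random_bytes(16));       // session_create_id() on PHP >= 7.1
    }
    session_id($id);                           // with session.use_strict_mode, unknown ids are replaced anyway
    session_start();
    return session_id();
}

// Usage mirroring script2.php: work in SESSION2, look at SESSION1, come back.
$id2 = switchSession('SESSION2');
$_SESSION['s2_' . time()] = time();

$id1 = switchSession('SESSION1');
$loggedOn = isset($_SESSION['user']);          // read-only look at the other session; key is assumed
echo "SESSION1 id $id1, logged on: " . ($loggedOn ? 'yes' : 'no') . "\n";

switchSession('SESSION2', $id2);               // SESSION2 keeps its own id; the SESSION1 cookie is untouched
echo 'SESSION2 id ' . session_id() . "\n";
```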
  6. Wow, you're not kidding! Thank you. Do this before every rewrite rule? I either misunderstand, or I don't think so. It is only required once. Thanks, I did not know that. So, I could use <script src="//someOneElesesSite.com/script.js"></script>, and it will use the same protocol as the one the browser is viewing it with? Nice! Why, however, wouldn't one just use <script src="/script.js"></script> if it was the currently viewed site? Never used it before. I will check it out. You know, I've never used filter_var(). Thanks! Looks like it will greatly simplify my scripts. While your post was very helpful, I think it is missing the actual main topic of my question. Let's say I enter https://example.com/page1/controller1 into the browser, but /page1 is not a directory in the root directory (/var/www/html); instead, the request is rewritten to https://example.com/index.php?page=page1&controller=controller1 where index.php is located in the root directory. If within index.php I include the following tag, <img alt="#" src="someImage.png">, will it expect the image to be located in /var/www/html or /var/www/html/page1/controller1? What is the proper way to add extra GET variables to the URI https://example.com/page1/controller1 where page1 and controller1 will be rewritten by mod_rewrite as GET variables to index.php?
  7. I would like to better understand relative and absolute paths when rewriting URLs. My virtual host configuration is shown below. I wish the server to see something like:

     https://example.com?page=page1&controller=controller1&data1=123&data2=321

     Given the rewrites as shown in my virtual host, what would be the proper URL in the browser? One of these (note the ? and &), or something different?

     https://example.com/page1/controller1?data1=123&data2=321
     https://example.com/page1/controller1&data1=123&data2=321

     Next, if I enter one of the URLs, how do relative paths to images, etc. work? Would the browser think it is in the root directory, or in /page1/controller1? I had problems with relative paths, and changed to absolute paths, and it fixed the problem, but I wish to better understand what is happening. On a side note, I would appreciate any critique of my virtual host configuration. My goal is for all requests to example.com to redirect to https://example.com, for only https://example.com (no subdomain) to redirect to https://www.example.com, and to do the rewriting of page and controller. Thank you

     # Note that if a virtual ServerName is not found (i.e. IP 192.168.1.200), Apache defaults to first virtual host.
     # Note that if ServerName is set to one of the virtual host ServerName's in the Second Section, it doesn't work (why?)

     # Handle just example.com to http
     <VirtualHost *:80>
         ServerName example.com
         ServerAlias *.example.com
         Redirect / https://www.example.com/
     </VirtualHost>

     # Handle just example.com without subdomains
     <VirtualHost *:443>
         ServerName example.com
         # ServerAlias example.com
         SSLEngine on
         SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
         SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
         SSLCertificateFile /etc/pki/tls/certs/example_startssl.crt
         SSLCertificateChainFile /etc/pki/tls/certs/sub.class1.server.ca.pem
         Redirect / https://www.example.com/
     </VirtualHost>

     <VirtualHost *:443>
         ServerName example.com
         ServerAlias *.example.com
         DocumentRoot /var/www/example/html
         SSLEngine on
         SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
         SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
         SSLCertificateFile /etc/pki/tls/certs/example_startssl.crt
         SSLCertificateChainFile /etc/pki/tls/certs/sub.class1.server.ca.pem
         <Directory "/var/www/example/html">
             allow from all
             Options +Indexes
             <IfModule mod_rewrite.c>
                 RewriteEngine On
                 RewriteBase /
                 # Are these lines necessary, or should I create a virtual host for http on port 80 instead?
                 RewriteCond %{HTTPS} !=on
                 RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
                 ## If the request is for a valid directory, file, or link, don't do anything
                 RewriteCond %{REQUEST_FILENAME} -d [OR]
                 RewriteCond %{REQUEST_FILENAME} -f [OR]
                 RewriteCond %{REQUEST_FILENAME} -l
                 RewriteRule ^ - [L]
                 #remove the trailing slash
                 RewriteRule (.+)/$ $1
                 # If you add this first rule to support views, be sure to remove the QSA flag from the second rule (maybe not required since the first rule has the L flag)
                 #replace mypage/mycontroller with index.php?page=mypage&controller=mycontroller
                 RewriteRule ^([^/]+)/([^/]+)/?$ index.php?page=$1&controller=$2 [L,QSA]
                 #replace mypage with index.php?page=mypage
                 RewriteRule ^([^/]+)/?$ index.php?page=$1 [L,QSA]
             </IfModule>
         </Directory>
     </VirtualHost>
  8. You better work on that
  9. Definitely an option and maybe your best, but if so, you might need to give someone access to your server which is never great. Before doing so, you might wish to try some quick checks. Do what ginerjm recommended, and then echo the query before PHP tries to execute it and post the query. Or better yet, if you have access to your database, directly insert the query and see your response.
  10. Your first part of PHP checks if it was a POST request, and if so inserts some data in your DB. I recommend changing the following: Define $zr. Do some validation to confirm your POST data is correct. Put exit() after your header. You then have your second PHP section which again checks if the POST data is set. You will never see this as the previous header is redirecting (however, the script will continue since you did not exit). If you really want both in one query, add different names to your submit buttons and check which one is set. Also, when setting $us equal to $_SESSION['user'], you should first check if it is set. Thanks, you also taught me two things: 1) that I could put multiple arguments in isset(), and 2) that if the submit button doesn't have a value, it defaults to "Submit Query"
  11. I agree about the benefits of the unique constraint. However, it would be nice to warn the user that the username is taken before the submit. I typically do a validation SELECT (on the username but not the password) beforehand, and fail the user if, on the rare occasion, the insert doesn't go.
  12. Not saying I disagree or not, just that there seems to be no perfect solution. Even if I do it the way I believe you feel it should be done, I have potential URLs like secure.payment.sites.mysite.com which can definitely be phishing abused.
  13. Well, I'm kinda nice. For hashing, I used to use http://www.openwall.com/phpass/; however, I now think http://php.net/manual/en/function.password-hash.php is preferred. In regards to Jacques' comments about injection, addressing it is VERY important. Your current approach can allow someone to easily delete your entire database, or worse. For an easy fix, look into PDO and prepared statements.
  14. Ha ha, I saw the original post, and knew you couldn't resist!
  15. I start off by always checking my $_GET/$_POST/etc array, and making sure the data I expect is there. Next, check the query, and make sure it works directly with your database. I either echo to the browser, or use syslog().
  16. Tom, there are about a million and maybe more ways to do this. What do you want regarding the user experience? A link next to each user? A select menu to select the user? An autocomplete to select the user? A checkbox next to each user? Or something else? Once you decide on this, there are many ways to implement it; however, fortunately fewer than a million.
  17. Don't know if I know what is best, but I can tell you how I do it. Single quotes when there is not much to insert, or if the inserted stuff is constants or static properties. Double quotes otherwise, and always put curly brackets around it even when not necessary. For the official answer, see http://php.net/manual/en/language.types.string.php.
  18. PS. This was not directed to Jacques1, but to the endless journey to provide secure systems.
  19. Ugg, when does it end? Assuming Michael is a good guy and he selects "admin" as his admin domain, and the "safe" subdomain is "sites" which the user cannot affect, his sites could be:

      michael.public.mysite.com
      michael.admin.mysite.com
      public.michael.mysite.com
      admin.michael.mysite.com
      michael.public.sites.mysite.com
      michael.admin.sites.mysite.com
      public.michael.sites.mysite.com
      admin.michael.sites.mysite.com

      But, if a bad guy comes along, they could be:

      payment.public.mysite.com
      payment.secure.mysite.com
      public.payment.mysite.com
      secure.payment.mysite.com
      payment.public.sites.mysite.com
      payment.secure.sites.mysite.com
      public.payment.sites.mysite.com
      secure.payment.sites.mysite.com

      Yes, I see a little benefit by putting the "sites" subdomain in. Which is best assuming we are including the "sites" subdomain? If we go without the "sites" subdomain, is the answer basically the same? Would I be best using mysite.com for signup and payment, and mysite.net for all the user's sites?
  20. You're welcome! It is easy to make a silly mistake with relative paths. require() or require_once() (which you want for your situation) at least make the mistake obvious.
  21. Check whether they are logged on (i.e. is a session set, etc.). If not:

      header("Location: goAway.php");
      exit;

      http://php.net/manual/en/function.header.php
  22. I always store my queries as a string like Barand recommends. I also typically use PDO's prepared statements, and use the following class to view the queries when troubleshooting:

      /**
       * Substitute bound values into a prepared-statement SQL string, for
       * display while troubleshooting only; the result is never executed.
       */
      public static function showQuery($sql, $data)
      {
          $keys = array();
          $values = array();
          # build a regular expression for each parameter
          foreach ($data as $key=>$value) {
              if (is_string($key)) {
                  // named placeholder; \b stops :id from also matching :identifier
                  $keys[] = '/:'.preg_quote(ltrim($key, ':'), '/').'\b/';
              } else {
                  $keys[] = '/[?]/';   // positional placeholder, one replaced per pattern
              }
              //if(is_numeric($value)) {$values[] = intval($value);}
              if (is_numeric($value)) {
                  $values[] = $value;
              } else {
                  // escape \ and $ so the value is not read as a back-reference
                  $values[] = '"'.addcslashes($value, '\\$').'"';
              }
          }
          $sql = preg_replace($keys, $values, $sql, 1, $count);
          return $sql;
      }
  23. What are the values of $memberid and $q? If they are undefined or not what you expected, there is your problem. If they look applicable, then substitute them in your query and directly input the query into your DB, and see if you get any results. If none, systematically remove some of the WHERE clauses until you find out which one is limiting.
  24. I like option 1
  25. Thank you for your reply maxxd. My original plan for a singleton object was to invoke it in the parent script and not pass it to any classes that need it since it was global in nature, and I could access a property in it as mySuperSingleton::mySuperSingleton()->someProperty. Effectively, I would be doing the same thing as using a global variable, which I now understand is not desirable. My contention regarding constants is that they could be abused just the same as globals, and I am sure I have been guilty of doing so. For instance, what if in the entry point of my script, I queried the DB and defined 500 constants based on the returned records? Now those constants are global throughout all my script. In practice, I didn't declare 500 constants, but I have done a few. Another area I've used constants is for defining file paths to my root directory, my class directory, etc., etc. This seems more acceptable, but I don't completely understand the future repercussions. Other uses I have done are for defining constants such as my Google maps key or my recaptcha keys. Again, seems more acceptable, but again I would like advice from others. So, my question is what are acceptable uses for constants, and when is their use detrimental for reasons similar to using global variables?