BillyT

  1. Hi there. I posted this on another thread but thought it deserved its own. I have a php script that multiple users access that has something like

         session_start();
         include('../common.php');
         echo $someVar;

     In common.php it accesses the session vars and sets values for other vars, e.g.

         $num=$_SESSION['num'];
         $someVar = $num+5;

     Is it possible for 2 users to hit the script in quick succession and for the server to return cached values to the second user, and thereby pass this second user the values from the first user's session? So for example, let's say in user 1, $_SESSION['num']=5; and in user 2, $_SESSION['num']=25; user 1 loads page and it displays 10. User 2 then loads page and it should display 30, but is it possible for the server to say "I've cached common.php and I already know $someVar = 10 so I'll return that to user 2"? I'm guessing this can't happen but just want to make sure. Thanks in advance
  2. Here is another scenario that I would like feedback on. I have a php script that multiple users access that has

         session_start();
         include('../common.php');

     In common.php it accesses the session vars and returns values for other vars, e.g.

         $domain=$_SESSION['domain'];

     Is it possible for 2 users to hit the script in quick succession and for the server to return cached values to the second user, and thereby pass this second user the values from the first user's session? Thanks in advance
  3. No, I can't recreate it and have never had another user mention it.

     1. Possibly due to server maintenance?

     2. I run this function on all posted data like logins

         function make_safe($variable) {
             $variable = addslashes(trim($variable));
             return $variable;
         }

     Are there more robust methods of preventing injection?

     3. Possibly. But I doubt this user would have even heard of the other user whose site he claims loaded when he clicked his launch site button, so it definitely sounded like a glitch in my script or the way my server stores and handles sessions. Thanks again
  4. thanks but that is definitely not the problem. Code has been fine for a couple of years but getting more users now and this glitch was reported - not sure if it is a problem with my logic or just a strange server quirk that will probably never happen again. Thanks again
  5. Thanks for the reply. Here is a stripped back version of my login script - can you see any problems?

         $checkUserName=$_POST['username'];
         $checkPass=$_POST['pass'];
         // Attempt to authorise user with database
         $authorise = auth($checkUserName, $checkPass);
         // If authorisation failed...
         if ($authorise['userID'] == -1) {
             $errors[]="Invalid username and/or password";
         }else{
             $userID=$authorise['userID'];
             $_SESSION['loggedIn']="yes";
             $_SESSION['domain']=$authorise['domain'];
             echo("<script>location.href='../app.php';</script>");
         }

     and the auth looks something like

         function auth($username, $password) {
             $table='users';
             $query = "SELECT * FROM $table WHERE username = '$username' AND password = '$password'";
             $result = mysql_query($query);
             $return=array();
             // If we found a match...
             if (mysql_num_rows($result) == 1) {
                 // Extract user ID from the results
                 $user = mysql_fetch_array($result);
                 $userID = $user['userID'];
                 $domain = $user['domain'];
                 $return['userID']=$userID;
                 $return['domain']=$domain;
             } else {
                 // Otherwise set userID to -1
                 $userID = -1;
                 $return['userID']=$userID;
             }
             return $return;
         }

     There is code in the registration process that stops duplicate usernames. So the domain that is stored in the session is then used for a 'launch site' button - can you see any way that one user's domain could have been passed to another user? Just noticed another reply to this topic which I will check now. Thanks again
  6. Hi there. I have a web application that allows multiple people to log into a central CMS and then edit their own websites. When they log in it finds a match in the users table and then returns their domain which it stores in a session. All uploaded files etc then go into their domain directory. Now this seemed to be fine but I had a situation recently when a user claimed they had logged in but the changes they were making weren't working and when they launched their site from within the CMS, another user's domain was launched. Is it possible for session data to get mixed up at all when multiple users are logged in at the same time? And how secure is the data stored in a session? Thanks in advance
  7. thanks for the replies. Haku I have manually checked some links and found a couple of people using URL forwarding to make mydomain.com/mypage.php look like theirdomain.com My question is, can I put some javascript or php on mypage.php to see whether or not the domain in the url is equal to mydomain.com? As I mentioned in my first post, everything I have tried still returns mydomain.com even though in the browser it says theirdomain.com. Thanks again
  8. still looking for a way to know if a page has been loaded via URL forwarding - any ideas? Thanks in advance
  9. no I need to know if the page was loaded via URL forwarding as opposed to someone clicking a regular link
  10. thanks for the reply. I'm not sure if this would be adequate though, as there will be many times that users will follow a link to mydomain.com/mypage.php so the referrer would be set to another domain there as well. Is that correct? thanks again
  11. Hi there let's say I have a page called www.mydomain.com/mypage.php In mypage.php, how can I check if the page is being loaded via the url forwarding that most domain registrars provide? ie if someone has registered www.theirdomain.com and pointed it at my page above, how can I tell? All the php and javascript code I have tried just return mydomain.com I hope that makes sense Thanks in advance
  12. You are a legend Thanks mate - much appreciated
  13. Hi all, using a script that I got from the seo with php book http://www.seoegghead.com/blog/professional-seo-with-php-book It attempts to populate a database with the data provided by the friendly people at iplists.com However, it is failing due to a curl issue and I am unsure what the problem is. curl is enabled on the server (mediatemple gridserver)

      basic code

          $ch = curl_init();
          curl_setopt ($ch, CURLOPT_URL, 'http://www.iplists.com/nw/google.txt');
          curl_setopt ($ch, CURLOPT_HEADER, 1);
          curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
          curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
          curl_setopt ($ch, CURLOPT_TIMEOUT, 60);
          $result = curl_exec($ch);
          echo $result;

      which outputs

          HTTP/1.1 403 Forbidden
          Date: Tue, 21 Oct 2008 04:05:44 GMT
          Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
          Content-Length: 517
          Connection: close
          Content-Type: text/html; charset=iso-8859-1

          Forbidden
          You don't have permission to access /nw/google.txt on this server.
          Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

      Is it an issue with my code, server, the way connections are handled by the external server, or something else? Thanks in advance
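
For the login script in post 5 and the make_safe() question in post 3, an added example (not part of the original posts) of the same auth() lookup written with a bound parameter and a hashed password check. It assumes PDO with an in-memory SQLite database in place of the poster's MySQL table, a hypothetical password_hash column, and constructed sample users.

```php
<?php
// Added example, not the poster's code. Assumes PDO with the sqlite driver
// (in-memory DB standing in for MySQL) and a hypothetical password_hash column.

function auth(PDO $db, string $username, string $password): array
{
    // The placeholder keeps user input out of the SQL text, so quotes in a
    // username cannot alter the query and addslashes() is not needed.
    $stmt = $db->prepare(
        'SELECT userID, domain, password_hash FROM users WHERE username = ?'
    );
    $stmt->execute([trim($username)]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a salted hash rather than matching the password in SQL.
    if ($user !== false && password_verify($password, $user['password_hash'])) {
        return ['userID' => (int) $user['userID'], 'domain' => $user['domain']];
    }
    return ['userID' => -1];
}

function login(PDO $db, string $username, string $password): bool
{
    $authorise = auth($db, $username, $password);
    if ($authorise['userID'] === -1) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session ID on privilege change
    }
    $_SESSION['loggedIn'] = 'yes';
    $_SESSION['domain'] = $authorise['domain'];
    return true;
}

// Constructed sample users, for demonstration only.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userID INTEGER PRIMARY KEY,
    username TEXT UNIQUE, password_hash TEXT, domain TEXT)');
$ins = $db->prepare(
    'INSERT INTO users (username, password_hash, domain) VALUES (?, ?, ?)'
);
$ins->execute(['alice', password_hash('pw-alice', PASSWORD_DEFAULT), 'alice.example']);
$ins->execute(["o'brien", password_hash('pw-obrien', PASSWORD_DEFAULT), 'obrien.example']);

var_dump(login($db, "o'brien", 'pw-obrien')); // quote in the name is plain data
var_dump(login($db, 'alice', 'pw-obrien'));   // wrong password for this user
```

In a web request, session_start() must run before login() so that the session ID is regenerated and the domain is stored against the new ID.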