
using $_SESSION vars in a query


gammaman


I want to do something like this, but I get an error message saying unexpected T_VARIABLE on line 27.

I am trying to use the $_SESSION values that are being carried over in a query.

 

<?php
$conn = mysql_connect("localhost", "fierm", "13183");

if (!$conn) {
    echo "failed";
} else {
    mysql_select_db("fierm");
    session_start();
    $_SESSION['student']['user'];
    $_SESSION['student']['pass'];

    $CourseID   = $_POST['ci'];
    $CourseName = $_POST['cn'];

    // This is the statement that produces "unexpected T_VARIABLE": the inner double
    // quotes end the string right before $_SESSION['student']['user'].
    $course = mysql_query("select CourseID,CourseName,StudentID,Password FROM Rcourse
             WHERE CourseID ='$CourseID' AND CourseName='$CourseName' AND StudentID = "$_SESSION['student']['user']"
   AND Password = "$_SESSION['student']['pass']"");

    $count = mysql_num_rows($course);

    if ($count > 0) {
        echo "Already took or currently taking this course";
    }

//    else {
//        mysql_query("Insert into Rcourse (CourseID,CourseName,StudentID,Password)
//                  Values ($CourseID,$CourseName,$USer,$Pass)");
//    }
}
?>


Just use concatenation; don't complicate the string so much that you won't be able to read it in the future:

 

<?php
mysql_query("SELECT * FROM table WHERE smth='" . $_SESSION['smth'] . "'");
?>

 

Note that $_SESSION['smth'] is also enclosed in single quotes.


EDITED, sorry...

 

Remember, sessions might cause the select statement to go wrong; be careful...

 

Also, sessions in a database query ask for trouble...

 

<?php
session_start();

// set a session with an id.
$_SESSION['id'] = 301;

// set variable $id from the session.
$id = $_SESSION['id'];

// post id (this reassigns $id).
$id = $_POST['id'];

// select the row via the variable $id.
mysql_query("SELECT * FROM table WHERE id='$id'");
?>


 

$course = mysql_query("select CourseID,CourseName,StudentID,Password FROM Rcourse
          WHERE CourseID ='$CourseID' AND CourseName='$CourseName' AND StudentID = '{$_SESSION['student']['user']}'
          AND Password = '{$_SESSION['student']['pass']}'");

 

That's it.  That query will work.

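As an added example (not code from the thread), the same Rcourse check written with mysqli prepared statements, which avoid the quoting problem entirely because the session and POST values are bound as parameters rather than spliced into the SQL string. The connection credentials are placeholders; the Password column and the 'ci'/'cn' field names follow the poster's schema.

```php
<?php
// Added example, not from the thread. Assumes a MySQL table Rcourse with the columns the
// poster used and the mysqli extension (mysql_* is removed from current PHP).
session_start();

// Values set at login live in the session on the server, but they are still data, not SQL:
// binding them keeps the query shape fixed no matter what the values contain.
$user = $_SESSION['student']['user'] ?? null;
$pass = $_SESSION['student']['pass'] ?? null;   // stored here only because the thread's schema needs it
$courseId   = $_POST['ci'] ?? '';
$courseName = $_POST['cn'] ?? '';

if ($user === null || $pass === null) {
    http_response_code(403);
    exit('Not logged in');
}

// Placeholder credentials; replace with your own.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'fierm');
if ($db->connect_error) {
    exit('Database connection failed');   // do not echo connect_error to the user
}

// One '?' per value replaces the nested quotes that caused the T_VARIABLE error.
$stmt = $db->prepare(
    'SELECT COUNT(*) FROM Rcourse
      WHERE CourseID = ? AND CourseName = ? AND StudentID = ? AND Password = ?'
);
$stmt->bind_param('ssss', $courseId, $courseName, $user, $pass);
$stmt->execute();
$stmt->bind_result($count);
$stmt->fetch();
$stmt->close();

if ($count > 0) {
    echo 'Already took or currently taking this course';
}

// For comparison, the string form that works is the {} syntax shown in the thread:
//   "... AND StudentID = '{$_SESSION['student']['user']}' ..."
// but every interpolated value then still needs mysql_real_escape_string(); binding does not.
```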

How could $_SESSION data in a SQL query cause trouble? I'm not wanting to argue, I honestly don't understand why.

 

 

 

I know, right?  If you're assigning it to a variable and then putting it in the query, that's essentially the same as using it directly, so I don't understand why you'd do it like that.  You can just enclose it in {} and be done.


How could sessions be hacked? The only way to hack a session is to use a different session id, which would still give you session data that was already approved by the server, although it may have been meant for a different user.

 

redarrow may have been confusing session with cookies where the data is stored on the user's computer and is subject to tampering.


Sessions can be used by anyone via a form or even by the URL; all people have to do is continue to

guess your session name and start to use it,

 

but in saying that, a session that has been validated correctly is good and good code practice...

 

but sessions in database queries are bad code practice, trust me...

 

imagine people got your session and found a page where you're deleting info to update the system,

hey presto, you've got no database info now...

 

setting a session to a variable is much safer than just using the session RAW in a query...


Sessions can be used by anyone via a form or even by the URL; all people have to do is continue to

guess your session name and start to use it,

 

but in saying that, a session that has been validated correctly is good and good code practice...

 

but sessions in database queries are bad code practice, trust me...

 

imagine people got your session and found a page where you're deleting info to update the system,

hey presto, you've got no database info now...

 

You've obviously never used sessions before, or that much, anyway.  Even if they took another session from another user, what'd they do?  Ruin that user's account?  They can't change the username or password of the session to 'DROP TABLE xxxx'.  That query that he has right now is perfectly safe.


You're talking no sense, mate...

 

it would delete that user's account, but by using the session name you can do a lot more than that,

especially when the session is directly in a query....

 

also, now we know you've got sessions in your queries, you'll definitely get hacked......


It would only delete the user account if you had previously configured the session data to be able to delete the account. And still, that data couldn't be used in this instance. I.e. you probably won't be managing your tables with the same session variable that you use to store the login query.


You're talking no sense, mate...

 

it would delete that user's account, but by using the session name you can do a lot more than that,

especially when the session is directly in a query....

 

also, now we know you've got sessions in your queries, you'll definitely get hacked......

 

Really?  Explain to me how you could change $_SESSION['student']['user'] to a malicious query just by knowing the session ID.  Enlighten me. 

 

For the record, I'm sure about what I'm saying, I don't really need enlightenment.


Tell me which one is easier to guess than the other...

 

<?php
session_start();

$_SESSION['student']['user'] = "redarrow";

echo " Changed session to: " . $_SESSION['student']['user'] . " <br><br>";

$suser = $_SESSION['student']['user'] = "paul";

echo " Set variable; changed session to: $suser <br><br>";
?>

 


Tell me which one is easier to guess than the other...

 

<?php
session_start();

$_SESSION['student']['user'] = "redarrow";

echo " Changed session to: " . $_SESSION['student']['user'] . " <br><br>";

$suser = $_SESSION['student']['user'] = "paul";

echo " Set variable; changed session to: $suser <br><br>";
?>

 

 

Excuse me, but how do you presume that a user who obtained someone else's session ID would be able to edit the script like that and change the variables? =/ Honestly, think it through before you try to show me that I'm wrong.


redarrow has 8x my post count, so I have to respect him. But really, I can't think of a way to spoof a session stored server side, even if I have the sid. If there were such an option, scripts would be a lot less secure.

 

I respect his post count, but he seems like he had no idea what he was talking about just a minute ago.  I have so little posts because I just joined PHPFreaks, but I've been coding PHP for years.


All I am saying is a session in a query not set to a variable is not secure, mate..

 

The reason I say that is,

programmers use their sessions in a meaningful way, then they hide the session info

with a set variable, nothing indicating the session name, making the variable unique...

 

yes, some programmers make their sessions unique, but most don't...

 

be careful, that's all...

 

good luck...


Post count does not always reflect your PHP knowledge. Up until 3 days ago, I had been programming for 6 years and only had around 30 posts.

 

[OFFTOPIC] What I said is that I respect the thoughts of someone with so many posts. Having 5000+ posts means that he has been here for some time, and here you can learn a lot in 1 day, imagine a year or 2. But that absolutely doesn't mean I don't respect the thoughts of someone with 2 posts.


All I am saying is a session in a query not set to a variable is not secure, mate..

 

The reason I say that is,

programmers use their sessions in a meaningful way, then they hide the session info

with a set variable, nothing indicating the session name, making the variable unique...

 

yes, some programmers make their sessions unique, but most don't...

 

be careful, that's all...

 

good luck...

But this is the exact same as just using the session variable...

$suser = $_SESSION['student']['user'];

 

...


All, read this please, cheers; it makes lots of sense..

 

http://en.wikipedia.org/wiki/Session_poisoning

 

Edited this as well:

http://en.wikipedia.org/wiki/Session_fixation#A_simple_attack_scenario

 

 

To anyone: it doesn't matter if you've been programming for years, there's always something to learn in PHP.

 

Also, the number of posts on the forum website doesn't reflect the power of a user's programming skills...

 

Remember, there are wannabe copy-and-paste programmers who earn thousands a day programming (fact, not fiction)...

 

Ideas are the solution, and using the PHP language to its full potential.

 

 


Only the shared host scenario could be a real session spoof; the others are by using GET and REQUEST (who uses REQUEST anyway?). GET variables are dangerous by themselves, so it still is generally not related to sessions.

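As an added example, not from the thread, the server-side session settings that close the fixation scenario in the linked Wikipedia page (an id handed to the victim through a URL), alongside a login routine that rotates the id. The user table is constructed inline for illustration and the field names 'user'/'pass' are assumptions.

```php
<?php
// Added example, not from the thread. Strict mode refuses session ids the server never
// issued, ids are read only from the cookie (never from ?PHPSESSID=... in a URL), and the
// id is rotated at login so an id chosen before login is never promoted to a logged-in one.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'httponly' => true,   // not readable by page scripts
    'secure'   => true,   // sent over HTTPS only
    'samesite' => 'Lax',
]);
session_start();

// Constructed user table for illustration; a real app reads the hashes from the database.
$USERS = ['student1' => password_hash('example-only', PASSWORD_DEFAULT)];

function credentials_valid(array $users, string $user, string $pass): bool
{
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

function login_student(array $users, string $user, string $pass): bool
{
    if (!credentials_valid($users, $user, $pass)) {
        return false;
    }
    session_regenerate_id(true);              // fresh id; the old id's data is deleted
    $_SESSION['student'] = ['user' => $user]; // record who is logged in, not the password
    return true;
}

if (login_student($USERS, $_POST['user'] ?? '', $_POST['pass'] ?? '')) {
    echo 'Logged in as ' . htmlspecialchars($_SESSION['student']['user']);
}
```

With these settings the $_SESSION contents really are only what the server wrote after a successful login, which is the property the thread's later posts were debating.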