lanmind Posted October 11, 2008 Share Posted October 11, 2008 Hello everybody, On my page here: http://www.dockhawk.com/ I referenced this article: http://phpsec.org/projects/guide/2.html I'm using a session variable to ensure a query sent to my database actually comes from my site. Problem is is that if you type something like: http://www.dockhawk.com/currentphp.php?name=houston into a URL bar data as valid XML is being returned. I'm assigning the session value to a javascript variable and sending it to the PHP inside the javascript function "getmarks();" using AJAX. The PHP queries the db then returns a new session value in XML to ensure each session var is used only once. The session value is then reassigned to the javascript var for the next query. Here is the relevant PHP: <?php session_start(); if ($_GET['token'] !== $_SESSION['token']) { die('Invalid token'); } $_SESSION['token'] = uniqid(md5(microtime()), true); $coin = $_SESSION['token']; ... I was hoping using sessions would ensure my data could only be queried from my page. Any ideas why this doesn't work? Thank you. Quote Link to comment Share on other sites More sharing options...
budimir Posted October 12, 2008 Share Posted October 12, 2008 Try this: <?php session_start(); $_SESSION['token'] = uniqid(md5(microtime()), true); if ($_GET['token'] != $_SESSION['token']) { die('Invalid token'); } $coin = $_SESSION['token']; Quote Link to comment Share on other sites More sharing options...
iversonm Posted October 12, 2008 Share Posted October 12, 2008 your statement will always be true for the record, you need two = signs to compare something so it would be if($_GET['token'] !== $_SESSION['token']){} not sure about anything else though Quote Link to comment Share on other sites More sharing options...
budimir Posted October 12, 2008 Share Posted October 12, 2008 @iversonm: $a != $b Not equal TRUE if $a is not equal to $b. $a !== $b Not identical TRUE if $a is not equal to $b, or they are not of the same type. (introduced in PHP 4) In both cases he will get the same result in his if function, because it's the same type. Although, as looking now if $_SESSION['token'] = uniqid(md5(microtime()), true); is encoded with md5. Then if ($_GET['token'] != $_SESSION['token']) is always FALSE unless decoded. @lanmind: Where do you get $_SESSION['token'] for your if statment if ($_GET['token'] != $_SESSION['token']) ? Quote Link to comment Share on other sites More sharing options...
lanmind Posted October 13, 2008 Author Share Posted October 13, 2008 I'm sorry, a session is declared at the very top of my homepage: http://www.dockhawk.com/ but you can't see it in the source. Quote Link to comment Share on other sites More sharing options...
lanmind Posted October 14, 2008 Author Share Posted October 14, 2008 *bump* Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.