axhi Posted July 12, 2007
People have been reporting session errors on my website after they fill out a form. The thing is, I have not used sessions anywhere on the website. The error will not allow them to redirect to the order page. Most of the time, if people just refresh their browsers, it works, but why is this happening in the first place? Can anyone help?
metrostars Posted July 12, 2007
Some code / website preview might be nice.
trq Posted July 12, 2007
You'll need a much better description of the said problem, i.e. the exact error would be nice.
axhi Posted July 12, 2007 (Author)
Sorry, I'm foolish. This is the error:

Warning: main(includes/cart&PHPSESSID=06c8d3283f2398a3d0bcbead52a22a12.php): failed to open stream: No such file or directory in /hsphere/local/home/tourgogg/sconnietours.com/index.php on line 78
Warning: main(includes/cart&PHPSESSID=06c8d3283f2398a3d0bcbead52a22a12.php): failed to open stream: No such file or directory in /hsphere/local/home/tourgogg/sconnietours.com/index.php on line 78
Warning: main(includes/cart&PHPSESSID=06c8d3283f2398a3d0bcbead52a22a12.php): failed to open stream: No such file or directory in /hsphere/local/home/tourgogg/sconnietours.com/index.php on line 78
Warning: main(): Failed opening 'includes/cart&PHPSESSID=06c8d3283f2398a3d0bcbead52a22a12.php' for inclusion (include_path='.:/usr/local/lib/php:/usr/local/share/pear') in /hsphere/local/home/tourgogg/sconnietours.com/index.php on line 78

The code on line 78 of my index is:

<? include("includes/$page_name"); ?>
axhi Posted July 12, 2007 (Author)

<table width='850' border='0' align='center' cellpadding='0' cellspacing='0'>
  <tr>
    <td><div align='left'>
      <p>We are almost ready now! We just need you to fill out this form and then it's on our way to a secure payment using PayPal!</p>
    </div></td>
  </tr>
  <tr>
    <td><form method='post' action='http://www.sconnietours.com/forms/form.php' name='tourform'>
      <input type='hidden' name='env_report' value='REMOTE_HOST,REMOTE_ADDR,HTTP_USER_AGENT,AUTH_TYPE,REMOTE_USER'>
      <input type='hidden' name='recipients' value='salesRTQ7B9CYsconnietours.com' />
      <input type='hidden' name='required' value='email:Your email address,realname:Your name' />
      <input type='hidden' name='subject' value='Tour Sale Information' />
      <input type='hidden' name='good_url' value='/?cart' />
      <table width='677' border='1' align='left' cellpadding='1' cellspacing='0' bordercolor='#000000' bgcolor='#BDC1EE'>
        <tr>
          <td width='176'><p>Name:</p></td>
          <td colspan='2'><input type='text' name='realname' /></td>
        </tr>
        <tr>
          <td><p>E-Mail Address:</p></td>
          <td colspan='2'><input type='text' name='email' /></td>
        </tr>
        <tr>
          <td><p>Cell Phone Number:</p></td>
          <td colspan='2'><input type='text' name='cell' /></td>
        </tr>
        <tr>
          <td><p>Carrier:</p></td>
          <td colspan='2'>
            <!-- <select> is a container, it must not be self-closed -->
            <select name='carr[]'>
              <option value='Please choose one of the following' selected>Please choose one of the following:</option>
              <option value='att'>AT&T\Cingular</option>
              <option value='sprint'>Sprint</option>
              <option value='verizon'>Verizon</option>
              <option value='tmob'>T-Mobile</option>
              <option value='virgmob'>Virgin Mobile</option>
              <option value='nextel'>Nextel</option>
              <option value='Other'>Other</option>
            </select>
          </td>
        </tr>
        <tr>
          <td valign='top'><p>If other please specify:</p></td>
          <td colspan='2' valign='top'><input name='carr[]' type='text' /></td>
        </tr>
        <tr>
          <td valign='top'><p>Address:</p></td>
          <td colspan='2' valign='top'><p>
            <input name='add[]' type='text' id='add1' /><br>
            <input name='add[]' type='text' id='add2' /></p>
          </td>
        </tr>
        <tr>
          <td><p>City:</p></td>
          <td colspan='2'><input name='city' type='text' id='city' /></td>
        </tr>
        <tr>
          <td><p>State:</p></td>
          <td colspan='2'>
            <select name='states[]' id='states'>
              <option value='al'>AL</option> <option value='ak'>AK</option> <option value='az'>AZ</option> <option value='ar'>AR</option> <option value='ca'>CA</option> <option value='co'>CO</option> <option value='ct'>CT</option> <option value='de'>DE</option> <option value='fl'>FL</option> <option value='ga'>GA</option> <option value='hi'>HI</option> <option value='id'>ID</option> <option value='il'>IL</option> <option value='in'>IN</option> <option value='ia'>IA</option> <option value='ks'>KS</option> <option value='ky'>KY</option> <option value='la'>LA</option> <option value='me'>ME</option> <option value='mh'>MH</option> <option value='md'>MD</option> <option value='ma'>MA</option> <option value='mi'>MI</option> <option value='mn'>MN</option> <option value='ms'>MS</option> <option value='mo'>MO</option> <option value='mt'>MT</option> <option value='ne'>NE</option> <option value='nv'>NV</option> <option value='nh'>NH</option> <option value='nk'>NK</option> <option value='nm'>NM</option> <option value='ny'>NY</option> <option value='nc'>NC</option> <option value='nd'>ND</option> <option value='oh'>OH</option> <option value='ok'>OK</option> <option value='or'>OR</option> <option value='pa'>PA</option> <option value='ri'>RI</option> <option value='sc'>SC</option> <option value='sd'>SD</option> <option value='tn'>TN</option> <option value='tx'>TX</option> <option value='ut'>UT</option> <option value='vt'>VT</option> <option value='va'>VA</option> <option value='wa'>WA</option> <option value='wv'>WV</option> <option value='wi'>WI</option> <option value='wy'>WY</option>
            </select>
          </td>
        </tr>
        <tr>
          <td><p>Zip:</p></td>
          <td colspan='2'><input name='zip' type='text' id='zip' /></td>
        </tr>
        <tr>
          <td><p>Birthday:</p></td>
          <td colspan='2'><input name='bday' type='text' id='bday' /></td>
        </tr>
        <tr>
          <td valign='top'><p>Emergency Contact:</p></td>
          <td width='134' valign='top'><p>Name:<br> Relationship:<br> Phone Number:</p></td>
          <td width='162' valign='top'><p>
            <input name='emergency[]' type='text' id='name' /><br>
            <input name='emergency[]' type='text' id='relation' /><br>
            <input name='emergency[]' type='text' id='phone' /></p>
          </td>
        </tr>
        <tr>
          <td><input name='submit' type='submit' value='Submit' /></td>
          <td colspan='2'></td>
        </tr>
      </table>
      <div align='center'></div>
    </form></td>
  </tr>
</table>
<p></p>

That's the code.
trq Posted July 12, 2007
Ok, we need to see some code a few lines prior to and including line 78 of /hsphere/local/home/tourgogg/sconnietours.com/index.php. Also, be sure to let us know which is line 78.
per1os Posted July 12, 2007
Wrong code, we need the PHP file where cart.php is supposed to be included. That is the problem. For some reason the PHP session id is being appended to that.
axhi Posted July 12, 2007 (Author)

<tr>
  <td class="style2"><table width="884" border="00" align="center" cellpadding="1" cellspacing="1">
    <tr>
      <td width="880" height="12" colspan="3" class="text">
        <div align="left">
          <? include("includes/$page_name"); ?>
        </div></td>
    </tr>
  </table></td>
</tr>
<tr>

The include is line 78.
trq Posted July 12, 2007
Where do you define $page_name? Can we see it?
axhi Posted July 12, 2007 (Author)

<?
$page_title = "Sconnie™ Tours";
// the page to include is taken straight from the query string, e.g. /?cart
$page_name = ($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : 'main';
$page_name = $page_name . '.php';
?>
<html>
<head>

That's on index.php, lines 1-5.
trq Posted July 12, 2007
I see the problem. The users experiencing this issue more than likely have cookies disabled, hence PHP is attempting to maintain your session via the URL. This is why you're getting PHPSESSID=06c8d3283f2398a3d0bcbead52a22a12 appended. You either need to disable this functionality within your php.ini and have your users enable cookies for your site, or somehow restructure your logic to work around the issue. Looking at what you're doing though, there are quite a few security concerns regarding the include of a file without firstly checking for its existence. This could be a rather large problem.
axhi Posted July 12, 2007 (Author)
What do you mean include w/o checking for its existence? How do I check for its existence? Sorry, I'm a bit new to PHP and still learning. Is there something I could look at that would help me know how to disable cookies or work around this problem?
axhi Posted July 12, 2007 (Author)
What if I did start a session w/ the user on their connect... would that help?
per1os Posted July 12, 2007
www.php.net/file_exists is what Thorpe is talking about. But still, you should check to make sure that data was not altered by someone else. All I have to do is add this to the query string: http://www.someremotesiteofmine.com/destroy_site and that file will be included, which in return could wipe out all the files on your site. Not a good thing to have happen. It is best to check that data and verify that it is legit before including.
trq Posted July 12, 2007
> what if i did start a session w/ the user on their connect...would that help?

Not sure what you're saying. The problem (appears to me) to be that some users have cookies disabled. Sessions require cookies to function normally; if cookies are disabled PHP will try to maintain state through the URL by appending the session id there. Now, you're trying to include files called directly through the URL. So... when this session id appears in the URL your code tries to include a file that looks like...

PHPSESSID=06c8d3283f2398a3d0bcbead52a22a12.php

Which obviously does not exist. Hence your error. I'm not going to write a solution to this issue as there is probably a fair amount of work involved. If you did not write this code or feel you're not up to the task you might need to post in the freelance forum to see if you can get someone to fix the issue. Otherwise, I have pointed out what I think the problem is; it's up to you to fix it.
axhi Posted July 12, 2007 (Author)
THANKS EVERYONE!
per1os Posted July 12, 2007
Here is a simple fix to your session problem, note that if I were you I would take care of the possible exploit that could happen. But this will solve the problem half-assed and very unsecure.

<?php
$page_title = "Sconnie™ Tours";
$page_name = ($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : 'main';
// cut off the PHPSESSID=... that PHP appended, together with the '&' in front of it
$position = strpos($page_name, 'PHPSESSID=');
if ($position !== FALSE) {
    $page_name = rtrim(substr($page_name, 0, $position), '&');
    if ($page_name === '') {
        $page_name = 'main'; // query string was only the session id
    }
}
$page_name = $page_name . '.php';
?>
<html>
<head>

Just remember there is a much bigger problem at hand with what I posted above. I HIGHLY suggest you fix that issue ASAP.

Bah, my conscience got the best of me.

<?php
$page_title = "Sconnie™ Tours";
$page_name = ($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : 'main';
// reject remote URLs and directory traversal
// (eregi() no longer exists in PHP 7+, preg_match() with the i modifier does the same job)
if (preg_match('#http:#i', $page_name) || preg_match('#\./|\.\./#', $page_name)) {
    $page_name = 'main'; // someone tried to get into the site
}
// cut off the PHPSESSID=... that PHP appended, together with the '&' in front of it
$position = strpos($page_name, 'PHPSESSID=');
if ($position !== FALSE) {
    $page_name = rtrim(substr($page_name, 0, $position), '&');
    if ($page_name === '') {
        $page_name = 'main'; // query string was only the session id
    }
}
$page_name = $page_name . '.php';
// the function is file_exists(), and it has to look in includes/ where the include() looks
if (!file_exists('includes/' . $page_name)) {
    $page_name = 'main.php'; // set it to default
}
?>
<html>
<head>

Now I am not sure if this would work, I would suggest testing it before pushing it to production, but should prevent against most attacks. The only part I'm not sure about is the second ereg with the ./ and ../ check. I think my syntax is right.
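For comparison, an allowlist-based version of the index.php dispatcher this thread is about, written as an added example rather than code from any of the posts above. It keeps the site's /?cart style of URL, drops whatever PHP's URL-based session handling appended after the first '&', and turns off that URL rewriting altogether; the page names in ALLOWED_PAGES are assumed and should match the files actually present in includes/.

```php
<?php
// Added example (not the thread's code): a safe page dispatcher for index.php.
// Instead of a blacklist of bad substrings, only names on a fixed allowlist are
// ever included, and the session id is never allowed into the URL at all.

// Stop PHP from appending PHPSESSID=... to URLs when cookies are disabled
// (the root cause of the "cart&PHPSESSID=...php" error in this thread).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Assumed allowlist: the include files the site actually has under includes/.
const ALLOWED_PAGES = ['main', 'cart', 'tours', 'contact'];

/**
 * Map the raw query string (e.g. "cart" or "cart&PHPSESSID=abc") to a page
 * name that is safe to include, falling back to $default for anything else.
 */
function resolve_page(string $query_string, array $allowed, string $default = 'main'): string
{
    // /?cart&PHPSESSID=abc -> "cart": everything after the first '&' is ignored.
    $candidate = strtok($query_string, '&');
    if ($candidate === false || $candidate === '') {
        return $default;
    }
    // Only plain identifiers get through; this rejects '/', '..', ':', '%00', etc.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $candidate)) {
        return $default;
    }
    // Exact, type-strict match against the allowlist.
    return in_array($candidate, $allowed, true) ? $candidate : $default;
}

$page_name = resolve_page($_SERVER['QUERY_STRING'] ?? '', ALLOWED_PAGES) . '.php';
$path = __DIR__ . '/includes/' . $page_name;

if (!is_file($path)) {
    // Allowlisted but missing on disk: fall back quietly instead of showing users a warning.
    $path = __DIR__ . '/includes/main.php';
}
include $path;
```

With this in place a request for /?cart&PHPSESSID=06c8d3283f2398a3d0bcbead52a22a12 resolves to includes/cart.php, and a request for /?http://www.someremotesiteofmine.com/destroy_site resolves to includes/main.php.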