kaliok Posted July 14, 2007

I am using session_set_save_handler to store session data in my database, but I am having some trouble getting the session id back out of the database to check if there is a current id running. The following is the function I am using to _read the database:

    function _read($id)
    {
        global $_sess_db;
        $id = mysql_real_escape_string($id);
        $sql = "SELECT data FROM sessions WHERE id = '$id'";
        if ($result = mysql_query($sql, $_sess_db)) {
            if (mysql_num_rows($result)) {
                $record = mysql_fetch_assoc($result);
                return $record['data'];
            }
        }
        return '';
    }

In the code I call session_set_save_handler from I am able to write to the database fine, but when I try to read from it to see if there is a session in progress I can't seem to get it to show me the session id or anything...

    include 'sessionhandler.inc';
    session_start();
    $_SESSION['name'] = "mysessionname";
    echo "<br>the session data is: ".$record['data'];
    [test to see if the session is there and that it is equal to md5($_SERVER['HTTP_USER_AGENT'])]
    ....

Perhaps someone can help. Hope it makes sense what I am trying to do. Thanks.
dzysyak Posted July 14, 2007

You can look at an example here - http://www.php.net/session_set_save_handler You can find a database example too.
redarrow Posted July 14, 2007

Many people are using session_set_save_handler to store the session in a session database, which of course is both valid and smart since it (could) increase security. What many people forget is that session ids can easily be edited by a user as he sees fit (by editing a session cookie for example*).

* If you like to play around to test your site, check the Add n Edit Cookies extension for Firefox.

This might not be a big deal when saving them in a file, since the worst thing that may happen is that the user loses his session and a new one is generated. But when saving to a DB it is*. One should never trust that the server itself adds slashes and escapes other vital characters.

* A Google search for "SQL Injection" gives 716 000 hits.

Example code, non-working:

    <?PHP
    function read($session_id)
    {
        // session id is interpolated unescaped and unquoted: vulnerable
        $sql = mysql_query("SELECT * FROM mysessions WHERE session_id=$session_id");
        $data = mysql_fetch_array($sql);
    }
    ?>

This is obviously flawed, since setting our session ID to "; drop mysessions; " would create serious problems. A more suitable approach would be something along the lines of:

Example code, non-working:

    <?PHP
    function read($session_id)
    {
        // ( Code by php.net )
        if (get_magic_quotes_gpc()) {
            $session_id = stripslashes($session_id);
        }
        // Quote and escape if not integer
        if (!is_numeric($session_id)) {
            $session_id = "'" . mysql_real_escape_string($session_id) . "'";
        }
        $sql = mysql_query("SELECT * FROM mysessions WHERE session_id=$session_id");
        $fieldarray = mysql_fetch_array($sql);
        return $fieldarray;
    }
    ?>

I quickly checked different sample codes and tutorials and none of them actually escaped session ids.

That's my two cents for tonight,
Niklas
kaliok Posted July 14, 2007 (Author)

Thanks for your help. I am still somewhat confused; I think the problem I am having is to do with variables not being available in the file that is calling the .inc file that contains the functions for session_set_save_handler. I'll definitely take up your suggestions of escaping the data and adding slashes once I have got the rest of the code working. But as I say I am still having some problems with the variables; I thought that making it a global variable would make it happy but it still doesn't seem to work... Thanks again for your help.
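For readers arriving at this thread later, here is a complete database-backed session handler written as an added example; it is not code from any of the posters. It covers both points raised above: the first post's problem (the string that read() returns is what session_start() unserializes into $_SESSION, so the calling script reads $_SESSION, never the handler's local $record), and the escaping concern in the third post (the session id is validated against the character set PHP itself generates and then passed to the database only as a bound parameter). It assumes PHP 8.1 or later, a table sessions(id VARCHAR(256) PRIMARY KEY, data BLOB, modified INT), and placeholder PDO credentials; the class name DbSessionHandler and the table layout are my choices, not anything from the thread.

```php
<?php
// Added example for this thread (not the original poster's code). Assumes PHP 8.1+,
// a table  sessions(id VARCHAR(256) PRIMARY KEY, data BLOB, modified INT)  and the
// placeholder PDO credentials near the bottom.

class DbSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $db) {}

    // PHP only generates ids from [0-9a-zA-Z,-], 22..256 chars
    // (session.sid_length / session.sid_bits_per_character). Anything else came
    // from an edited cookie, so refuse it before it reaches SQL at all.
    private static function isValidId(string $id): bool
    {
        return preg_match('/^[0-9a-zA-Z,-]{22,256}$/', $id) === 1;
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // session_start() calls read() once and unserializes its return value into
    // $_SESSION; nothing else inside the handler is visible to the calling script.
    public function read(string $id): string|false
    {
        if (!self::isValidId($id)) {
            return '';                       // treat as "no such session"
        }
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = :id');
        $stmt->execute([':id' => $id]);      // bound parameter, never interpolated
        $data = $stmt->fetchColumn();
        return $data === false ? '' : (string) $data;
    }

    public function write(string $id, string $data): bool
    {
        if (!self::isValidId($id)) {
            return false;
        }
        $stmt = $this->db->prepare(
            'REPLACE INTO sessions (id, data, modified) VALUES (:id, :data, :t)'
        );
        return $stmt->execute([':id' => $id, ':data' => $data, ':t' => time()]);
    }

    public function destroy(string $id): bool
    {
        if (!self::isValidId($id)) {
            return false;
        }
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE modified < :cutoff');
        $stmt->execute([':cutoff' => time() - $max_lifetime]);
        return $stmt->rowCount();
    }

    // With session.use_strict_mode=1 PHP asks the handler whether a client-supplied
    // id already exists; unknown ids are replaced, which blocks session fixation.
    public function validateId(string $id): bool
    {
        if (!self::isValidId($id)) {
            return false;
        }
        $stmt = $this->db->prepare('SELECT 1 FROM sessions WHERE id = :id');
        $stmt->execute([':id' => $id]);
        return $stmt->fetchColumn() !== false;
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        $stmt = $this->db->prepare('UPDATE sessions SET modified = :t WHERE id = :id');
        return $stmt->execute([':t' => time(), ':id' => $id]);
    }
}

ini_set('session.use_strict_mode', '1');
$db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass',   // placeholders
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
session_set_save_handler(new DbSessionHandler($db), true);
session_start();

// Bind the session to the browser's user agent, as the first post set out to do.
$fingerprint = md5($_SERVER['HTTP_USER_AGENT'] ?? '');
if (($_SESSION['ua'] ?? null) !== $fingerprint) {
    // New session, or a cookie replayed from a different client: start clean.
    session_unset();
    session_regenerate_id(true);
    $_SESSION['ua'] = $fingerprint;
}
$_SESSION['name'] = 'mysessionname';
echo 'session id: ' . session_id() . ', name: ' . $_SESSION['name'];
```

Two design points: the id check in isValidId is a whitelist on the format PHP produces, so it rejects anything injected through the cookie before any query is built, and prepared statements mean the id is never part of the SQL text even if the check were loosened. The user-agent check is only a weak binding (the header is client-controlled); the real protection against a guessed or planted cookie is use_strict_mode together with validateId, which makes PHP discard any id it did not issue itself.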