$_SESSION difficulties?


However, when I get back to that page, I am echoing the session_id() and the value of $_SESSION["userid"] and only the session id shows up. It had occurred to me that maybe my redirect page needs to have at the top, but if this were true, then the session_id I'm echoing would change each time I end up on the page that is echoing it.

Here is the script:

Tags: php, redirect, login, session

asked Aug 20 '09 at 15:53 by user97410

It should be noted that what you're doing leaves you wide open to a SQL injection attack. That's not how you use mysqli. Bind your parameters instead of using string concatenation. See au.php.net/manual/en/mysqli-stmt.bind-pa.... – cletus Aug 20 '09 at 16:08

Hm, I will read up on that. The thing is, when typing in fields on my forms, onkeyup, a script runs that sanitizes the input, allowing only 0-9a-zA-z _-.@ (depending on what the field is for, but that is the most liberal it gets). So, without ()-+"';:&|$, what can anyone possibly do? – user97410 Aug 20 '09 at 16:16

That script runs on the client. It can be disabled or requests can be spoofed. Client validation is only a convenience. Never rely on client validation. You must always check on the server. – cletus Aug 20 '09 at 16:29

Ah, good point. Okay, I will run the strings through another regex before I send it, then sanitize with mysqli_real_escape_string(), then when reading it I have to sanitize with htmlspecialchars, right? – user97410 Aug 20 '09 at 16:30

I mean, a php regex – user97410 Aug 20 '09 at 16:31

You're doing this:

    while($info = mysqli_fetch_array($sql_res)) { $userid = $_info["id"]; }

Where you should do this:

    while($info = mysqli_fetch_array($sql_res)) { $userid = $info["id"]; }

Oh you made the same typo twice in your code by the way, so make sure you change it at both points! – Ropstah Aug 20 '09 at 16:03

aren't both those loops identical? – Matthew Rapati Aug 20 '09 at 16:04

No, please note the change from $_info['id'] to $info['id'] – Ropstah Aug 20 '09 at 16:05

My answer as far as debugging would eventually find this - but yeah, the session value is being set wrong, so the session value is echo'ing wrong. – McAden Aug 20 '09 at 16:05

Ha, I know there's two the same :) They are identical, but one works if the user has entered their username and password, and the second if they've only entered their email address and password. I could have worked that into one condition and then decided inside which query to make, but that way was just simpler. Thanks, guys! – user97410 Aug 20 '09 at 16:07
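Pulling together the bound-parameter point from the question's comments and the $info fix in this answer, here is an added example (not the asker's script) of the login lookup done with a mysqli prepared statement and the check moved to the server; the users table and its columns, the page names and the connection details are assumptions:

```php
<?php
// Added example, not the asker's script. Assumed schema: users(id, username,
// email, password_hash); assumed pages login.php / account.php.
session_start();

// Server-side validation replaces the onkeyup filter, which the client can
// simply disable. This regex runs here, on the server.
function valid_login(string $login): bool
{
    return $login !== '' && strlen($login) <= 254
        && preg_match('/^[0-9A-Za-z_.@-]+$/', $login) === 1;
}

// Returns the user's id, or null if the credentials do not match.
// The login value is bound as a parameter: quotes, semicolons or comment
// markers in it are data, never SQL, so no escaping is needed here.
function find_user_id(mysqli $db, string $login, string $password): ?int
{
    if (!valid_login($login) || $password === '') {
        return null;
    }
    // One query covers both forms (username+password and email+password).
    $stmt = $db->prepare(
        'SELECT id, password_hash FROM users WHERE username = ? OR email = ? LIMIT 1'
    );
    $stmt->bind_param('ss', $login, $login);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();     // values land in $id/$hash, no $info/$_info slip
    $stmt->close();
    if (!$found || !password_verify($password, $hash)) {
        return null;
    }
    return (int) $id;
}

$db = new mysqli('localhost', 'app', 'secret', 'app');   // assumed credentials
$userid = find_user_id($db, $_POST['login'] ?? '', $_POST['password'] ?? '');
if ($userid === null) {
    header('Location: login.php?error=1');
    exit;
}
session_regenerate_id(true);     // fresh session id once authenticated
$_SESSION['userid'] = $userid;   // written out automatically at script end
// Redirect to a fixed page rather than HTTP_REFERER, which the browser may
// omit and which the client controls. On the target page, escape anything
// echoed back with htmlspecialchars().
header('Location: account.php');
exit;
```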

You need to call session_write_close() to store the session data changes. Side answer: you can use the $_SERVER["HTTP_REFERER"] to redirect back, if it was filled by the browser.

Thanks, I'll look into the referer thing. I may as well ask, though, what you mean 'if it was filled by the browser'? – user97410 Aug 20 '09 at 16:05

session_write_close() should be called for you – Tom Haigh Aug 20 '09 at 16:10

In some (most?) browsers you can tell the browser not to send a referer header. For example in firefox set network.http.sendRefererHeader value to 0 to disable sending referrers. – Zed Aug 20 '09 at 16:13

Ah, I see. So, I would just use header("Location: " . $_SERVER["HTTP_REFERER"] . "");? – user97410 Aug 20 '09 at 16:18

    <?php session_start(); ?>

is at the top of each page. Additionally, you can test by commenting out your redirects and echo'ing the value you're setting with to make sure you're retrieving/storing the correct value to begin with.
