
PHP newbie...sessions vs. other variables.

Status
Not open for further replies.

Kendo

Programmer
Jun 23, 2000
28
GB
I'm primarily a ColdFusion programmer, and I'm a bit confused about how session variables (how indeed all variables) are scoped in PHP.

For example (I'm new - be gentle!), I'm registering a session variable called UserID. I want to check if that variable has content, and if it does, to print it to the screen. To do this I'm using isSet and check to see if the string is empty (!='').

But if I simply pass in a URL variable called userID it still prints that variable to the screen. So how do I get PHP to know what kind of variable it is that's being sent? Are there ways of defining scope in PHP?

Thanks in advance and sorry for being a nuisance. :)
 
Kendo, the first place that I would point you to is the session page of the PHP manual. There you will find all of the functions associated with working with sessions, user provided information, and leads to other areas.

The next place would be PHPBuilder, for some great articles, how-to's, and the forums.

Session variables are registered using the session_start() and session_register() functions. If I wanted to set a session variable named mystring to a value of “testing for a string” the top of my page would be

<?php
session_start();
session_register("mystring");         // registers the global $mystring with the session
$mystring = "testing for a string";   // the session value is the plain global variable itself
?>

As you can see, the session variable is referenced just like any other variable. Therefore, you are not able to distinguish between a local variable named mystring and a session variable named mystring; they will be one and the same.

I hope that this helps. If you need any additional information just let me know.
 
Firstly, thank you for your quick response. The information you've given me is pretty much what I've already read, but I'll try to work with what you've given me within an example. Hopefully that'll get my problem across.

In your example, later down the page I want to test for $mystring, and if it exists and has a value to echo it to the screen:

if (isset($mystring) && $mystring != '') {
    echo $mystring;
}

However, say I also have a url variable called mystring, ie. index.php?mystring=override

Which takes precedent?

My problem is with a login script, where I'm setting a session variable called 'userID' (along with 'securitylevel'). Around the site, I'll be using these session variables to check that the person has correct access rights. However, if all the user needs to do is 'spoof' the securitylevel session variable by having it in the query string (url), then this is not going to be secure.

Sorry if this was long winded! And thanks again for your reply, Jim.
 
Whichever made the last assignment would be the value. In most cases this would be the url value because that value is typically checked later in the page.

The scenario you describe is most definitely not advisable. Is this for an Intranet or public accessed web site? I typically handle such a thing by using a database table called sessions in which I store the session information for each user. In the URL I simply pass the sessionid, which is the primary key for the record in the sessions table. At the beginning of each page I call an include file that queries the session table for the supplied sessionid.

This way no “relevant” information is available from the url and I can track where the user visits, for how long, what links they follow, etc. to get statistics for improving my site, the navigation, or product areas to expand.

I hope that my rambling helps and was of at least some use to you.
 
Ah...suddenly it all becomes clear. Right...I suppose I was hoping to avoid making an extra database hit on each page, but I suppose it won't really make a noticeable difference. It adds another layer of security too, to not only check that $sessionID exists and has a value, but also to check that it's in the 'sessions' table too. Good, good.

I was planning to use this code for a forum, by the way, so in that case it is very, very public. :)

In your post you say that you pass sessionID as a URL variable... is that because of the possibility that some people might not be using cookies? Otherwise, if I'm thinking of it correctly, there's no actual need to pass it in the URL, right?

PS. I'm curious as to how you go about pruning the 'sessions' table? My solution would be to add a lastAccessed field to the 'sessions' table and update that every time a user hits any page, and at the same time purge any that are over, say, 30 mins old.

PPS. Thanks for clueing me up!
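The sessions table Jim describes, combined with the lastAccessed column and 30-minute purge Kendo proposes, as an added example that is not part of either post. It assumes PHP 7 or later (for random_bytes) and a PDO connection; the table and column names (sessions, sessionid, userID, securitylevel, lastAccessed), the function names, and the in-memory SQLite database standing in for the real one are all this example's own assumptions.

```php
<?php
// Added example, not code from the thread. Server-side session records in a
// "sessions" table: the browser only ever holds the random sessionid, and the
// user's level is read from the table, never from the request.
// Schema (assumed): sessions(sessionid TEXT PRIMARY KEY, userID INTEGER,
//                            securitylevel INTEGER, lastAccessed TEXT)

define('SESSION_TIMEOUT_SECONDS', 30 * 60);   // Kendo's 30-minute idle limit

// On successful login: insert a row and hand back the new id. The id is 32 random
// bytes (64 hex chars) so it cannot be guessed, and it carries no user data.
function create_session(PDO $db, $userID, $securitylevel)
{
    $sessionid = bin2hex(random_bytes(32));
    $stmt = $db->prepare(
        'INSERT INTO sessions (sessionid, userID, securitylevel, lastAccessed)
         VALUES (:sid, :uid, :level, :now)'
    );
    $stmt->execute(array(
        ':sid'   => $sessionid,
        ':uid'   => $userID,
        ':level' => $securitylevel,
        ':now'   => date('Y-m-d H:i:s'),
    ));
    return $sessionid;
}

// The include file called at the top of every page. Returns the session row, or
// null when the id is malformed, unknown, or idle past the timeout. Stale rows
// are purged on the way, so the table prunes itself with every page hit.
function load_session(PDO $db, $sessionid)
{
    // The cutoff is computed in PHP and bound as a string, so the same SQL works
    // on SQLite and MySQL and nothing from the request is interpolated.
    $cutoff = date('Y-m-d H:i:s', time() - SESSION_TIMEOUT_SECONDS);
    $db->prepare('DELETE FROM sessions WHERE lastAccessed < :cutoff')
       ->execute(array(':cutoff' => $cutoff));

    // Reject anything that is not a well-formed id before querying.
    if (!is_string($sessionid) || !preg_match('/^[0-9a-f]{64}$/', $sessionid)) {
        return null;
    }

    $stmt = $db->prepare('SELECT userID, securitylevel FROM sessions WHERE sessionid = :sid');
    $stmt->execute(array(':sid' => $sessionid));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;   // unknown or already purged: treat as not logged in
    }

    // Touch lastAccessed so an active visitor is not purged mid-visit.
    $db->prepare('UPDATE sessions SET lastAccessed = :now WHERE sessionid = :sid')
       ->execute(array(':now' => date('Y-m-d H:i:s'), ':sid' => $sessionid));
    return $row;
}

// Demonstration with an in-memory SQLite database standing in for the real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (sessionid TEXT PRIMARY KEY, userID INTEGER,
           securitylevel INTEGER, lastAccessed TEXT)');

// Constructed login: user 42 at level 1.
$sid = create_session($db, 42, 1);

// On a real page the id would come from the cookie, or the URL for visitors
// without cookies as Jim does; here the freshly created id is used directly.
var_dump(load_session($db, $sid));               // the stored row
var_dump(load_session($db, 'not-a-real-id'));    // rejected before the query
var_dump(load_session($db, str_repeat('0', 64)));// well-formed but unknown
```

The three lookups show the full decision path: a valid id returns the user's row and refreshes lastAccessed, a malformed id is rejected without touching the table, and a well-formed but unknown id gets the same null as an expired one, so a visitor can never raise their own level by editing what they send.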
 
WAIT!

Sorry to jump in, but there is a very important fact being missed here. JimEkleberry, please read the following links before talking about PHP variable scope:


There is a direct answer to Kendo's original question. Yes, you can distinguish between variables set by the session, and variables passed on the URL. In fact you can distinguish the scoping of any PHP environment variables if you want. If you do things right, your session variables CANNOT be spoofed.

Most PHP users run PHP in its default configuration to automatically make all HTTP environment variables global (register_globals = On in php.ini). This provides for easy (lazy) programming, but can also cause security vulnerabilities, and it can make a large application harder to debug.

Even if you don't change this setting, though, you can still know where a certain variable comes from:

<?php
session_start();   // needed before $HTTP_SESSION_VARS is populated

if (isset($HTTP_GET_VARS["var_name"])) {
    // This checks to see if $var_name was set on the URL
}

if (isset($HTTP_POST_VARS["var_name"])) {
    // checks to see if $var_name is a POST value
}

if (isset($HTTP_SESSION_VARS["var_name"])) {
    // aha! is this a session variable?
}

if (isset($HTTP_COOKIE_VARS["var_name"])) {
    // or is it just a cookie?
}

var_dump($HTTP_SESSION_VARS);
// output all current session variables, etc...
?>

And again, JimEkleberry -- on your second post-- PHP sessions were devised to solve just that problem, without requiring a database hit for every visit to a web page.

Session variables are never passed on the URL, just the session key. PHP stores the actual variables in server-side temp files according to the key name. The PHP session id ($PHPSESSID, usually), is either stored as a cookie, or passed on the URL. (but not the variable values themselves).

Thus, as long as you explicitly check for your session variables in the $HTTP_SESSION_VARS array, you will be safe.

NOTE: in PHP 4.1 and up, these arrays can now be referenced in a "shorthand" notation, such as $_SESSION["var_name"], or $_GET["var_name"].

And, just for fun, set some session vars and then visit a PHP page with the following code:

<?php
phpinfo();
?>

It will show you all kinds of information about your environment. While browsing this page, add some variables to the URL query string, and you will see them echoed below also.

-------------------------------------------
"Calculus is just the meaningless manipulation of higher symbols" -unknown F student
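Kendo's securitylevel check written both ways, as an added example that is not code from any post in this thread. The register_globals effect is reproduced with extract() so the script behaves the same whatever php.ini says; the session contents, the query string, and the function names (globals_style_check, session_only_check, variable_origins) are this example's own constructions, and "level 2 means moderator" is an assumption made for the demonstration.

```php
<?php
// Added example, not code from the thread. Shows why a check on a plain
// $securitylevel can be overridden from the URL while $_SESSION cannot.
session_start();

// Stand-in for the login script: an ordinary user at level 1 (constructed).
if (!isset($_SESSION['userID'])) {
    $_SESSION['userID']        = 42;
    $_SESSION['securitylevel'] = 1;
}

// Form 1: the register_globals situation Kendo worries about. Session and GET
// values land in the same plain variable names and the last assignment wins,
// exactly as Jim says, so ?securitylevel=2 on the URL replaces the real level.
// extract() reproduces that effect without changing php.ini.
function globals_style_check(array $get, array $session)
{
    extract($session);   // $securitylevel arrives from the session...
    extract($get);       // ...and is then overwritten by the URL, if present
    return isset($securitylevel) && (int) $securitylevel >= 2;
}

// Form 2: rycamor's advice. Read the level only from the session array. The
// client cannot write to $_SESSION (only the session id travels in the cookie
// or URL), so nothing in the request can change this answer.
function session_only_check(array $session)
{
    return isset($session['securitylevel']) && (int) $session['securitylevel'] >= 2;
}

// rycamor's four isset() checks folded into one helper: which request arrays
// carry a variable of this name? Useful when debugging where a value came from.
function variable_origins($name)
{
    $origins = array();
    if (isset($_GET[$name]))     { $origins[] = 'GET'; }
    if (isset($_POST[$name]))    { $origins[] = 'POST'; }
    if (isset($_COOKIE[$name]))  { $origins[] = 'COOKIE'; }
    if (isset($_SESSION[$name])) { $origins[] = 'SESSION'; }
    return $origins;
}

// A request carrying ?securitylevel=2, constructed as $_GET would hold it.
$spoofed_get = array('securitylevel' => '2');

var_dump(globals_style_check($spoofed_get, $_SESSION));  // URL value wins
var_dump(session_only_check($_SESSION));                  // session value wins
var_dump(variable_origins('securitylevel'));
```

Run from the command line, the first dump is true because the URL value replaced the session value inside globals_style_check, while the second is false because session_only_check never looked at anything the client sent; the third lists only SESSION, since no GET, POST or cookie value of that name exists in this run. Cast the level to int as shown, so a non-numeric string in the session never compares as a high level by accident.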
 
rycamor, Thank you very much for the informative post.

Unfortunately I still need the db table to track my visitor's actions, but the information you provided will most definitely help kendo.
 