why isn't conditional statement working??

[waydown]

Hi,
I asked a question about Tokens earlier. After debugging I've found the reason as to why my program isn't working. It's related to this statement:

if($token == $_SESSION['token'])
     { ........; 
       return true;
     }

$token is generated in form using md5(uniqid()). When I echo both $token and $_SESSION['token'] before the if statement they both turn out to be the same. Yet for some reason the if statement is not being satisfied and is not returning true as it's supposed to do. (I've tried $token === $_SESSION['token'] as well.) I don't know if some kind of type casting or other is required for the conditional statement to work. Would be grateful for any suggestions.

 

[feherke]

Hi

A leading/tailing newline somewhere ? See whether [tt]trim[teal]([/teal][navy]$token[/navy][teal])[/teal] [teal]==[/teal] trim[teal]([/teal][navy]$_SESSION[/navy][teal][[/teal][green]'token'[/green][teal]])[/teal][/tt] works.

Feherke.
feherke.ga

 

[ChrisHirst]

For reference thread434-1739740

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

 

[waydown]

Hello,
Many thanks for the reply. I've used trim() but it's not solving the problem. I used var_dump() on both values and the following is obtained:

string 'be33cfc1f0eed02e8176d7281975b05e' (length=41)

string 'be33cfc1f0eed02e8176d7281975b05e' (length=32)

If there are any extra white-space/non-printing characters I don't know how to locate and remove them. Could you please suggest a solution.

 

[jpadie]

so one of them (the first) contains a bunch of non-printing characters. we know this because it is 41 chars long and only 32 are printed.

you have not told us which nor how they are stored nor how they are submitted. so it is difficult to tell you why (charset clashes perhaps). i would want to see the whole code you use for generating and validating and a dump of the server vars and post vars at each point.

 

[waydown]

Hello,
I have included the following code that is relevant to the problem described above:

<?php

    class Token
    {  public static function generate()
       {  return Session::put('token'), md5(uniqid()));
       }

       public static function check($token)
       { $tokenName = 'token';

         if(Session::exists($tokenName) && $token ===
Session::get($tokenName))
         { Session::delete($tokenName);  
           return true;
         }
         return false;
       }
    }
///////////////////////////////////////////////////////////////
      class Session
      {
         public static function exists($name)
         { return (isset($_SESSION[$name])) ? true : false;
         }

         public static function put($name, $value)
         { return $_SESSION[$name] = $value;
         }

         public static function get($name)
         { return $_SESSION[$name];
         }

         public static function delete($name)
         { if(self::exists($name))
           { unset($_SESSION[$name]);
           }
         }
///////////////////////////////////////////////////////////////
    class Input
    {  
       public static function get($item)
       { if(isset($_POST[$item]))
         { return $_POST[$item];
         }
         return '';
       }
    }
//////////////////////////////////////////////////////////////

   if(isset($_POST['username']) && isset($_POST['password']))
   { if(Token::check(Input::get('token')))
     { $validate = new Validate();

       $validation = ................;

       if($validation->passed())
       { $user = new User();

         $login = $user->login(Input::get('username'),
Input::get('password'));

         if($login)
         { echo 'Success';
           Redirect::to('index.php');
         }
         else
         { echo 'Sorry, login failed!';
         }
       }     //validation passed
       else
       { foreach($validation->errors() as $error)
         { echo $error, '<br>';
         }
         echo "<script> setTimeout(\"location.href =
'index.php';\",30000); </script>";
       }
     }
   }
?>

<form action="" method="POST">
<P>
  <label for="username">Username</label>
  <input type="text" name="username" id="username"

autocomplete="off">
</P>
<P>
  <label for="password">Password</label>
  <input type="password" name="password" id="password"

autocomplete="off">
</P>
<P>
  <input type="hidden" name="token" value="<?php echo

Token::generate(); ?>">
  <input type="submit" value="LOG IN">
</P>
</form>

This is what 'view source' in the browser of the var_dump() output shows:

<pre class='xdebug-var-dump' dir='ltr'><small>string</small> <font color='#cc0000'>'e62862d9f9ce6cd41fc7873c53683108'</font> <i>(length=41)</i>
</pre><br><pre class='xdebug-var-dump' dir='ltr'><small>string</small> <font color='#cc0000'>'e62862d9f9ce6cd41fc7873c53683108'</font> <i>(length=32)</i>
</pre><br>
<form action="" method="POST">
<P>
<label for="username">Username</label>
<input type="text" name="username" id="username" autocomplete="off">
</P>
<P>
<label for="password">Password</label>
<input type="password" name="password" id="password" autocomplete="off">
</P>
<P>
<input type="hidden" name="token" value="695d40eec4673a3b8a36493c67cdfbd4">
<input type="submit" value="LOG IN">
</P>
</form>

 

[ChrisHirst]

What version of PHP is your server running??



Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

 

[waydown]

Hi, It's PHP Version 5.5.12

 

[jpadie]

i cannot see the code that is creating the output of the token in your debug bit at the top.

where is that charset set for the form? and for the html file? is there congruency?

 

[waydown]

Hi,
I tried using accept-charset="utf-8" in:
<form action="" method="POST" accept-charset="utf-8">
It did not make any difference.

i cannot see the code that is creating the output of the token

Is this the bit you're referring to:

       public static function check($token)
       { $tokenName = 'token';

echo var_dump($token)."<br>";
echo var_dump($testing)."<br>";

         if(Session::exists($tokenName) && $token ===
Session::get($tokenName))
         { Session::delete($tokenName);  
           return true;
         }
         return false;
       }

 

[waydown]

Sorry, I don't know how to edit thread here, but above in check()
$testing = Session::get($tokenName);

 

[jpadie]

is the page in utf-8 aswell?
there is an error in your token::generate() method (there is an extra close-bracket in there that is probably throwing some errors. I find it difficult to believe that the code was generating anything meaningful in fact. thus there is a doubt that you were posting the precise rendered html in each case.

public static function generate(){  
    return Session::put(  'token', 
                          md5(uniqid())
                       );
}

 

[waydown]

Hello,
Many thanks for the reply. I managed to output bytes in the two strings and this is the output I'm getting for '$token':

ef bb bf ef bb bf ef bb bf 39 31 64 32 61 66 63 31 63 61 38 63 39 32 39 66 62 63 63 35 35 61 36 38 37 31 65 36 37 33 65 61

and for '$testing':

39 31 64 32 61 66 63 31 63 61 38 63 39 32 39 66 62 63 63 35 35 61 36 38 37 31 65 36 37 33 65 61

I can see where the extra bytes are but how do I remove the extra bytes in the longer string permanently?

 

[ChrisHirst]

ef bb bf are the sequence of bytes that make up the Byte Order Mark (BOM) of UTF-8 character-set documents.





Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

 

[jpadie]

again: make sure that every aspect of your site uses the same character set.

 

[Nilgni]

Is it possible that you didn't put session_start() and it is not seeing the session variable correctly?