Session problem

#1 sylvain

Posted 29 March 2012 - 10:05 AM

Hello all!

I'm using the session to store some search parameters.
It's OK on subpages, but when I try to print the session vars, there's something strange:

__PHP_Incomplete_Class Object
(
	[__PHP_Incomplete_Class_Name] => WireInputData
	[stripSlashes:protected] => 0
	[data:protected] => Array
		(
			[cmbtype] => voiture
			[cmblargeur] => 7
			[cmbhauteur] => 0
			[cmbdiametre] => 10
			[cmbcharge] => 0
			[cmbvitesse] => 5
			[cmbmanufacturer] =>
			[price] =>
		)
)

and on the other pages, everything seems to be correct:

WireInputData Object
(
	[stripSlashes:protected] => 0
	[data:protected] => Array
		(
			[cmbtype] => voiture
			[cmblargeur] => 7
			[cmbhauteur] => 0
			[cmbdiametre] => 10
			[cmbcharge] => 0
			[cmbvitesse] => 5
			[cmbmanufacturer] =>
			[price] =>
		)
)

Do you have an idea?

For information, I do not store a single value, but an array.

Thank you!

#2 ryan

Posted 29 March 2012 - 11:22 AM

Welcome to the forums Sylvain! It looks to me like you are storing the entire $input->post or $input->get as a session variable (though let me know if I'm wrong?).

// avoid doing this
$session->something = $input->post; 


Instead, you just want to store specific variables from post/get after validating/sanitizing them. For instance, here's how you might store a variable called num_people, submitted via POST in a session:

$session->num_people = (int) $input->post->num_people;

Then at any other request during that session, you should be able to retrieve the value like this:

echo "Number of people: " . $session->num_people;
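
The approach Ryan describes above, carried through for the search form shown in the first post, as an added example (not ProcessWire's own code): only the expected field names are copied, each one is validated against a rule for that field, and the resulting flat, typed array is what gets stored in the session. The field names come from the print_r() output in the thread; the ranges, the allowed cmbtype values and the input array are assumptions constructed for illustration. In ProcessWire you would pass the result to $session->set() instead of the whole $input->post object.

```php
<?php
// Added example, not ProcessWire's own code: whitelist and type the search
// fields before they go into the session. Rules and sample input are assumed.

declare(strict_types=1);

/**
 * One rule per accepted field: 'int' with an inclusive [min, max] range,
 * 'enum' with the allowed values, or 'text' with a maximum byte length.
 * Anything not listed here never reaches the session.
 */
const SEARCH_FIELD_RULES = [
    'cmbtype'         => ['type' => 'enum', 'values' => ['voiture', 'camion', 'moto']],
    'cmblargeur'      => ['type' => 'int',  'min' => 0, 'max' => 50],
    'cmbhauteur'      => ['type' => 'int',  'min' => 0, 'max' => 50],
    'cmbdiametre'     => ['type' => 'int',  'min' => 0, 'max' => 50],
    'cmbcharge'       => ['type' => 'int',  'min' => 0, 'max' => 50],
    'cmbvitesse'      => ['type' => 'int',  'min' => 0, 'max' => 50],
    'cmbmanufacturer' => ['type' => 'text', 'maxlen' => 64],
    'price'           => ['type' => 'int',  'min' => 0, 'max' => 100000],
];

/**
 * Return a new array containing only the whitelisted keys, each coerced to
 * its declared type. Unknown keys, nested arrays, empty fields and values
 * that fail their rule are dropped, so an absent key means "no filter".
 */
function sanitizeSearchParams(array $submitted, array $rules): array
{
    $clean = [];
    foreach ($rules as $key => $rule) {
        if (!array_key_exists($key, $submitted) || !is_scalar($submitted[$key])) {
            continue; // missing, or an array/object where a form field was expected
        }
        $raw   = (string) $submitted[$key];
        $value = null;

        if ($rule['type'] === 'int') {
            // FILTER_VALIDATE_INT rejects "12abc", "12.5" and "" outright,
            // where a bare (int) cast would silently turn them into numbers.
            $int = filter_var($raw, FILTER_VALIDATE_INT, [
                'options' => ['min_range' => $rule['min'], 'max_range' => $rule['max']],
            ]);
            if ($int !== false) {
                $value = $int;
            }
        } elseif ($rule['type'] === 'enum') {
            if (in_array($raw, $rule['values'], true)) {
                $value = $raw;
            }
        } elseif ($rule['type'] === 'text') {
            // Letters, digits, space and a few punctuation marks only; the
            // character class is an assumption suited to manufacturer names.
            $text = trim($raw);
            if ($text !== '' && strlen($text) <= $rule['maxlen']
                && preg_match("/^[\\p{L}\\p{N} .'\\-]+$/u", $text)) {
                $value = $text;
            }
        }

        if ($value !== null) {
            $clean[$key] = $value;
        }
    }
    return $clean;
}

// Constructed sample input shaped like the thread's print_r() output, plus a
// few hostile extras: an unknown key, a nested array, an out-of-range price
// and a manufacturer carrying markup.
$submitted = [
    'cmbtype'         => 'voiture',
    'cmblargeur'      => '7',
    'cmbhauteur'      => '0',
    'cmbdiametre'     => '10',
    'cmbcharge'       => '0',
    'cmbvitesse'      => '5',
    'cmbmanufacturer' => 'Renault<script>alert(1)</script>',
    'price'           => '99999999999',
    'not_a_field'     => 'ignored',
    'extra'           => ['nested' => str_repeat('A', 10000)],
];

$clean = sanitizeSearchParams($submitted, SEARCH_FIELD_RULES);
print_r($clean);
// In ProcessWire: $session->set('engine1datas', $clean);
```

Running this keeps the six numeric fields as PHP integers and cmbtype as "voiture", and drops everything else: the manufacturer fails the character-class check, the price is above its maximum, and the two extra keys are not in the rule table. Because the stored array is built from the rule table rather than from the submission, the shape of what comes back out of the session is known in advance, which is what makes it safe to use without re-validating.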


#3 sylvain

Posted 29 March 2012 - 11:35 AM

Hello Ryan, yes, that's exactly it!

I want to store an array because I have several search engines on my home page. It's easy to retrieve the (sanitized) data from an engine by storing an array in the session:
$session->engine1datas, $session->engine2datas, $session->engine3datas, where engine1datas, engine2datas, engine3datas are arrays.

For example, I'm doing it like this: $session->set("engine1datas",$input->post);

But it only fails when I try to read the session on the home page; that's strange...

#4 ryan

Posted 29 March 2012 - 12:12 PM

That doesn't work because $input->post is an object, not an array. If you wanted to get a PHP array, you'd call $input->post->getArray(); instead.

However, I would be very careful about blindly storing everything from GET/POST into a $session. Keep in mind that data in a session is stored on your server, not on the client side like a cookie. You want to know exactly what you are storing in $session and make sure that it's clean. Storing everything from POST into $session would be a security hole in any application. How the hole could be exploited would come down to what you are doing with the stored data... you would certainly have to treat it as tainted data any time you retrieved it, which is different from how we usually think of session data. Another way it could be exploited is by someone repeatedly submitting huge POSTs and filling up your hard drive with session data, or DDoSing with giant posted arrays. So if you go the route of storing unknown POST data, you can't really validate it. But I would at least sanitize it by limiting the quantity of elements you store, limiting the length (bytes) and depth of those elements, making all the array elements strings, and running them through htmlentities() before storing them in the session.
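
If the array really must be stored without knowing its keys in advance, the bounding Ryan lists above (cap the number of elements, cap the byte length and nesting depth, force every leaf to a string, HTML-encode it) looks like the following. This is an added example written for this thread, not ProcessWire code; the limits, the key character set and the hostile sample input are assumptions. It takes a plain PHP array, which is what $input->post->getArray() returns, as mentioned in the same post.

```php
<?php
// Added example, not ProcessWire's own code: bound an untrusted array before
// it is stored in the session. All limits below are assumed values.

declare(strict_types=1);

const MAX_ELEMENTS  = 50;   // total leaves kept, across all nesting levels
const MAX_DEPTH     = 2;    // 1 = flat array; arrays nested deeper are discarded
const MAX_BYTES     = 256;  // per leaf value, measured before encoding
const MAX_KEY_BYTES = 64;   // per key

/**
 * Walk $input and build a bounded copy. $count is shared by reference across
 * the recursion so the cap applies to the total element count, not to each
 * level separately. $dropped counts discarded entries so the caller can log
 * or reject submissions that hit the limits.
 */
function boundUntrustedArray(array $input, int $depth, int &$count, int &$dropped): array
{
    $out = [];
    foreach ($input as $key => $value) {
        if ($count >= MAX_ELEMENTS) {
            $dropped++;
            continue;
        }
        // Keys are attacker-controlled too: restrict them to a safe alphabet.
        $key = (string) $key;
        if (strlen($key) > MAX_KEY_BYTES || !preg_match('/^[A-Za-z0-9_\-]+$/', $key)) {
            $dropped++;
            continue;
        }
        if (is_array($value)) {
            if ($depth >= MAX_DEPTH) {
                $dropped++;           // too deep: discard the whole subtree
                continue;
            }
            $out[$key] = boundUntrustedArray($value, $depth + 1, $count, $dropped);
            continue;
        }
        if (!is_scalar($value)) {     // null or an object: nothing sensible to keep
            $dropped++;
            continue;
        }
        $str = (string) $value;       // every leaf becomes a string
        if (strlen($str) > MAX_BYTES) {
            $dropped++;
            continue;
        }
        // ENT_SUBSTITUTE turns invalid UTF-8 into U+FFFD instead of making
        // htmlentities() return an empty string for the whole value.
        $out[$key] = htmlentities($str, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
        $count++;
    }
    return $out;
}

/** Entry point: bound the array and log when anything had to be dropped. */
function sanitizeForSession(array $post): array
{
    $count   = 0;
    $dropped = 0;
    $bounded = boundUntrustedArray($post, 1, $count, $dropped);
    if ($dropped > 0) {
        error_log("session sanitizer: dropped $dropped entries from submitted data");
    }
    return $bounded;
}

// Constructed hostile sample: markup in a value, a 1 MiB value, nesting three
// levels deep, a key with punctuation, and a 500-element array to hit the cap.
$post = [
    'cmbtype'    => 'voiture<script>alert(1)</script>',
    'cmblargeur' => '7',
    'filters'    => ['color' => 'red', 'deep' => ['deeper' => ['deepest' => 'x']]],
    'big'        => str_repeat('A', 1024 * 1024),
    'weird key;' => 'y',
    'bulk'       => array_fill(0, 500, 'z'),
];

print_r(sanitizeForSession($post));
// In ProcessWire: $session->set('engine1datas', sanitizeForSession($input->post->getArray()));
```

With these limits the script keeps cmbtype (encoded, so the script tag is inert when echoed), cmblargeur, filters.color and the first 47 entries of bulk, and drops the rest: the oversized value, the level-three subtree, the malformed key and the remaining bulk entries. Two caveats belong with it. First, the "giant POST" part of the problem is better cut off before PHP ever builds the array, with post_max_size and max_input_vars in php.ini; this function only limits what gets persisted. Second, as the post above says, the stored data is still tainted: nothing here knows what cmblargeur is supposed to be, so the page that later reads it must still validate it for its own use.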

#5 sylvain

Posted 30 March 2012 - 12:46 AM

Many thanks Ryan for your answer !
I know exactly how much data is stored, its length and where it can be posted from. But you're right, it's not the most secure way if we don't take care about security holes.

Thank you Ryan, PW is a great tool !