A Flash Developer Resource Site

Results 1 to 16 of 16

Thread: Sessions, PHP, Javascript, ExternalInterface, OH MY!

  1. #1
    Senior Member
    Join Date
    Sep 2000
    Posts
    272

    Sessions, PHP, Javascript, ExternalInterface, OH MY!

    Greetings all,

    I need help getting a php session variable into a javascript function so I can read it via externalinterface in flash.

    here is what I have:

    create my session--
    <?php
    //initiate session
    session_start();
    //check that form has been submitted and that name is not empty
    if ($_POST && !empty($_POST['name'])){
    //set session variable
    $_SESSION['name'] = $_POST['name'];
    header("Location: session03.php");
    }
    ?>

    The above works great for creating the session, just can't read it in flash as far as I know as it is PHP.


    This is javascript that I got from the flash tutorial and would like to modify so it will read the data from the php session above:

    <script>
    function sayHello(name) {
    var myValue=document.location.search.substring(1)
    return myValue;
    }
    </script>

    I know I need to change the var myValue=document..... area at least, but can't quite get it.

    any help will be greatly appreciated.

  2. #2
    FK's Official Mac Hater jasonsplace's Avatar
    Join Date
    Mar 2002
    Location
    Provo, Utah
    Posts
    2,245
    var myValue=<?php echo $variableNameThatYouWant; ?>
    Jason L. Wright
    I'm not that hard to imitate. Just make some random negative claim at Apple or anything else for that matter and then have nothing to back it up.

  3. #3
    Registered User
    Join Date
    Feb 2001
    Posts
    13,041
    Hi,

    why doyou need the session id inside your swf? All messaes sent from the swf to the server are accompanied by the sessionid anyways .... at least if sessions are started by the page embedding the swf

    Musicman

  4. #4
    Senior Member
    Join Date
    Sep 2000
    Posts
    272

    Thanks

    First,
    Thanks jasonsplace, it is greatly appreciated.

    Musicman,

    I understand what you are saying, but I have never used that capability. What I currently have is the info being sent from the swf thru php to mysql. Can I easily attach the session id,(which is the studentid), to the variables I am sending from the swf?

    Any guidance would be greatly appreciated.

  5. #5
    Official FK nice guy and MOD 3PRIMATES's Avatar
    Join Date
    Apr 2002
    Location
    Portland Oregon
    Posts
    1,645
    Hey there, I think wht Musicman is saying is that:

    The session value never needs to leave the php script really.
    You can work all the session values directly in the php script without having to pass it back and forth from the swf, because if the session was set then the php always has access to it.

    So, if you set a session in the php script for the studentId, then that session will remain available in the php script for doing querys and aother operations until you destroy the session or close the browser "windows".

    I say "windows" because a session will sometimes remain intact until all browser windows are closed, not just the one that the script was running in.

    I would for sure not pass any login information back and forth between the script and Flash. What I mean is, dont hold the logged in value in flash and use that to verify that the client is logged in.

    Always check credentials with the script rather than a world viewable document like the swf which can be decompiled and manipulated to output data that you had not entended.

    So instead of passing the studentId back and forth, you can run a function in php to get the data you need by using $_SESSION['studentId'];
    PHP Code:
    function getValuesForId()
    {
    /* 
    NOTE: you never want to just use the session id to determine a logged in
    status. Always check the login credentials prior to doing a query or
    manipulating an data. So, the query below should be wrapped or changed to
    allow for the checking of the post and session logged values.
    */

    if(isset($_SESSION['studentId']) && !empty($_SESSION['studentId']))
    {
    // do a query here and return values for swf
    }
    else
    {
    // do 'no session/not logged in' error here and return values for swf
    }

    Make sense?

    3P
    Last edited by 3PRIMATES; 11-02-2007 at 11:55 PM.

  6. #6
    Registered User
    Join Date
    Feb 2001
    Posts
    13,041
    Hi,

    assuming that the site wants the student to login, and then presents a swf to sign up for courses, you would enter something like $_POST['courseId'] into the database. At this point it is as simple as adding the $_SESSION['studentId'] to the data that are captured.
    3PRIMATES mentioned security. Let me spell it out directly: if the site sends the student name / id from the server to the swf,and the swf sends it back to the server, anybody able to "view source" might be able to send false data, in this example sign up somebody else for a course.
    With sessions, the browser sends some long string of random characters which was previously given to it by the server. This is secure because
    - an attacker cannot guess other session id's (where it is easy to guess other valid student id's)
    - an attacker could only add database records for somebody who is online at about the same time (sessions tend todisappear after 15 minutes of inactivity)

    Musicman

  7. #7
    Senior Member
    Join Date
    Sep 2000
    Posts
    272

    Help me....

    Well,

    I am certainly learning quite a bit here...

    Right,

    As I said previously I am sending data to my database through php from flash.

    PHP Snippet here:

    $insertSQL = "INSERT INTO thecourse_tbl (SCN, Course, Date) VALUES ( '$SCN', '$course', '$date')";

    Actionscript snippet:

    lvSend.SCN = tSCN.text;
    lvSend.Course = tCourse.text;
    lvSend.sendAndLoad("processMe.php", lvReceive, "POST");

    Currently, student inputs their student id into an input field at the beginning of a lesson. This is how I was capturing it. This was fine when we started out, but now there is to be an expansion of lessons delivered as homework online and I know I need to change my setup.

    What I planned on doing was capturing the SCN using externalinterface as in my original post and the answer from jasonsplace. I see now there is another way. How can I modify my existing code to accomplish this, or can I? All things key off the SCN (student id number). If I need to change my actionscript/php habits, now would be the time to do so.

    Any further info will be greatly appreciated.

  8. #8
    Registered User
    Join Date
    Feb 2001
    Posts
    13,041
    Hi,

    it looks like omitting the student id in flash and replacing the $_POST['SCN'] in the php part by $_SESSION['SCN']

    Musicman

  9. #9
    Senior Member
    Join Date
    Sep 2000
    Posts
    272

    Will give it a go

    Musicman,

    Thanks for the info.

    I shall give it a go when I get back to work on 7 Nov.

    Will let you know how it went.

    Thanks!

  10. #10
    Senior Member
    Join Date
    Sep 2000
    Posts
    272

    Hey Musicman....

    Hello Musicman,

    Well I was able to capture sessions and read info back from the database and display it in my flash file, however....I am having a few problems. If you can help, or anyone else here is what I have:

    First, I have a login working and initiating the session, however, if the user only puts in their username it lets them in. I can't seem to get it to require both the username and password, here is my code:

    PHP:

    <?php
    $username = $_POST["username"];
    $password = $_POST["password"];
    $users = mysql_connect("localhost", "root", "");
    if(!$users) //error checking
    {
    echo "<p>Sorry! We could not log you in at this time. Please Try again later!</p>";
    }
    mysql_select_db("users", $users);
    $recieve = sprintf("SELECT * FROM users WHERE username= '$username'")or die(mysql_error());
    mysql_real_escape_string($username);
    $query = mysql_query($recieve);
    session_start();
    if($rows = mysql_num_rows($query))
    {
    //$_SESSION["pwd"] = $password; //store the users password in a sesions var
    $_SESSION["user"] = $_POST["username"]; //store the username in a session var
    header("location: homepage.php");
    }
    else //if not, end incorrect sessions, and go to the index
    {
    @session_destroy();
    header("location: login.php"); //return to login
    }
    ?>

    Now, I can capture the sessions, so I wanted to query the database for info so the user can see what they have completed. I adapted an old file and came up with this:

    PHP CODE:

    the retrieve function is as follows:

    function retrieveData(){
    global $conn;
    //
    //$selectSQL = ("SELECT * FROM users WHERE username='1111111'") or die(mysql_error());
    $selectSQL = "SELECT * FROM users WHERE username= '$_SESSION['user']'" or die(mysql_error();

    $rs = mysql_query($selectSQL,$conn);

    //generate the xml file
    echo "<?xml version=\"1.0\"?>\n";
    echo "<entries>\n";

    while($row = mysql_fetch_assoc($rs)){
    echo "<log>\n";
    echo "<name>".$row['username']."</name>\n";
    echo "<course>".$row['password']."</course>\n";
    echo "<date>".$row['expires']."</date>\n";
    echo "<message>".$row['Message']."</message>\n";
    echo "</log>\n";
    }
    #now lets end the xml file
    echo "</entries>\n";


    #close the mySQL connection
    mysql_close($conn);
    }
    ?>

    As you may notice, I can capture the record I am looking for as long as I hardcode it. If I try to use the session -- $_SESSION['user'] -- I receive nothing. I can see the the session info on the page with the following and it displays the session info properly:

    <?php
    //check session variable is set
    if (isset($_SESSION['user'])){
    //if set, greet by name
    echo 'Hi, '.$_SESSION['user'].'. <a href="somepage.php">Next</a>'; //- I commented this out...
    //header("Location: logout.php")';
    }
    else{
    //if not set, send back to login
    echo 'Who are you? <a href = "login.php">Login</a>';
    }
    ?>

    It is obvious I am missing something, and any help will be appreciated.

    Thanks in advance.

  11. #11
    Official FK nice guy and MOD 3PRIMATES's Avatar
    Join Date
    Apr 2002
    Location
    Portland Oregon
    Posts
    1,645
    Hi there.
    Give this a try:
    I renamed some of the variables to make more sense.

    Use mysql_real_escape_string on all user supplied data before it goes to the query.

    Shortend selection query. No real need to have the extra variables and data.

    extended your first if statement to include an else to wrap the selection query and output.

    PHP Code:
    <?php

    $username 
    mysql_real_escape_string($_POST["username"]);
    $password mysql_real_escape_string($_POST["password"]);

    $dbConn mysql_connect("localhost""root""");
    if(!
    $dbConn//error checking
    {
    echo 
    "<p>Sorry! The database is unavailable at this time!</p>";
    }
    else
    {
    session_start();
    mysql_select_db("users"$dbConn);
    $query mysql_query("SELECT * FROM users WHERE username= '".$username."'AND password='".$password."' LIMIT 1") or die(mysql_error());

    if(
    mysql_num_rows($query) > 0)
    {
    $_SESSION["user"] = $username//store the username in a session var
    header("location: homepage.php");
    }
    else 
    // if not, end incorrect sessions, and go to the index
    {
    @
    session_destroy();
    header("location: login.php"); //return to login
    }
    }
    ?>
    3P

  12. #12
    Senior Member
    Join Date
    Sep 2000
    Posts
    272

    Thanks

    Hey 3PRIMATES;

    I was able to get the login working using your code. I did have to make a few modifications as shown below. Thanks again.

    PHP Code:
    <?php 
    $username 
    $_POST["username"];
    $password $_POST["password"];
    $users mysql_connect("localhost""root"""); 
    if(!
    $users//error checking :D 

    echo 
    "<p>Sorry! The database is unavailable at this time!</p>"

    else 

    session_start(); 
    mysql_select_db("users"$users); 
    //$query = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());  
    $recieve sprintf("SELECT * FROM users WHERE username= '$username' AND password= '$password' LIMIT 1") or die(mysql_error()); 
    $query mysql_query($recieve);
    if(
    mysql_num_rows($query) > 0

    $_SESSION["user"] = $username//store the username in a session var 
    header("location: portal.php"); 

    else 
    // if not, end incorrect sessions, and go to the index 

    @
    session_destroy(); 
    header("location: login.php"); //return to login 


    ?>

  13. #13
    Official FK nice guy and MOD 3PRIMATES's Avatar
    Join Date
    Apr 2002
    Location
    Portland Oregon
    Posts
    1,645
    Hey there, I see that you removed mysql_real_escape_string.
    If you dont use that, you reall need to have some way to remove bad characters from the user input. And better yet is to not allow the characters in the first place. For the user name and password fields limit the characters to a-z | A-Z | 0-9
    If the input contains anything else, throw em back to the login.
    With that, I would also use addslashes. But I myself thing mysql_real_esacpe_string works better.

    If I was to go to your website and login I would be able to take control of your database by using a sql injection attack to append bad data to the login variables.

    Look at this example and tell me what you think would happen if I entered this string in the username and password fields:

    'someUserName' OR 'x'='x'
    'somePassword' OR 'x'='x'

    Heres what the new query would look like in your script:
    PHP Code:
    $recieve sprintf("SELECT * FROM users WHERE username= 'someUsername' OR 'x'='x' AND password= 'somePassword' OR 'x'='x' LIMIT 1") or die(mysql_error()); 

    Well, I just logged in without having a real username or password because I "injected" sql into your query and now have total access to do whatever I want. On most occasions this means adding data, moving tables and even deleting databases.

    Make sense?

    3P
    Last edited by 3PRIMATES; 11-15-2007 at 07:53 PM.

  14. #14
    Registered User
    Join Date
    Feb 2001
    Posts
    13,041
    Hi,

    some info about mysql_real_escape_string:
    Many websites have php configured with magic_quotes on. This means that the apostrophe ' is delivered to your script as \' - just to prevent this kind of attack. This method is safe IF your server's mysql default language is one-byte (ascii, iso-8859-x)
    mysql_real_escape_string can handle the special cases related to multibyte languages (i.e some weird two or 3 byte sequences resulting in an apostrophe) and is probably a must if the server default is an asian language.
    mysql_real_escape_string does not work well with magic_quotes, you should turn them off if you want to use it.

    Musicman

  15. #15
    Senior Member
    Join Date
    Sep 2000
    Posts
    272

    Thank you both!

    Thanks to both of you.

    I had already implemented the restriction on the input fields as mentioned.

    I contacted the IT section which controls the web server and they are making some changes based on the info you both provided me. Just stumbling through this learning as I go.

    You have both been of great assistance and it is much appreciated.

    Cheers!

  16. #16
    Official FK nice guy and MOD 3PRIMATES's Avatar
    Join Date
    Apr 2002
    Location
    Portland Oregon
    Posts
    1,645
    Not a problem, glad to help where I can.
    Make sure the input restrictions are done in PHP and not Javascript.
    Javascript input restrictions are done client side so they are not secure.
    Just thought I would mention it.


    Good Luck,
    3P

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  




Click Here to Expand Forum to Full Width

HTML5 Development Center