Passing parameters & Session Tracking in PHP Prof. Ami Tusharkant Choksi Assistant Professor, Computer Engg. Dept., C.K.Pithawalla College of Engg. & Tech., Surat, Gujarat State, India.

Parameter Passing & Session Tracking in PHP


DESCRIPTION

Parameter passing, File Upload, Session, Cookie, Url Rewriting in PHP


Page 1: Parameter Passing & Session Tracking in PHP

Passing parameters & Session Tracking in PHP

Prof. Ami Tusharkant Choksi, Assistant Professor, Computer Engg. Dept.,

C.K.Pithawalla College of Engg. & Tech., Surat, Gujarat State, India.

Page 2: Parameter Passing & Session Tracking in PHP

What is Parameter Passing & Session Tracking?

-> Passing the values of the text typed in a user form to another HTML page and/or a server-side script is called parameter passing.

-> A session refers to all the connections that a single client might make to a server in the course of viewing any pages associated with a given application.[1]

-> Maintaining the user's state during a session (e.g. login to logout) is called session tracking.

Page 3: Parameter Passing & Session Tracking in PHP

Ways

-> Visible form parameters
-> Hidden form parameters
-> Cookies
-> Session
-> URL Rewriting

Page 4: Parameter Passing & Session Tracking in PHP

Parameter Passing with <Form>

Methods of passing parameters with <form>

-> GET (smaller data, i.e. 1024 bytes)
-> POST (bigger data, as well as file upload)

PHP uses the predefined variables $_GET['varname'] and $_POST['varname'].

Page 5: Parameter Passing & Session Tracking in PHP

Predefined Variables[2]

PHP provides a large number of predefined variables to all scripts. The variables represent everything from external variables to built-in environment variables, last error messages to last retrieved headers.

Superglobals — Superglobals are built-in variables that are always available in all scopes

$GLOBALS — References all variables available in global scope

$_SERVER — Server and execution environment information

$_GET — HTTP GET variables

$_POST — HTTP POST variables

$_FILES — HTTP File Upload variables

Page 6: Parameter Passing & Session Tracking in PHP

List of predefined variables [2]...

$_REQUEST — HTTP Request variables
$_SESSION — Session variables
$_ENV — Environment variables
$_COOKIE — HTTP Cookies
$php_errormsg — The previous error message
$HTTP_RAW_POST_DATA — Raw POST data
$http_response_header — HTTP response headers
$argc — The number of arguments passed to script
$argv — Array of arguments passed to script

Page 7: Parameter Passing & Session Tracking in PHP

The values of Predefined Variables

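Values of predefined variables can be seen with

<?php
// Prints the PHP configuration and the predefined variables of the current request.
// The output reveals server internals, so do not leave this page reachable on a public server.
phpinfo();
?>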

Page 8: Parameter Passing & Session Tracking in PHP

File Upload

• Writing a client's file on the server is called File Upload.

• The following must be added to the HTML code:

<form method="post" enctype="multipart/form-data" action="upload.php">
FileName <input type="file" name="userfile">
<input type="submit" value="Upload">
</form>

• The above code will display a Browse/Choose button on the browser page, with which one can select a file.

Page 9: Parameter Passing & Session Tracking in PHP

File Upload HTML page in Browser

Page 10: Parameter Passing & Session Tracking in PHP

Required Configuration in /etc/php.ini File

;file_uploads must be On

file_uploads = On

; Temporary directory for HTTP uploaded files (will use system default if not specified).

upload_tmp_dir =/tmp

; Maximum allowed size for uploaded files.

upload_max_filesize = 2M

Page 11: Parameter Passing & Session Tracking in PHP

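Retrieval of File at Server

<?php
# /uploads must have o+rwx permission
$uploaddir = "/uploads/";
// The file details arrive in $_FILES under the name of the <input type="file"> field ("userfile").
// basename() drops any directory part from the client-supplied file name.
$uploadfile = $uploaddir . basename($_FILES["userfile"]["name"]);
if (move_uploaded_file($_FILES["userfile"]["tmp_name"], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "Possible file upload attack!\n";
}
?>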
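The handler above stores the file under its client-supplied name. The following is an added example, not part of the original slides, that also checks the upload error code, size and content type and picks the stored name on the server. UPLOAD_DIR, MAX_BYTES, the ALLOWED map and store_upload() are assumptions made for the illustration.

```php
<?php
// Added example: stricter upload handler for the "userfile" field of the form above.
// UPLOAD_DIR, MAX_BYTES and ALLOWED are assumed values, not taken from the slides.
const UPLOAD_DIR = '/var/app-uploads';   // assumed: outside the web root, writable by the PHP user only
const MAX_BYTES  = 2 * 1024 * 1024;      // same limit as upload_max_filesize = 2M
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

/** Validates one entry of $_FILES and returns the server-chosen file name. */
function store_upload(array $file): string
{
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('Malformed upload field');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . $file['error']);
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('File size not allowed');
    }
    // Detect the type from the content; $file['type'] and $file['name'] come from the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('File type not allowed');
    }
    // Server-generated name: the client controls neither the stored path nor the extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('Could not store upload');
    }
    return $name;
}

if (isset($_FILES['userfile'])) {
    try {
        echo 'Stored as ', store_upload($_FILES['userfile']), "\n";
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ', htmlspecialchars($e->getMessage()), "\n";
    }
}
```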

Page 12: Parameter Passing & Session Tracking in PHP

Session Tracking is done with

Because HTTP is a stateless protocol, session tracking must be maintained by the programmer in one of the following ways:

-> Hidden form parameters
-> Cookies
-> Session
-> URL Rewriting

Page 13: Parameter Passing & Session Tracking in PHP

Hidden Parameter Passing

A parameter is passed from one page to another without being visible to the user.

<input type="hidden" name="username" value="amichoksi">

It can be retrieved in PHP with $_GET["username"] or $_POST["username"].

Page 14: Parameter Passing & Session Tracking in PHP

Cookies [2]

Cookies are a mechanism for storing data in the remote browser and thus tracking or identifying return users.

Set Cookie

bool setcookie ( string $name , string $value , int $expire=0 , string $path , string $domain , bool $secure=false , bool $httponly=false )

setcookie("username","ami",time()+300);

Read Cookie

$_COOKIE['name']
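Hidden form fields and cookies are both stored in the browser, so the value that comes back in $_POST or $_COOKIE is whatever the client chose to send. The following is an added example, not part of the original slides, that attaches an HMAC and an expiry to such a value so the server can detect changes. APP_KEY, seal() and unseal() are assumptions made for the illustration, and the array form of setcookie() needs PHP 7.3 or later.

```php
<?php
// Added example: integrity-protect a value that round-trips through the browser.
// APP_KEY is a constructed placeholder; a real key is loaded from server-side configuration.
const APP_KEY = 'constructed-demo-key-change-me';

/** Returns "base64(value).expiry.mac". */
function seal(string $value, int $ttl, ?int $now = null): string
{
    $expiry  = ($now ?? time()) + $ttl;
    $payload = base64_encode($value) . '.' . $expiry;
    return $payload . '.' . hash_hmac('sha256', $payload, APP_KEY);
}

/** Returns the original value, or null if the token was modified or has expired. */
function unseal(string $token, ?int $now = null): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$b64, $expiry, $mac] = $parts;
    $expected = hash_hmac('sha256', $b64 . '.' . $expiry, APP_KEY);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison of the MACs
        return null;
    }
    if (!ctype_digit($expiry) || (int)$expiry < ($now ?? time())) {
        return null;
    }
    $value = base64_decode($b64, true);
    return $value === false ? null : $value;
}

// Constructed demonstration using the "username" field from the slides.
$token = seal('amichoksi', 300);
setcookie('username', $token, ['expires' => time() + 300, 'path' => '/',
    'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
echo '<input type="hidden" name="username" value="', htmlspecialchars($token), '">', "\n";
var_dump(unseal($token));               // untouched token
var_dump(unseal('x' . $token));         // payload modified after sealing
var_dump(unseal($token, time() + 301)); // checked after the 300-second lifetime
```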

Page 15: Parameter Passing & Session Tracking in PHP

Session [2]

A way to preserve certain data across subsequent accesses.

Page 16: Parameter Passing & Session Tracking in PHP

Session Functions [2]

session_cache_expire — Return current cache expire
session_cache_limiter — Get and/or set the current cache limiter
session_commit — Alias of session_write_close
session_decode — Decodes session data from a string
session_destroy — Destroys all data registered to a session
session_encode — Encodes the current session data as a string
session_get_cookie_params — Get the session cookie parameters
session_id — Get and/or set the current session id
session_is_registered — Find out whether a global variable is registered in a session
session_module_name — Get and/or set the current session module
session_name — Get and/or set the current session name
session_regenerate_id — Update the current session id with a newly generated one
session_register — Register one or more global variables with the current session
session_save_path — Get and/or set the current session save path
session_set_cookie_params — Set the session cookie parameters
session_set_save_handler — Sets user-level session storage functions
session_start — Initialize session data
session_unregister — Unregister a global variable from the current session
session_unset — Free all session variables
session_write_close — Write session data and end session

Page 17: Parameter Passing & Session Tracking in PHP

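Examples

• File: Page1.php

<?php
// Cookie parameters take effect only when set before session_start().
// Arguments: lifetime, path, domain, secure, httponly.
session_set_cookie_params(10,"/","sun.com",true, false);
session_start();
echo 'Welcome to page #1';
$_SESSION['favcolor'] = 'green';
$_SESSION['animal'] = 'cat';
$_SESSION['time'] = time();
?>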

Page 18: Parameter Passing & Session Tracking in PHP

Example...

• Filename: Page2.php

<?php
session_start();
echo 'Welcome to page #2<br />';
echo $_SESSION['favcolor']; // green
echo $_SESSION['animal']; // cat
echo date('Y m d H:i:s', $_SESSION['time']);
?>

• session_unset(); // releasing session data

• echo $_SESSION['time']; // no output
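The session lifecycle from login to logout, as an added example that is not part of the original slides. It sets the cookie flags before session_start(), issues a new session id at login and clears the session at logout. check_credentials(), the demo account and the cookie settings are assumptions, and the array forms of session_set_cookie_params() and setcookie() need PHP 7.3 or later.

```php
<?php
// Added example: session handling around login and logout.
// check_credentials() is a hypothetical stub with a constructed demo account.
function start_secure_session(): void
{
    // Cookie parameters must be set before session_start().
    session_set_cookie_params([
        'lifetime' => 0,       // discarded when the browser closes
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');   // refuse session ids the server did not issue
    session_start();
}

function check_credentials(string $user, string $password): bool
{
    // Hypothetical: a real check reads a password_hash() value from storage.
    static $hash = null;
    $hash = $hash ?? password_hash('constructed-demo-password', PASSWORD_DEFAULT);
    return $user === 'ami' && password_verify($password, $hash);
}

function login(string $user, string $password): bool
{
    if (!check_credentials($user, $password)) {
        return false;
    }
    session_regenerate_id(true);   // new id at login, so a pre-login id cannot be reused
    $_SESSION['user'] = $user;
    $_SESSION['time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => $p['path'],
        'domain' => $p['domain'], 'secure' => $p['secure'], 'httponly' => $p['httponly']]);
    session_destroy();
}

start_secure_session();
if (is_string($_POST['username'] ?? null) && is_string($_POST['password'] ?? null)) {
    echo login($_POST['username'], $_POST['password']) ? 'Logged in' : 'Login failed';
}
```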

Page 19: Parameter Passing & Session Tracking in PHP

URL Re-Writing

• The Apache server's mod_rewrite module gives the ability to transparently redirect one URL to another by modifying the URL (i.e. re-writing), without the user's knowledge.

• Used in situations:

– Passing some information to another page

– Redirecting old URLs to new addresses

– Cleaning up the 'dirty' URLs coming from a poor publishing system

Page 20: Parameter Passing & Session Tracking in PHP

Required Configuration and Examples

• The following line in the /etc/httpd/conf/httpd.conf file must be uncommented:

LoadModule rewrite_module modules/mod_rewrite.so

• URL Rewriting examples

– http://localhost/ami/123

– http://localhost/~ami/UrlRewrite.php?name=amichoksi

Page 21: Parameter Passing & Session Tracking in PHP

Retrieval of URL Rewriting Data

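<?php
// Both values come from the request URL, so escape them before writing them into the page.
if (isset($_SERVER['PATH_INFO'])) {
    echo htmlspecialchars($_SERVER['PATH_INFO'], ENT_QUOTES, 'UTF-8');
}
else if (isset($_GET['username'])) {
    echo htmlspecialchars($_GET['username'], ENT_QUOTES, 'UTF-8');
}
?>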

Page 22: Parameter Passing & Session Tracking in PHP

References

1. http://livedocs.adobe.com/coldfusion/6.1/htmldocs/shared28.htm

2. http://in.php.net/manual/en/