Session Vars loaded from MSSQL Query drop, those loadedfrom MYSQL Query stick
in [General]
|
Prev: Session Vars loaded from MSSQL Query drop, those loaded from MYSQL Query stick
Next: Valid Xml not validate with xsd
From: Ashley Sheridan on 16 Sep 2010 10:13 On Thu, 2010-09-16 at 10:11 -0400, Cheryl Sullivan wrote: > Hi there â Iâm new to this news group. Any help with this is appreciated â > > When I populate session vars from a MYSQL query, they are still there when I change pages. If I populate them from an MSSQL query, they drop. > > It doesn't matter if I get to the next page using a header redirect or a form submit. I have two session vars I'm loading from a MYSQL query and they remain, the two loaded from MSSQL disappear. > > I have confirmed that all four session vars are loading ok initially and I can echo them out to the page, but when the application moves to the next page via redirect or form submit, the two vars loaded from MSSQL are empty.. > > Any ideas? > > > Cheryl L. Sullivan > Interface Analyst / Web Developer > > Sacred Heart Hospital (www.shh.org) > 421 Chew Street ⢠Allentown, PA 18102 > Office: 610-776-4784 ⢠Cell: 484-544-2416 > ï Please consider the environment before printing this e-mail > > > > Notice: This communication, including attachments, may contain information that is confidential and protected. It constitutes non-public information intended to be conveyed only to the designated recipient(s). If you believe that you have received this communication in error, please notify the sender immediately by return e-mail and promptly delete this e-mail, including attachments without reading or saving them in any manner. The unauthorized use, dissemination, distribution, or reproduction of this e-mail, including attachments, is prohibited and may be unlawful. Thank you. > > There should be no difference. Can we see some examples of the MySQL and the MSSQL code to see what you're doing differently? Thanks, Ash http://www.ashleysheridan.co.uk
From: Andrew Ballard on 16 Sep 2010 11:18 On Thu, Sep 16, 2010 at 10:26 AM, Cheryl Sullivan <csulliva(a)shh.org> wrote: > Absolutely - > > This is from the first page > > <?php > > $_SESSION['UserLastName'] = strtolower(trim($_POST['txtLastName'])); > > $_SESSION['BadgeID'] = trim($_POST['txtBadgeID']); > > //access MS SQL Server database > > $q1 = "select * from emps where emp_last = > '".$_SESSION['UserLastName']."' and emp_badge = > '".$_SESSION['BadgeID']."'"; > > $rs_emp_info = hitMSSQL($q1,"xxxx_sql","database","table","password",1); > > $_SESSION['SSN'] = $rs_emp_info->fields("emp_ssn"); > > $_SESSION['CostCenter'] = $rs_emp_info->fields("emp_costcenter"); > > //access mySQL database > > $cnx = mysql_connect("localhost","userID","password"); > > $db = mysql_select_db("database_name"); > > $q1 = "select * from tblmainempreport where empUUID = > 'sdfsfs920090528131'"; > > $result = mysql_query($q1); > > $recArray = mysql_fetch_array($result); > > $_SESSION['empFName'] = $recArray['EmpFName']; > > ?> > > > > When I echo all five $_SESSION vars from here, they are all populated. > Then I can either redirect or form post to the next page. Â In either > case, the $_SESSION vars populated from SQL Server ( the SSN and Cost > Center vars) are blank when I echo them on the destination page. The fact that you can echo the $_SESSION information on the same page and they contain the correct values suggest to me that the issue of MySQL/MSSQL is a red herring. I would look into things like the value for register_globals to make sure you don't have a global variable stepping on some of your session variables. Andrew
From: Peter Lind on 16 Sep 2010 12:03 On 16 September 2010 16:26, Cheryl Sullivan <csulliva(a)shh.org> wrote: > Absolutely - > > > > This is from the first page > > > > <?php > > $_SESSION['UserLastName'] = strtolower(trim($_POST['txtLastName'])); > > $_SESSION['BadgeID'] = trim($_POST['txtBadgeID']); > > > > //access MS SQL Server database > > $q1 = "select * from emps where emp_last = > '".$_SESSION['UserLastName']."' and emp_badge = > '".$_SESSION['BadgeID']."'"; > > $rs_emp_info = hitMSSQL($q1,"xxxx_sql","database","table","password",1); > > $_SESSION['SSN'] = $rs_emp_info->fields("emp_ssn"); > > $_SESSION['CostCenter'] = $rs_emp_info->fields("emp_costcenter"); > You're sticking values from $_POST into an SQL query without sanitizing them first. That spells out SQL INJECTION VULNERABILITY. Regards Peter -- <hype> WWW: http://plphp.dk / http://plind.dk LinkedIn: http://www.linkedin.com/in/plind BeWelcome/Couchsurfing: Fake51 Twitter: http://twitter.com/kafe15 </hype>
From: Andrew Ballard on 16 Sep 2010 14:20 On Thu, Sep 16, 2010 at 10:26 AM, Cheryl Sullivan <csulliva(a)shh.org> wrote: [snip] > When I echo all five $_SESSION vars from here, they are all populated. > Then I can either redirect or form post to the next page. In either > case, the $_SESSION vars populated from SQL Server ( the SSN and Cost > Center vars) are blank when I echo them on the destination page. On Thu, Sep 16, 2010 at 2:12 PM, Cheryl Sullivan <csulliva(a)shh.org> wrote: > Tommy  - I ran phpinfo() but I don't see anything in it referencing > MSSQL or SQLSRV.  I have included all the references to "sql" I see > below, but the only references I see to databases are to mySQL and > SQLLite.  Unfortunately I don't have any control over how service-packed > the database server is.  Is there something in SP 4 for SQL Server 2000 > that is supposed to fix the issue I'm having, I may be able to plead my > case for getting the latest SP.  Is this the case, do you know? > [snip] Again, I ask - based on what you said earlier - are you sure this is even a database issue? You said that when you echo the values in your $_SESSION array AFTER reading them from the database they are there, and you only lose them on the next request after either a redirect or a manual form POST. If the values are getting into $_SESSION correctly within this page, your issue is not related to the database at all. Am I misunderstanding you? Andrew
From: Peter Lind on 16 Sep 2010 16:20
On 16 September 2010 20:03, Cheryl Sullivan <csulliva(a)shh.org> wrote: > We are actually running the query through a function that removes single > ticks, etc to avoid this, but I didn't think that was relevant to the > question so I didn't include it. Â Thanks, though! You're the one with the problem you don't understand, which means you don't get to make decisions as what is or is not relevant. Rather: you have no idea what seems relevant to us trying to pinpoint the error. That said, if - like Andrew points out - you see the values directly after storing them, then the problem is not database related. What exactly happens between the two pages and on the second page? Regards Peter -- <hype> WWW: http://plphp.dk / http://plind.dk LinkedIn: http://www.linkedin.com/in/plind BeWelcome/Couchsurfing: Fake51 Twitter: http://twitter.com/kafe15 </hype> |