Context Navigation

source: trunk/include/functions_session.inc.php @ 21188

Last change on this file since 21188 was 20281, checked in by mistic100, 11 years ago
protect session data with pwg_db_real_escape_string
Property svn:eol-style set to `LF`
File size: 6.3 KB

Rev	Line
[2]	1	<?php
[362]	2	// +-----------------------------------------------------------------------+
[8728]	3	// \| Piwigo - a PHP based photo gallery \|
[2297]	4	// +-----------------------------------------------------------------------+
[19703]	5	// \| Copyright(C) 2008-2013 Piwigo Team http://piwigo.org \|
[2297]	6	// \| Copyright(C) 2003-2008 PhpWebGallery Team http://phpwebgallery.net \|
	7	// \| Copyright(C) 2002-2003 Pierrick LE GALL http://le-gall.net/pierrick \|
	8	// +-----------------------------------------------------------------------+
	9	// \| This program is free software; you can redistribute it and/or modify \|
	10	// \| it under the terms of the GNU General Public License as published by \|
	11	// \| the Free Software Foundation \|
	12	// \| \|
	13	// \| This program is distributed in the hope that it will be useful, but \|
	14	// \| WITHOUT ANY WARRANTY; without even the implied warranty of \|
	15	// \| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU \|
	16	// \| General Public License for more details. \|
	17	// \| \|
	18	// \| You should have received a copy of the GNU General Public License \|
	19	// \| along with this program; if not, write to the Free Software \|
	20	// \| Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, \|
	21	// \| USA. \|
	22	// +-----------------------------------------------------------------------+
[2]	23
[1013]	24	// The function generate_key creates a string with pseudo random characters.
	25	// the size of the string depends on the $conf['session_id_size'].
	26	// Characters used are a-z A-Z and numerical values. Examples :
	27	// "Er4Tgh6", "Rrp08P", "54gj"
	28	// input : none (using global variable)
	29	// output : $key
	30	function generate_key($size)
	31	{
	32	global $conf;
	33
	34	$md5 = md5(substr(microtime(), 2, 6));
	35	$init = '';
	36	for ( $i = 0; $i < strlen( $md5 ); $i++ )
	37	{
	38	if ( is_numeric( $md5[$i] ) ) $init.= $md5[$i];
	39	}
	40	$init = substr( $init, 0, 8 );
	41	mt_srand( $init );
	42	$key = '';
	43	for ( $i = 0; $i < $size; $i++ )
	44	{
	45	$c = mt_rand( 0, 2 );
	46	if ( $c == 0 ) $key .= chr( mt_rand( 65, 90 ) );
	47	else if ( $c == 1 ) $key .= chr( mt_rand( 97, 122 ) );
	48	else $key .= mt_rand( 0, 9 );
	49	}
	50	return $key;
	51	}
	52
[1063]	53	if (isset($conf['session_save_handler'])
[1013]	54	and ($conf['session_save_handler'] == 'db')
[1063]	55	and defined('PHPWG_INSTALLED'))
[1007]	56	{
[1063]	57	session_set_save_handler('pwg_session_open',
[1007]	58	'pwg_session_close',
	59	'pwg_session_read',
	60	'pwg_session_write',
	61	'pwg_session_destroy',
	62	'pwg_session_gc'
	63	);
[1217]	64	if ( function_exists('ini_set') )
	65	{
	66	ini_set('session.use_cookies', $conf['session_use_cookies']);
	67	ini_set('session.use_only_cookies', $conf['session_use_only_cookies']);
	68	ini_set('session.use_trans_sid', intval($conf['session_use_trans_sid']));
[2757]	69	ini_set('session.cookie_httponly', 1);
[1217]	70	}
[1493]	71	session_name($conf['session_name']);
	72	session_set_cookie_params(0, cookie_path());
[4781]	73	register_shutdown_function('session_write_close');
[1004]	74	}
	75
[1010]	76	/**
	77	* returns true; used when the session_start() function is called
	78	*
	79	* @params not use but useful for php engine
	80	*/
[1063]	81	function pwg_session_open($path, $name)
[2]	82	{
[1004]	83	return true;
	84	}
[45]	85
[1010]	86	/**
	87	* returns true; used when the session is closed (unset($_SESSION))
	88	*
	89	*/
[1063]	90	function pwg_session_close()
[1004]	91	{
	92	return true;
[2]	93	}
[45]	94
[2521]	95	function get_remote_addr_session_hash()
	96	{
[18850]	97	global $conf;
	98
	99	if (!$conf['session_use_ip_address'])
	100	{
	101	return '';
	102	}
	103
[12119]	104	if (strpos($_SERVER['REMOTE_ADDR'],':')===false)
	105	{//ipv4
	106	return vsprintf(
	107	"%02X%02X",
	108	explode('.',$_SERVER['REMOTE_ADDR'])
	109	);
	110	}
	111	return ''; //ipv6 not yet
	112	}
[3166]	113
[1010]	114	/**
	115	* this function returns
[1063]	116	* a string corresponding to the value of the variable save in the session
[1010]	117	* or an empty string when the variable doesn't exist
[1063]	118	*
[1010]	119	* @param string session id
	120	*/
[1063]	121	function pwg_session_read($session_id)
[2]	122	{
[1007]	123	$query = '
[1063]	124	SELECT data
[1010]	125	FROM '.SESSIONS_TABLE.'
[2521]	126	WHERE id = \''.get_remote_addr_session_hash().$session_id.'\'
[1010]	127	;';
[1004]	128	$result = pwg_query($query);
[1063]	129	if ($result)
[1007]	130	{
[4325]	131	$row = pwg_db_fetch_assoc($result);
[1004]	132	return $row['data'];
[1063]	133	}
	134	else
[1007]	135	{
[1004]	136	return '';
[2]	137	}
	138	}
	139
[1010]	140	/**
[1063]	141	* returns true; writes set a variable in the active session
	142	*
[1010]	143	* @param string session id
	144	* @data string value of date to be saved
	145	*/
[1063]	146	function pwg_session_write($session_id, $data)
[2]	147	{
[1007]	148	$query = '
[2900]	149	REPLACE INTO '.SESSIONS_TABLE.'
[1010]	150	(id,data,expiration)
[20281]	151	VALUES(\''.get_remote_addr_session_hash().$session_id.'\',\''.pwg_db_real_escape_string($data).'\',now())
[1010]	152	;';
[2884]	153	pwg_query($query);
[1004]	154	return true;
	155	}
[808]	156
[1010]	157	/**
[1063]	158	* returns true; delete the active session
	159	*
[1010]	160	* @param string session id
	161	*/
[1063]	162	function pwg_session_destroy($session_id)
[1004]	163	{
[1007]	164	$query = '
[1063]	165	DELETE
[1010]	166	FROM '.SESSIONS_TABLE.'
[2521]	167	WHERE id = \''.get_remote_addr_session_hash().$session_id.'\'
[1010]	168	;';
[1004]	169	pwg_query($query);
	170	return true;
[2]	171	}
[45]	172
[1010]	173	/**
	174	* returns true; delete expired sessions
	175	* called each time a session is closed.
	176	*/
[1063]	177	function pwg_session_gc()
[45]	178	{
[1004]	179	global $conf;
	180
[1007]	181	$query = '
[1063]	182	DELETE
[1010]	183	FROM '.SESSIONS_TABLE.'
[6666]	184	WHERE '.pwg_db_date_to_ts('NOW()').' - '.pwg_db_date_to_ts('expiration').' > '
[1010]	185	.$conf['session_length'].'
	186	;';
[1004]	187	pwg_query($query);
	188	return true;
[45]	189	}
[1623]	190
	191
	192	/**
	193	* persistently stores a variable for the current session
	194	* currently we use standard php sessions but it might change
	195	* @return boolean true on success
	196	* @see pwg_get_session_var, pwg_unset_session_var
	197	*/
	198	function pwg_set_session_var($var, $value)
	199	{
	200	if ( !isset($_SESSION) )
	201	return false;
	202	$_SESSION['pwg_'.$var] = $value;
	203	return true;
	204	}
	205
	206	/**
	207	* retrieves the value of a persistent variable for the current session
	208	* currently we use standard php sessions but it might change
	209	* @return mixed
	210	* @see pwg_set_session_var, pwg_unset_session_var
	211	*/
	212	function pwg_get_session_var($var, $default = null)
	213	{
	214	if (isset( $_SESSION['pwg_'.$var] ) )
	215	{
	216	return $_SESSION['pwg_'.$var];
	217	}
	218	return $default;
	219	}
	220
	221	/**
	222	* deletes a persistent variable for the current session
	223	* currently we use standard php sessions but it might change
	224	* @return boolean true on success
	225	* @see pwg_set_session_var, pwg_get_session_var
	226	*/
	227	function pwg_unset_session_var($var)
	228	{
	229	if ( !isset($_SESSION) )
	230	return false;
	231	unset( $_SESSION['pwg_'.$var] );
	232	return true;
	233	}
	234
[3166]	235	?>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: