request_var _sid and phpBB behavior and $_GLOBALS

Posted: Fri Jan 18, 2019 2:52 pm
by axe70
Hello cool guys ... stupid considerations and questions:
So let's say I need to check the session_id of a user for some reason at one point, so I do this:

$cks = request_var($config['cookie_name'] . '_sid', 0, false, true);
But if I try to print out the string, this returns only the first 4 chars of the sid, which I assume is a phpBB security globals behavior.
In fact, if I do this:

if($cks != $user->data['session_id']){
	echo 'not equal';
}
This returns the result correctly, but !== fails.
Can I assume that comparing in this way with != will work without any security issue? Is it your opinion that the values should maybe be "normalized" to be the same type?

Can anybody indicate to me where phpBB does the globals trick?

Re: request_var _sid and phpBB behavior and $_GLOBALS

Posted: Sat Jan 19, 2019 1:30 am
by kinerity
axe70 wrote:
Fri Jan 18, 2019 2:52 pm

if($cks != $user->data['session_id']){
	echo 'not equal';
}
This returns the result correctly, but !== fails.
Can I assume that comparing in this way with != will work without any security issue? Is it your opinion that the values should maybe be "normalized" to be the same type?
PHP does not support explicit type definition in variable declarations; the type is determined by the context in which the variable is used.

$a != $b Not equal, TRUE if $a is not equal to $b after type juggling.
$a !== $b Not identical, TRUE if $a is not equal to $b, or they are not of the same type.

So there should be no problem (or "security issue") by using !=.

Re: request_var _sid and phpBB behavior and $_GLOBALS

Posted: Sat Jan 19, 2019 9:44 am
by kasimi
session_id is a string. The 2nd argument of request_var() needs to be ''.

When using 0 as 2nd argument, it casts the return value to an integer. I guess in your test scenario, the session ID happened to start with 4 digits. Pass the empty string and $cks will contain the full session ID.

Re: request_var _sid and phpBB behavior and $_GLOBALS

Posted: Sat Jan 19, 2019 4:55 pm
by axe70
Thank you all!
Perfect with passing the empty string!
That's it. So I'm asking myself (and maybe this is my third stupid question): if the value is retrieved as an int with request_var, how does the comparison with == match?

@kasimi I can't believe you're here in reply because ...
I'm releasing today or tomorrow at the latest your phpBB mChat, fully integrated within WordPress!
Linked and fully working between phpBB and WP within the phpBB WordPress plugin integration.
It can be added as a widget anywhere in WordPress, and a shortcode will also be provided for this in a second (short) step.
I would like to post somewhere later when all will be ready; where could I do this?
Maybe a post within this forum could be sufficient; it will be my pleasure to inform you directly!

EDITED: it was request_var not request_var

Re: request_var _sid and phpBB behavior and $_GLOBALS

Posted: Sat Jan 19, 2019 9:32 pm
by kasimi
axe70 wrote:
Sat Jan 19, 2019 4:55 pm
comparing with == the comparison match?

1234 == '1234abcd'
1234 === (int) '1234abcd'
1234 === 1234
true

1234 === '1234abcd'
false because of different types
axe70 wrote:
Sat Jan 19, 2019 4:55 pm
May a post within this forum could be sufficient
This forum is not meant for advertising finished products. Feel free to make a post in mChat's support section: https://www.phpbb.com/customise/db/exte ... on/support
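A worked illustration of the int-default versus empty-string-default behaviour kasimi describes above (and of the == / === results in this reply), added here as an example rather than code from phpBB or from anyone in this thread. The request_var_demo() stand-in, the cookie name 'phpbb3_sid' and the sample session id are assumptions, not phpBB's actual implementation.

```php
<?php
// Added example, not phpBB's own code: a minimal stand-in for request_var()
// that reproduces only the behaviour discussed in this thread, i.e. the value
// from the request is cast to the type of the default argument (0 -> int, '' -> string).
function request_var_demo(array $request, string $name, $default)
{
    if (!isset($request[$name])) {
        return $default;
    }
    $value = $request[$name];
    settype($value, gettype($default)); // same idea as phpBB: cast to the default's type
    return $value;
}

// Defender-side check: read the cookie as a string (empty-string default) and
// compare strictly; hash_equals() only accepts strings and runs in constant time.
function session_cookie_matches(array $cookies, string $cookieName, string $sessionId): bool
{
    $cks = request_var_demo($cookies, $cookieName, '');
    return hash_equals($sessionId, $cks);
}

// Constructed sample data: a session id that happens to start with four digits
// and an assumed cookie name; $user->data['session_id'] would hold $sessionId.
$sessionId = '1234abcd5e6f7890';
$cookies   = ['phpbb3_sid' => $sessionId];

// Default 0: the cast keeps only the leading digits, the truncation seen in the first post.
$asInt = request_var_demo($cookies, 'phpbb3_sid', 0);
var_dump($asInt);                 // int(1234)
var_dump($asInt == $sessionId);   // PHP 7: bool(true) via type juggling; PHP 8: bool(false)
var_dump($asInt === $sessionId);  // bool(false): int versus string

// Default '': the full session id survives and the strict comparison works.
$asStr = request_var_demo($cookies, 'phpbb3_sid', '');
var_dump($asStr === $sessionId);  // bool(true)
var_dump(session_cookie_matches($cookies, 'phpbb3_sid', $sessionId)); // bool(true)

// A value that merely shares the leading digits is rejected by the string check,
// whereas the int cast would have reduced both sides to 1234 on PHP 7.
$cookies['phpbb3_sid'] = '1234zzzz00000000';
var_dump(session_cookie_matches($cookies, 'phpbb3_sid', $sessionId)); // bool(false)
```

The `1234 == '1234abcd'` result quoted in this reply holds on the PHP 7 releases current when the thread was written; PHP 8 changed the comparison of an int with a non-numeric string, so the same expression is false there.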

Re: request_var _sid and phpBB behavior and $_GLOBALS

Posted: Sat Jan 19, 2019 9:52 pm
by axe70
Oops, yes, because it was grabbed as an int.
OK, I will post directly in the mod forum then! Thank you!