request_var _sid and phpBB behavior and $_GLOBALS

Need some custom code changes to the phpBB core simple enough that you feel doesn't require an extension? Then post your request here so that community members can provide some assistance.

NOTE: NO OFFICIAL SUPPORT IS PROVIDED IN THIS SUB-FORUM
axe70
Registered User
Posts: 146
Joined: Sun Nov 17, 2002 10:55 am
Location: Italy

request_var _sid and phpBB behavior and $_GLOBALS

Post by axe70 » Fri Jan 18, 2019 2:52 pm

hello cool guys ... stupid considerations and questions:
so let say i need to check session_id of an user for some reason, and at one point, so i do this:

Code:

    $cks = request_var($config['cookie_name'] . '_sid', 0, false, true);
But if I try to print out the string, this returns only the first 4 chars of the sid, which I assume is a phpBB security globals behavior.
In fact, if I do this:

Code:

    if($cks != $user->data['session_id']){
    	echo 'not equal';
    }
This returns the result correctly, but !== fails.
Can I assume that comparing this way with != will work without any security issue? Is it your opinion that the values should maybe be "normalized" to the same type?

Can anybody indicate to me where phpBB does the globals trick?

kinerity
Community Team Member
Posts: 2395
Joined: Mon Sep 01, 2014 1:00 am
Location: sudo rm -rf /
Name: Kailey Truscott

Re: request_var _sid and phpBB behavior and $_GLOBALS

Post by kinerity » Sat Jan 19, 2019 1:30 am

axe70 wrote:
Fri Jan 18, 2019 2:52 pm

Code:

    if($cks != $user->data['session_id']){
    	echo 'not equal';
    }
This returns the result correctly, but !== fails.
Can I assume that comparing this way with != will work without any security issue? Is it your opinion that the values should maybe be "normalized" to the same type?
PHP does not support explicit type definition in variable declaration; the type is determined by the context in which the variable is used.

$a != $b Not equal, TRUE if $a is not equal to $b after type juggling.
$a !== $b Not identical, TRUE if $a is not equal to $b, or they are not of the same type.

So there should be no problem (or "security issue") by using !=.
Kailey Truscott - Community Team

kasimi
Extension Customisations
Posts: 3957
Joined: Sat Sep 10, 2011 7:12 pm
Location: Germany

Re: request_var _sid and phpBB behavior and $_GLOBALS

Post by kasimi » Sat Jan 19, 2019 9:44 am

session_id is a string. The 2nd argument of request_var() needs to be ''.

When using 0 as 2nd argument, it casts the return value to an integer. I guess in your test scenario, the session ID happened to start with 4 digits. Pass the empty string and $cks will contain the full session ID.

axe70
Registered User
Posts: 146
Joined: Sun Nov 17, 2002 10:55 am
Location: Italy

Re: request_var _sid and phpBB behavior and $_GLOBALS

Post by axe70 » Sat Jan 19, 2019 4:55 pm

Thank you all!
Perfect with passing the empty string!
That's it. So I'm asking myself (and maybe this is my third stupid question): if the value is retrieved as an int with request_var, how does the comparison with == match?

@kasimi I can't believe you're here in reply, because ...
I'm releasing, today or tomorrow at the latest, your phpBB mChat, fully integrated within WordPress!
Linked and fully working between phpBB and WP within the phpBB WordPress plugin integration.
It can be added as a widget anywhere in WordPress, and a shortcode will also be provided for this, in a second (short) step.
I would like to post somewhere later when all will be ready; where could I do this?
Would a post within this forum be sufficient? It will be my pleasure to inform you directly!

EDITED: it was request_var not request_var

kasimi
Extension Customisations
Posts: 3957
Joined: Sat Sep 10, 2011 7:12 pm
Location: Germany

Re: request_var _sid and phpBB behavior and $_GLOBALS

Post by kasimi » Sat Jan 19, 2019 9:32 pm

axe70 wrote:
Sat Jan 19, 2019 4:55 pm
comparing with == the comparison match?

Code:

    1234 == '1234abcd'
    1234 === (int) '1234abcd'
    1234 === 1234
    true

Code:

    1234 === '1234abcd'
    false because of different types
axe70 wrote:
Sat Jan 19, 2019 4:55 pm
May a post within this forum could be sufficient
This forum is not meant for advertising finished products. Feel free to make a post in mChat's support section: https://www.phpbb.com/customise/db/exte ... on/support
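As an added illustration (not code from this thread, and not phpBB's own request_var() implementation), the snippet below reproduces the one behaviour kasimi describes, the cast of the returned value to the type of the default argument, with a hypothetical helper named coerce_like_request_var(), and then runs the loose and strict comparisons from both of axe70's questions over constructed session ids. The sample ids are made up; the results in the comments are the PHP 7 results the thread discusses, and the comments note where PHP 8's comparison rules differ.

```php
<?php
// Hypothetical stand-in for phpBB's request_var(): it only reproduces the
// cast to the type of the default argument. The real function also trims,
// decodes and escapes string input; none of that matters for this point.
function coerce_like_request_var(string $raw, $default)
{
    $value = $raw;
    settype($value, gettype($default)); // gettype(0) is "integer", gettype('') is "string"
    return $value;
}

// Constructed sample values (not real session ids).
$cookie_sid  = '1234abcd5678ef90aaaa';   // what the browser sends in the _sid cookie
$session_sid = '1234abcd5678ef90aaaa';   // what $user->data['session_id'] would hold
$other_sid   = '1234ffffffffffffffff';   // a different session sharing the first four digits

// Default 0 => integer cast: the leading digits survive, everything after is dropped.
$as_int = coerce_like_request_var($cookie_sid, 0);
var_dump($as_int);                     // int(1234)

// Default '' => string: the full session id is preserved.
$as_str = coerce_like_request_var($cookie_sid, '');
var_dump($as_str);                     // string(20) "1234abcd5678ef90aaaa"

// Loose comparison after the int cast. PHP 7 converts the string operand to a
// number, so the truncated value "matches" any session id with the same leading
// digits. (PHP 8 compares an int against a non-numeric string as strings, so
// both of these are false there.)
var_dump($as_int == $session_sid);     // bool(true) on PHP 7
var_dump($as_int == $other_sid);       // bool(true) on PHP 7 as well: a false positive

// Strict comparison of the int against the string never matches: different types.
var_dump($as_int === $session_sid);    // bool(false)

// With the string default, strict comparison distinguishes the sessions correctly.
var_dump($as_str === $session_sid);    // bool(true)
var_dump($as_str === $other_sid);      // bool(false)

// For a secret such as a session id, compare in constant time (hash_equals
// exists since PHP 5.6); this helper is added here, not part of phpBB.
function same_session(string $from_cookie, string $from_user): bool
{
    return hash_equals($from_user, $from_cookie);
}
var_dump(same_session($as_str, $session_sid)); // bool(true)
var_dump(same_session($as_str, $other_sid));   // bool(false)
```

The second and fifth dumps are the practical takeaway: with the 0 default, the != check in the original post only "worked" because the test session happened to start with four digits, and the same int-cast value would loosely equal any other session id sharing those digits. Passing '' as the default and comparing with === (or hash_equals()) removes both the truncation and the type juggling.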

axe70
Registered User
Posts: 146
Joined: Sun Nov 17, 2002 10:55 am
Location: Italy

Re: request_var _sid and phpBB behavior and $_GLOBALS

Post by axe70 » Sat Jan 19, 2019 9:52 pm

Oops, yes, because it was grabbed as an int.
OK, I will post directly in the mod forum then! Thank you!
