request_var _sid and phpBB behavior and $_GLOBALS

axe70 · Post by **axe70** » Fri Jan 18, 2019 2:52 pm

hello cool guys ... stupid considerations and questions:
so let say i need to check session_id of an user for some reason, and at one point, so i do this:

Code: Select all

$cks = request_var($config['cookie_name'] . '_sid', 0, false, true);

but this if i try to print out the string, return only first 4 chars of the sid that i assume is a phpBB security globals behavior.
In fact if i do this:

Code: Select all

if($cks != $user->data['session_id']){
	echo 'not equal';
}

This return correctly the result, but !== fail.
Can i assume that comparing in this way !=
all will return without any security issue? It's your opinion that values should maybe be "normalized" to be same type?

Anybody can indicate me where phpBB do the globals trick?

Post by **kinerity** » Sat Jan 19, 2019 1:30 am

axe70 wrote: ↑
Fri Jan 18, 2019 2:52 pm
Code: Select all
if($cks != $user->data['session_id']){
	echo 'not equal';
}
This return correctly the result, but !== fail.
Can i assume that comparing in this way !=
all will return without any security issue? It's your opinion that values should maybe be "normalized" to be same type?

PHP does not support explicit type definition in variable declaration, it's determined by the context in which the variable is used.

$a != $b Not equal, TRUE if $a is not equal to $b after type juggling.
$a !== $b Not identical, TRUE if $a is not equal to $b, or they are not of the same type.

So there should be no problem (or "security issue") by using !=.

Post by **kasimi** » Sat Jan 19, 2019 9:44 am

session_id is a string. The 2nd argument of request_var() needs to be ''.

When using 0 as 2nd argument, it casts the return value to an integer. I guess in your test scenario, the session ID happened to start with 4 digits. Pass the empty string and $cks will contain the full session ID.

axe70 · Post by **axe70** » Sat Jan 19, 2019 4:55 pm

Thank you all!
Perfect with passing empty string!
That is. So how, asking myself (and maybe this is my third stupid question) if the value retrieved as int with request_var, comparing with == the comparison match?

@kasimi i can't believe you're here in reply because ...
i'm on releasing today or tomorrow my time at max, your phpBB mChat, fully integrated within WordPress!
Linked and fully working between phpBB and WP within phpBB wordpress plugin integration.
It can be added as widget anywhere in WordPress, and a shortcode also will be provided about this, in a second (short) time.
I would like to post somewhere when more later all will be ready, could i do this where?
May a post within this forum could be sufficient, will be my pleasure inform directly you!

EDITED: it was request_var not request_var

Post by **kasimi** » Sat Jan 19, 2019 9:32 pm

axe70 wrote: ↑
Sat Jan 19, 2019 4:55 pm
comparing with == the comparison match?

Code: Select all

1234 == '1234abcd'
1234 === (int) '1234abcd'
1234 === 1234
true

Code: Select all

1234 === '1234abcd'
false because of different types

axe70 wrote: ↑
Sat Jan 19, 2019 4:55 pm
May a post within this forum could be sufficient

This forum is not meant for advertising finished products. Feel free to make a post in mChat's support section: https://www.phpbb.com/customise/db/exte ... on/support

axe70 · Post by **axe70** » Sat Jan 19, 2019 9:52 pm

ops, yes because it was grabbed as an int.
Ok i will post directly into mod forum then! Thank you!

advertisements