From 9410522e9f7d077bb4830158b6f01276a55276b3 Mon Sep 17 00:00:00 2001
From: nikrou
Date: Wed, 18 Jan 2006 15:16:30 +0000
Subject: bug fix 261: improve security of sessions (next to svn:1004): - improve presentation code style - add upgrade database file
git-svn-id: http://piwigo.org/svn/trunk@1007 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 include/functions_session.inc.php | 82 ++++++++++++++++++++++++++-------------
 1 file changed, 54 insertions(+), 28 deletions(-)
(limited to 'include/functions_session.inc.php')
diff --git a/include/functions_session.inc.php b/include/functions_session.inc.php
index 98a85c876..bc3bb12ca 100644
--- a/include/functions_session.inc.php
+++ b/include/functions_session.inc.php
@@ -25,20 +25,33 @@
 // | USA. |
 // +-----------------------------------------------------------------------+
-if (isset($conf['session_save_handler']) and ($conf['session_save_handler'] == 'db')) {
+if (isset($conf['session_save_handler'])
+ and ($conf['session_save_handler'] == 'db'))
+{
 session_set_save_handler('pwg_session_open',
- 'pwg_session_close',
- 'pwg_session_read',
- 'pwg_session_write',
- 'pwg_session_destroy',
- 'pwg_session_gc'
- );
+ 'pwg_session_close',
+ 'pwg_session_read',
+ 'pwg_session_write',
+ 'pwg_session_destroy',
+ 'pwg_session_gc'
+ );
+}
+if (isset($conf['session_use_cookies']))
+{
+ ini_set('session.use_cookies', $conf['session_use_cookies']);
+}
+if (isset($conf['session_use_only_cookies']))
+{
+ ini_set('session.use_only_cookies', $conf['session_use_only_cookies']);
+}
+if (isset($conf['session_use_trans_sid']))
+{
+ ini_set('session.use_trans_sid', intval($conf['session_use_trans_sid']));
+}
+if (isset($conf['session_name']))
+{
+ ini_set('session.name', $conf['session_name']);
 }
-
-ini_set('session.use_cookies', $conf['session_use_cookies']);
-ini_set('session.use_only_cookies', $conf['session_use_only_cookies']);
-ini_set('session.use_trans_sid', $conf['session_use_trans_sid']);
-ini_set('session.name', $conf['session_name']);
 function pwg_session_open($path, $name)
 {
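Review bot: Making each `ini_set` conditional on `isset()` means a config file that omits `session_use_only_cookies` or `session_use_trans_sid` silently inherits the php.ini value, which for a commit meant to harden sessions is the wrong direction: the hardening now depends on the key being present and nothing documents that. Either give the two security-relevant flags an explicit fallback, e.g. `ini_set('session.use_only_cookies', isset($conf['session_use_only_cookies']) ? intval($conf['session_use_only_cookies']) : 1);`, or add a comment such as `// absent keys fall back to the php.ini value` above the block. Only `session_use_trans_sid` is normalised with `intval()`; `session_use_cookies` and `session_use_only_cookies` are passed raw, so a boolean `false` in the config relies on PHP's string conversion rather than an explicit `0`, and wrapping them the same way keeps the three flags consistent.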
@@ -53,29 +66,39 @@ function pwg_session_close()
 function pwg_session_read($session_id)
 {
- $query = "SELECT data FROM " . SESSIONS_TABLE;
- $query .= " WHERE id = '$session_id'";
+ $query = '
+SELECT data FROM '.SESSIONS_TABLE.'
+ WHERE id = \''.$session_id.'\'';
 $result = pwg_query($query);
- if ($result) {
+ if ($result)
+ {
 $row = mysql_fetch_assoc($result);
 return $row['data'];
- } else {
+ }
+ else
+ {
 return '';
 }
 }
 function pwg_session_write($session_id, $data)
 {
- $query = "SELECT id FROM " . SESSIONS_TABLE;
- $query .= " WHERE id = '$session_id'";
+ $query = '
+SELECT id FROM '.SESSIONS_TABLE.'
+ WHERE id = \''.$session_id.'\'';
 $result = pwg_query($query);
- if (mysql_num_rows($result)) {
- $query = "UPDATE " . SESSIONS_TABLE . " SET expiration = now()";
- $query .= " WHERE id = '$session_id'";
+ if (mysql_num_rows($result))
+ {
+ $query = '
+UPDATE '.SESSIONS_TABLE.' SET expiration = now()
+ WHERE id = \''.$session_id.'\'';
 pwg_query($query);
- } else {
- $query = "INSERT INTO " . SESSIONS_TABLE . " (id,data,expiration)";
- $query .= " VALUES('$session_id','$data',now())";
+ }
+ else
+ {
+ $query = '
+INSERT INTO '.SESSIONS_TABLE.'(id,data,expiration)
+ VALUES(\''.$session_id.'\',\''.$data.'\',now())';
 pwg_query($query);
 }
 return true;
@@ -83,8 +106,9 @@ function pwg_session_write($session_id, $data)
 function pwg_session_destroy($session_id)
 {
- $query = "DELETE FROM " . SESSIONS_TABLE;
- $query .= " WHERE id = '$session_id'";
+ $query = '
+DELETE FROM '.SESSIONS_TABLE.'
+ WHERE id = '.$session_id;
 pwg_query($query);
 return true;
 }
@@ -93,8 +117,10 @@ function pwg_session_gc()
 {
 global $conf;
- $query = "DELETE FROM " . SESSIONS_TABLE;
- $query .= " WHERE UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(expiration) > " . $conf['session_length'];
+ $query = '
+DELETE FROM '.SESSIONS_TABLE.'
+ WHERE UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(expiration) > '
+ .$conf['session_length'];
 pwg_query($query);
 return true;
 }
-- cgit v1.2.3
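Review bot: `$session_id` and `$data` are still concatenated into the SQL text unescaped in pwg_session_read and pwg_session_write (and `$session_id` again in pwg_session_destroy in the following hunk); the session id is whatever the client sends in the cookie, so a value containing a quote breaks the statement and turns it into an injection point, which the switch from double-quoted interpolation to single-quoted concatenation does not change. Escape at the top of each handler, `$session_id = mysql_real_escape_string($session_id);`, and in pwg_session_write also `$data = mysql_real_escape_string($data);`, since serialized session data routinely contains quotes and backslashes and the INSERT can fail on legitimate input as written. Separately, the UPDATE branch only sets `expiration`, so once a row exists any change to the session data is never persisted; presumably `UPDATE '.SESSIONS_TABLE.' SET expiration = now(), data = \''.$data.'\'` was intended. pwg_session_write's closing brace lies outside this hunk.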
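Review bot: The rewritten DELETE in pwg_session_destroy drops the quotes around the id: `WHERE id = '.$session_id` yields `WHERE id = <bare value>` with no string delimiters, so MySQL would read the bare session id as an identifier or number rather than a string and the row is either not matched or the statement errors. Restore the quoting the other handlers use, `WHERE id = \''.$session_id.'\'';`, and escape the id first since it comes from the client cookie. Because `pwg_query`'s result is discarded and the function returns `true` unconditionally, a failed destroy would go unnoticed, so the session row would outlive the call that was meant to remove it.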
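Review bot: `$conf['session_length']` is appended to the DELETE unchanged, while the first hunk normalises `session_use_trans_sid` with `intval()`; applying the same here, `.intval($conf['session_length']);`, keeps a mistyped or empty config value from producing a malformed query (an empty value leaves `> ` with no operand, and the discarded `pwg_query` result means expired rows would then silently stop being purged). This is a configuration value rather than client input, so the concern is robustness and consistency rather than injection.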