BTW this is what the URL bar displays upon clicking the submit button: http://www.dockhawk.com/testphp.php?token=%3C%3Fphp+echo%0D%0A%24_SESSION[%27token%27]+%3F%3E&name=
On Oct 4, 9:56 pm, Lan Mind <[EMAIL PROTECTED]> wrote:
> Hello again,
>
> At step 1:
>
> > In the "Session" section, verify it says "Session Support: Enabled"
>
> It is enabled.
>
> > In the list of directives look at "session.auto_start". If this is
> > "Off", you will require session_start(); at the start of your php
> > pages.
>
> It is off but I recently did add the session_start() back to the
> beginning of my PHP page and still had this current problem.
>
> In step 2, you said
>
> > "and view the source to ensure it contains the token (and maybe php
> > session)"
>
> I'm not sure how to do that. I know how to view the source of web
> pages: View > Page Source in Firefox; it just displays the PHP as it was
> authored.
>
> Next I went on to step 3, Valid Token processing, and when I click the
> submit button I get:
>
> Token in session []
> Token from URL []
>
> Are they equal? No.
> Invalid token.
> ------------------------------------------------------------------
> Upon a reload I get:
>
> Token in session
> [13c713c205bac341ccb02c4533560c3948e8470b135580.07243695]
> Token from URL []
>
> Are they equal? No.
> Invalid token []
>
> Here is the current page (IE is in quirks mode but FF and Chrome displayed
> it ok):
>
> http://www.dockhawk.com/html.html
>
> I haven't moved on to step 4 and created a fake form yet. I'll keep
> working at this.
>
> On Oct 4, 4:13 am, Lan Mind <[EMAIL PROTECTED]> wrote:
> >
> > Thank you William,
> >
> > It will take me a few days to try this because of work, but this I
> > will do : )
> >
> > On Oct 4, 1:29 am, William <[EMAIL PROTECTED]> wrote:
> > >
> > > The technique seems to work on my PHP 4 server. Try the following
> > > procedure.
> > >
> > > 1. Verify PHP Configuration
> > >
> > > Make a simple php page that gets information about your server. If
> > > you are worried about security, delete this page after you've used it!!
> > > -------------------------------------------------------------------------------
> > > <?php phpinfo() ?>
> > > -------------------------------------------------------------------------------
> > >
> > > In the "Session" section, verify it says "Session Support: Enabled"
> > >
> > > In the list of directives look at "session.auto_start". If this is
> > > "Off", you will require session_start(); at the start of your php
> > > pages.
> > >
> > > 2. Token Creation
> > >
> > > Create a php form:
> > > -------------------------------------------------------------------------------
> > > <?php
> > > session_start();
> > > $_SESSION['token'] = uniqid(md5(microtime()), true);
> > > ?>
> > > <html>
> > > <head></head>
> > > <body>
> > > <form id="search_form" method="get" action="testphp.php">
> > > <input type="hidden" name="token" value="<?php echo $_SESSION['token'] ?>" />
> > > <input type="text" name="name" value="" maxlength="256" size="50" />
> > > <input type="submit" value="Search" />
> > > </form>
> > > </body>
> > > </html>
> > > -------------------------------------------------------------------------------
> > >
> > > and view the source to ensure it contains the token (and maybe the php
> > > session):
> > >
> > > <input type="hidden" name="PHPSESSID" value="8c253b566571cb8c47e19c2037470878" />
> > > <input type="hidden" name="token" value="28da62665aa59f2aac9fb14fbb9af4fb48e7216117fba0.52467232" />
> > >
> > > 3. Valid Token processing
> > >
> > > Create testphp.php:
> > > -------------------------------------------------------------------------------
> > > <?php
> > >
> > > session_start();
> > >
> > > // get token variables
> > > $token_session = $_SESSION['token'];
> > > $token_url = $_GET['token'];
> > >
> > > // compare them
> > > $comparison = $token_session == $token_url;
> > >
> > > // set the token to a new value to ensure it is only used once.
> > > $_SESSION['token'] = uniqid(md5(microtime()), true);
> > >
> > > echo 'Token in session [' . $token_session . ']<br>';
> > > echo 'Token from URL [' . $token_url . ']<br><br>';
> > > echo 'Are they equal? ' . ($comparison ? 'Yes' : 'No') . '.<br>';
> > >
> > > if (!$comparison) {
> > >     die('Invalid token.');
> > > } else {
> > >     echo 'Valid token.';
> > > }
> > >
> > > ?>
> > > -------------------------------------------------------------------------------
> > >
> > > Token in session
> > > [28da62665aa59f2aac9fb14fbb9af4fb48e7216117fba0.52467232]
> > > Token from URL
> > > [28da62665aa59f2aac9fb14fbb9af4fb48e7216117fba0.52467232]
> > >
> > > Are they equal? Yes.
> > > Valid token
> > >
> > > 4. Invalid Token processing
> > >
> > > (a) Refresh testphp.php and it should say "Invalid token" because
> > > there's a new token in the session.
> > >
> > > (b) Press the back button to get back to the php form, and resubmit it.
> > > It might say "invalid token" if the php form has been cached by your
> > > browser.
> > >
> > > (c) Create an html file with a fake form:
> > > -------------------------------------------------------------------------------
> > > <html>
> > > <head></head>
> > > <body>
> > > <form id="search_form" method="get" action="testphp.php">
> > > <input type="hidden" name="token" value="blue" />
> > > <input type="text" name="name" value="" maxlength="256" size="50" />
> > > <input type="submit" value="Search" />
> > > </form>
> > > </body>
> > > </html>
> > > -------------------------------------------------------------------------------
> > >
> > > This should say "invalid token".

You received this message because you are subscribed to the Google Groups "Google Maps API" group.
For more options, visit this group at http://groups.google.com/group/Google-Maps-API?hl=en
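A hardened version of the form-and-processor pair from William's procedure, added here as an example (not code from the thread or from anyone in it). It assumes PHP 7.1+ and a file name of token_form.php, which must carry a .php extension so the server actually executes it.

```php
<?php
// Added example, not code from the thread. One-time form token on PHP 7.1+.
// Save as token_form.php (assumed name) and request it through the web server:
// a copy saved as html.html is never run by PHP, so the form would submit the
// literal text "<?php echo $_SESSION['token'] ?>", which is what the URL bar
// quoted at the top of this thread shows.
session_start();

// Issue a fresh token and store it in the session. random_bytes() is a CSPRNG;
// the thread's uniqid(md5(microtime()), true) is derived from the clock.
function issue_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['token'] = $token;
    return $token;
}

// Validate the submitted token and consume it so it can be used only once.
// Missing values on either side fail closed instead of raising a notice.
function check_token(?string $submitted): bool
{
    $expected = $_SESSION['token'] ?? null;
    unset($_SESSION['token']);                 // consumed whether or not it matches
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

if (isset($_GET['token'])) {
    // Processing branch, the role of testphp.php in the thread.
    $submitted = is_string($_GET['token']) ? $_GET['token'] : null; // reject token[]=...
    if (!check_token($submitted)) {
        http_response_code(403);
        exit('Invalid token.');
    }
    $name = htmlspecialchars($_GET['name'] ?? '', ENT_QUOTES, 'UTF-8');
    exit('Valid token. Searching for: ' . $name);
}

// Form branch: render the form with a new token; both values are HTML-escaped.
$token = htmlspecialchars(issue_token(), ENT_QUOTES, 'UTF-8');
$self  = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
?>
<html><body>
<form id="search_form" method="get" action="<?php echo $self; ?>">
<input type="hidden" name="token" value="<?php echo $token; ?>" />
<input type="text" name="name" value="" maxlength="256" size="50" />
<input type="submit" value="Search" />
</form>
</body></html>
```

Refreshing the result page after a valid submit now fails exactly as in step 4(a), because check_token() discards the session token on every call, and the fake form from step 4(c) fails because "blue" never matches a 64-character hex token.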
