How to pass Emails in Session Vars

Question

I understand the basics of $_SESSION vars in php. I currently have a site that passes several values to and from pages that manage SQL queries throughout. I ran into a new problem:

I am using an email address as a Primary Key in my users table. I wish to pass this email to a second page (once the additional infomration is gathered from the server) and dynamically load content when the links are selected. This is my setup for my problem:

//Data returned from server: // $FName = bob, $LName = rogers, $Email = bob@rogers.com

$_SESSION['userEmail'] = $Email;
$_SESSION['FirstName'] = $FName;
$_SESSION['LastName'] = $LName;

When I load the content on the second page, I recieve these values:

echo $_SESSION['userEmail'];  //bob@rogers_com !!!!! THIS is not correct
echo $_SESSION['FirstName'];  //bob
echo $_SESSION['LastName'];   //rogers

The email is gathered from a POST form on the page. it is the only value within the form. On the first page, I retrieve the email using end(array_keys($_POST)), which is where "$_SESSION['userEmail'] = $Email" comes from. It is, more specifially, :: $_SESSION['userEmail'] = end(array_keys($_POST))::

How do I make it so the Email is passed safely through the request without being transformed?

After further troubleshooting, I have been able to determine that this transformation occurs in the POST request of the form. When clicked the form is using the POST method, which is intercepted in PHP using if($_SERVER['REQUEST_METHOD'] == 'POST'){}, where I capture the array of values (in my case, just the one email) - where the email is now transformed.

PHP does not replace a `.` to a `_` on its own. You have more code going on here then you think. — Xorifelse, Nov 19 '16 at 05:32
I am not clear what you are asking . can you please explain more ? — Kanishka Panamaldeniya, Nov 19 '16 at 05:41
In contrast to what @Xorifelse said, that **is** unfortunately a default behavior in PHP. See http://stackoverflow.com/questions/68651/get-php-to-stop-replacing-characters-in-get-or-post-arrays — fuxia, Nov 19 '16 at 06:22
@toscho It still seems to translate `.` in a name to `_` in post / get, funny how you learn things after using this language in over 10 years. — Xorifelse, Nov 19 '16 at 06:36

Vasim Shaikh · Answer 1 · 2016-11-19T05:55:13.980

0

I have search and found this thing its work in Xampp localhost.This will be helpful.

/** 
     * Return parsed body in array format (without converting dots and spaces to underscore). 
     * @return array result parsed 
     */     
    function fetch_parsed_body_nodots() 
    { 
        function DANODOT($string) {  
             $bes1= explode("&", $string);  
             foreach ($bes1 as $bes2) { 
                 $bes2= explode("=",$bes2); 
                 list($kilil, $beha) = array_map("urldecode", $bes2); 
                 if(!empty($kilil)){ 
                     $te[$kilil] = $beha;  
                 } 
             } 
             return $te;  
        } 
        return DANODOT($this->result_body); 
    }

http://forum.directadmin.com/showthread.php?t=48001

edited Nov 19 '16 at 05:55

answered Nov 19 '16 at 05:44

Vasim Shaikh

4,485
2
23
52

I am not understanding the difference in your example. How would you transform bob@rogers_com to bob@rogers.com? – Jstngoulet Nov 19 '16 at 05:46
Unfortuneately, this function would not work if the email originally contained an underscore. For example, bob_rogers@rogers.com would be transformed into bob_rogers@rogers.com, then, using your method, would become, bobrogers@rogerscom – Jstngoulet Nov 19 '16 at 06:41
can you create utility.php? – Vasim Shaikh Nov 19 '16 at 06:44
revert you code,an print this one ,$email= substr($email, 0, strpos( $email, '')); – Vasim Shaikh Nov 19 '16 at 06:47
revert you code,an print this one ,$email= substr($email, 0, strpos( $email, '_')); It find last '_'. – Vasim Shaikh Nov 19 '16 at 07:07

score 0 · Answer 2 · answered Nov 19 '16 at 05:45

If you want use not transformed text such as hash, encode, etc, you can try use alternative key alternative to your email primary key.

You can take hit from auto_increment index key each row.

Before:

select * from users where email = 'johndoe@johndoe.com';

After:

select * from users where id = '1';

This is equals to:

select * from users where id in (select id from users where email = 'johndoe@johndoe.com');

Good luck.

score 0 · Accepted Answer · answered Nov 19 '16 at 06:38

I figured out a work-around:

When you have the email, you can replace the chars '.' with a different sequence of characters; this is something that would not be found in a usual email address. I found that -#- is a decent one that works (generally). This is how I did it:

$TempFormat = strtr($row['UserEmail'], array('.' => '-#-'))

Then, when I went to my if($_SERVER['REQUEST_METHOD'] == 'POST'){} function, i transformed the string back to it's (hopefully) original state by performing:

$OriginalFormat = strtr(end(array_keys($_POST)), array('-#-' => '.'))

What @toscho was referring to, is using a `.` char in the html input name attribute. As a value it should be parsed, untainted. — Xorifelse, Nov 19 '16 at 06:41

How to pass Emails in Session Vars

3 Answers3