From: Ashley Sheridan on
On Thu, 2010-09-16 at 10:11 -0400, Cheryl Sullivan wrote:

> Hi there – I’m new to this news group. Any help with this is appreciated –
>
> When I populate session vars from a MYSQL query, they are still there when I change pages. If I populate them from an MSSQL query, they drop.
>
> It doesn't matter if I get to the next page using a header redirect or a form submit. I have two session vars I'm loading from a MYSQL query and they remain, the two loaded from MSSQL disappear.
>
> I have confirmed that all four session vars are loading ok initially and I can echo them out to the page, but when the application moves to the next page via redirect or form submit, the two vars loaded from MSSQL are empty.
>
> Any ideas?
>
>
> Cheryl L. Sullivan
> Interface Analyst / Web Developer
>
> Sacred Heart Hospital (www.shh.org)
> 421 Chew Street • Allentown, PA 18102
> Office: 610-776-4784 • Cell: 484-544-2416


There should be no difference. Can we see some examples of the MySQL and
the MSSQL code to see what you're doing differently?

Thanks,
Ash
http://www.ashleysheridan.co.uk


From: Andrew Ballard on
On Thu, Sep 16, 2010 at 10:26 AM, Cheryl Sullivan <csulliva(a)shh.org> wrote:
> Absolutely -
>
> This is from the first page
>
> <?php
>
> $_SESSION['UserLastName'] = strtolower(trim($_POST['txtLastName']));
>
> $_SESSION['BadgeID'] = trim($_POST['txtBadgeID']);
>
> //access MS SQL Server database
>
> $q1 = "select * from emps where emp_last =
> '".$_SESSION['UserLastName']."' and emp_badge =
> '".$_SESSION['BadgeID']."'";
>
> $rs_emp_info = hitMSSQL($q1,"xxxx_sql","database","table","password",1);
>
> $_SESSION['SSN'] = $rs_emp_info->fields("emp_ssn");
>
> $_SESSION['CostCenter'] = $rs_emp_info->fields("emp_costcenter");
>
> //access mySQL database
>
> $cnx = mysql_connect("localhost","userID","password");
>
> $db = mysql_select_db("database_name");
>
> $q1 = "select * from tblmainempreport where empUUID =
> 'sdfsfs920090528131'";
>
> $result = mysql_query($q1);
>
> $recArray = mysql_fetch_array($result);
>
> $_SESSION['empFName'] = $recArray['EmpFName'];
>
> ?>
>
>
>
> When I echo all five $_SESSION vars from here, they are all populated.
> Then I can either redirect or form post to the next page.  In either
> case, the $_SESSION vars populated from SQL Server (the SSN and Cost
> Center vars) are blank when I echo them on the destination page.

The fact that you can echo the $_SESSION information on the same page
and they contain the correct values suggests to me that the issue of
MySQL/MSSQL is a red herring. I would look into things like the value
for register_globals to make sure you don't have a global variable
stepping on some of your session variables.

Andrew


From: Peter Lind on
On 16 September 2010 16:26, Cheryl Sullivan <csulliva(a)shh.org> wrote:
> Absolutely -
>
>
>
> This is from the first page
>
>
>
> <?php
>
> $_SESSION['UserLastName'] = strtolower(trim($_POST['txtLastName']));
>
> $_SESSION['BadgeID'] = trim($_POST['txtBadgeID']);
>
>
>
> //access MS SQL Server database
>
> $q1 = "select * from emps where emp_last =
> '".$_SESSION['UserLastName']."' and emp_badge =
> '".$_SESSION['BadgeID']."'";
>
> $rs_emp_info = hitMSSQL($q1,"xxxx_sql","database","table","password",1);
>
> $_SESSION['SSN'] = $rs_emp_info->fields("emp_ssn");
>
> $_SESSION['CostCenter'] = $rs_emp_info->fields("emp_costcenter");
>

You're sticking values from $_POST into an SQL query without
sanitizing them first. That spells out SQL INJECTION VULNERABILITY.

Regards
Peter

--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>


From: Andrew Ballard on
On Thu, Sep 16, 2010 at 10:26 AM, Cheryl Sullivan <csulliva(a)shh.org> wrote:
[snip]
> When I echo all five $_SESSION vars from here, they are all populated.
> Then I can either redirect or form post to the next page. In either
> case, the $_SESSION vars populated from SQL Server (the SSN and Cost
> Center vars) are blank when I echo them on the destination page.

On Thu, Sep 16, 2010 at 2:12 PM, Cheryl Sullivan <csulliva(a)shh.org> wrote:
> Tommy  - I ran phpinfo() but I don't see anything in it referencing
> MSSQL or SQLSRV.  I have included all the references to "sql" I see
> below, but the only references I see to databases are to mySQL and
> SQLLite.  Unfortunately I don't have any control over how service-packed
> the database server is.  Is there something in SP 4 for SQL Server 2000
> that is supposed to fix the issue I'm having, I may be able to plead my
> case for getting the latest SP.  Is this the case, do you know?
>
[snip]

Again, I ask - based on what you said earlier - are you sure this is
even a database issue? You said that when you echo the values in your
$_SESSION array AFTER reading them from the database they are there,
and you only lose them on the next request after either a redirect or
a manual form POST. If the values are getting into $_SESSION correctly
within this page, your issue is not related to the database at all.

Am I misunderstanding you?

Andrew


From: Peter Lind on
On 16 September 2010 20:03, Cheryl Sullivan <csulliva(a)shh.org> wrote:
> We are actually running the query through a function that removes single
> ticks, etc to avoid this, but I didn't think that was relevant to the
> question so I didn't include it.  Thanks, though!

You're the one with the problem you don't understand, which means you
don't get to make decisions as to what is or is not relevant. Rather: you
have no idea what seems relevant to us trying to pinpoint the error.

That said, if - like Andrew points out - you see the values directly
after storing them, then the problem is not database related. What
exactly happens between the two pages and on the second page?

Regards
Peter

--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>
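

Added example, not part of the thread and not the posters' code: the employee lookup from the first page rewritten with bound parameters, next to a quote-stripping filter of the kind mentioned above. PDO, the in-memory SQLite database, the sample rows and the stripTicks() and findEmployee() helpers are assumptions made for illustration; the table and column names come from the posted query.

```php
<?php
// Added example, not from the thread. Table and column names follow the
// posted query; the in-memory SQLite database and its rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE emps (emp_last TEXT, emp_badge TEXT, emp_costcenter TEXT)');
$pdo->exec("INSERT INTO emps VALUES ('o''brien', '1001', 'CC-10'), ('smith', '1002', 'CC-20')");

// Hypothetical stand-in for the "removes single ticks" function mentioned in
// the thread; the real function was never posted.
function stripTicks(string $value): string
{
    return str_replace("'", '', $value);
}

// Lookup with bound parameters: the values never become part of the SQL text.
function findEmployee(PDO $pdo, string $lastName, string $badgeId): ?array
{
    $stmt = $pdo->prepare(
        'SELECT emp_last, emp_costcenter FROM emps
          WHERE emp_last = :last AND emp_badge = :badge'
    );
    $stmt->execute([
        ':last'  => strtolower(trim($lastName)),
        ':badge' => trim($badgeId),
    ]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed form input, shaped like the $_POST fields in the posted code.
$post = ['txtLastName' => " O'Brien ", 'txtBadgeID' => '1001'];

// Bound as-is: the apostrophe is ordinary data inside the parameter.
var_dump(findEmployee($pdo, $post['txtLastName'], $post['txtBadgeID']));

// Filtered first: the value is altered before the lookup, so a legitimate
// name containing an apostrophe no longer equals the stored one.
var_dump(findEmployee($pdo, stripTicks($post['txtLastName']), $post['txtBadgeID']));

// A value containing SQL syntax is compared literally, not parsed as SQL.
var_dump(findEmployee($pdo, "smith' OR '1'='1", '9999'));
```

Against SQL Server the same prepare/execute pattern applies through a PDO driver for that database; only the connection string changes.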