Solved

How do I prevent Java image upload applet from destroying PHP session variables?

Posted on 2008-10-15
Last Modified: 2013-12-13
Hello, this is my first post so I hope I have formatted this all properly.

I'm developing a website that uses PHP and MySQL. User content is uploaded and stored based off of unique user IDs stored in the PHP superglobal $_SESSION['user_id'].

An important part of this is FAST image upload. I downloaded a Java program called Thin Image Upload (http://upload.thinfile.com/image/) to handle the image uploads, only whenever the applet uses upload.php all session variables are lost. The PHP upload script is attached.

If I point a regular HTML form to use this script it works fine, session variables are there; however, when the Java applet uses the code the session data gets lost, print_r($_SESSION) prints an empty array.

So somehow the Java is not talking to the PHP. I've even tried setting cookies in the upload.php script but those too get destroyed. I don't know Java, but my only idea is that I somehow need to preserve the session variable in Java somewhere and recover it in the PHP?

Thanks for taking the time to look at this.
-Brian
<?php
session_start();
$uid = $_SESSION['user_id'];
 
print_r($_SESSION);
 
$save_path="img/";
$time = time();   
 
if($_FILES)
{
	$unique = 0;
	$pass = 0;
	$i = 0;
	$k = 0;
	$current = 1;
	$pass = 1;
	
	$file = $_FILES['userfile'];
	$k = count($file['name']);
	
	$unique = count(array_unique($_FILES['userfile']['name']));
	
	while($i<$k)
	{
		$name = $_FILES['userfile']['name'][$i];
		// hash this file's own name (not the whole name array) together with a random value
		$url = substr(sha1($name . rand()), 0, 12);
		
		if(isset($save_path) && $save_path!="")
		{
			move_uploaded_file($file['tmp_name'][$i], $save_path . $url . ".jpg");
			
			switch($pass)
			{
				case 1://original sql
					$sql = "INSERT INTO picture (picture_full, picture_author, picture_time) VALUES ('$url','$uid','$time')";
				 	$result = $this->db->query($sql);
				 	$pid = $this->db->insert_id();
				 	$_new[$pid] = $name;
				 	break;
				case 2://medium sized
					foreach($_new as $key => $value)
					{
						if($value == $name)
						{
							$pid = $key;
							$sql = "UPDATE picture SET picture_med = '$url' WHERE picture_id = '$pid'";
							$result = $this->db->query($sql);
						}
					}
					break;
				case 3://small sized
					foreach($_new as $key => $value)
					{
						if($value == $name)
						{
							$pid = $key;
							$sql = "UPDATE picture SET picture_small = '$url' WHERE picture_id = '$pid'";
							$result = $this->db->query($sql);
						}
					}
					break;
			}
			if($current >= $unique)
			{
				$pass++;
				$current = 1;
			}
			else $current++;
			$i++;
		}
	}
	echo $unique . " pictures successfully uploaded<br>";
}
?>

<!-- the applet.php part -->

<object type="application/x-java-applet;version=1.4.1"
width="300" height="309" id="thin" name="Thin Upload">
<param name="archive" value="ThinImage.jar">
<param name="code" value="com.thinfile.upload.ThinImageUpload">
<param name="MAYSCRIPT" value="yes">
<param name="name" value="Thin Image Upload">
<param name="props_file" value="thinupload.php">
</object>
Question by:bperin42
13 Comments
 

Expert Comment

by:CodilX
ID: 22727076
Why don't you try making the picture upload form in a popup? Or maybe try a different script for uploading.
0
 

Author Comment

by:bperin42
ID: 22727352
Both scripts work fine, but the Java can't handle any session variables. Making the Java applet open in a popup window yields the same results: empty sessions.
0
 

Expert Comment

by:larsson12
ID: 22738656
Hi

I have exactly the same problem with a self-written Java applet on one of many servers I'm using.

The applet does a URLConnection to a PHP script on the server (the same server as the applet is hosted on, which is necessary according to the Java sandbox).

If I set a session on the PHP page the Java applet is started from, the session should then be available in the PHP page that is called from within the applet.

The same script works perfectly on several other servers, but I can't figure out which PHP setting is different on the problem server...

I'm using exactly the same Apache (Apache/2.2.3) and PHP versions (5.2.0-8+etch11) on another server where it works perfectly. I have also checked all session settings which are presented with phpinfo() on both servers and they are identical.

bperin42: Have you solved the problem?

Anyone else having an idea?

Thanks!

-- Anders
0

 

Expert Comment

by:larsson12
ID: 22742550
Hi again...

I have solved the problem...

The session was destroyed by an installed PHP module called "suhosin", which is part of the "http://www.hardened-php.net/" project.

I deactivated the module and all works fine again.

I think the problem is that the user agent is different between the standard browser request and the request made by the Java applet, and the suhosin module then destroys the session, but I have verified this!

-- Anders
0
 

Author Comment

by:bperin42
ID: 22761687
How did you go about deactivating the module?
0
 

Expert Comment

by:larsson12
ID: 22761726
Hi

One way is to uninstall the entire suhosin module from the server or, as I did, just deactivate its options in the virtual host for my domain with this in the Apache conf:

php_admin_value suhosin.session.cryptdocroot 0
php_admin_value suhosin.session.cryptua 0
php_admin_value suhosin.session.encrypt 0
0
 

Author Comment

by:bperin42
ID: 22763305
I appended these 3 lines to my httpd.conf file:
php_admin_value suhosin.session.cryptdocroot 0
php_admin_value suhosin.session.cryptua 0
php_admin_value suhosin.session.encrypt 0

I rebooted the server, but those session variables are still being killed somewhere. Does it matter where I add the new lines in the config file?
0
 

Expert Comment

by:larsson12
ID: 22764830
I think the php_admin_value directives must be placed inside a virtual host directive in the Apache conf.

Have you checked that you really have the "suhosin" module installed in Apache?

You can check this with <?php phpinfo(); ?> on a PHP page.

With this code you can also check what the suhosin.session values are currently set to.
0
 

Author Comment

by:bperin42
ID: 22770633
Oh, maybe I don't then. Under the loaded modules section I have the following:

core prefork http_core mod_so mod_auth_basic mod_auth_digest mod_authn_file mod_authn_alias mod_authn_anon mod_authn_dbm mod_authn_default mod_authz_host mod_authz_user mod_authz_owner mod_authz_groupfile mod_authz_dbm mod_authz_default util_ldap mod_authnz_ldap mod_include mod_log_config mod_logio mod_env mod_ext_filter mod_mime_magic mod_expires mod_deflate mod_headers mod_usertrack mod_setenvif mod_mime mod_dav mod_status mod_autoindex mod_info mod_dav_fs mod_vhost_alias mod_negotiation mod_dir mod_actions mod_speling mod_userdir mod_alias mod_rewrite mod_proxy mod_proxy_balancer mod_proxy_ftp mod_proxy_http mod_proxy_connect mod_cache mod_suexec mod_disk_cache mod_file_cache mod_mem_cache mod_cgi mod_perl mod_php5 mod_proxy_ajp mod_python mod_ssl

No suhosin, but your explanation that the Java applet is using a different user agent makes so much sense. Any other ideas on how to sync these two? I also tried to add a value to the $_FILES array before the actual upload happens, but that got erased as well.
0
 

Expert Comment

by:larsson12
ID: 22774173
OK, then it must be some other session setting which is set on your server, because in a standard PHP installation the session will work fine.

If you can change the Java code, you should be able to set the user agent with this call (if the HttpURLConnection class is used):

conn.setRequestProperty ( "User-agent", "my agent name");
0
 

Author Comment

by:bperin42
ID: 22837644
Well, I figured out a solution, so I'll post it here in case anyone else runs into this problem.
Yes, the problem was that the Java code could not talk to PHP directly. I couldn't modify the code directly, but I did have access to the properties file, which basically just sets up how the Java code will run. Within this properties sheet there is a line that points to the URL of the PHP upload script. So what I did was create an upload token in PHP and append it to the URL. You could just append the user_id or whatever, like

upload.php?uid=25

however, people could mess with this.

So I used MySQL to generate a UUID. This UUID was stored in a table in the DB indexed by the user_id, and then the UUID is returned.

So I have upload.php?token=$uuid in the properties script.

upload.php then looks at this UUID token, goes into the database and recovers the user_id, which is then used to store the picture's information in the database.
0
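
The upload-token approach described in the post above, sketched as an added example that is not part of the original thread or the poster's code. It swaps MySQL's UUID() for PHP's random_bytes(), stores only a hash of the token, and expires it; the table name, function names, lifetime and the in-memory SQLite database (standing in for the MySQL database) are assumptions.

```php
<?php
// Added example: names are hypothetical; SQLite in memory stands in for MySQL.
const UPLOAD_TOKEN_TTL = 600; // seconds a token stays valid (assumed value)

function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE upload_token (
        token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');
    return $db;
}

// Called by the page that renders the applet, while $_SESSION['user_id'] is available.
function issue_upload_token(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, 64 hex characters
    $stmt = $db->prepare('INSERT INTO upload_token VALUES (?, ?, ?)');
    // Only the hash is stored, so a leaked table does not yield usable tokens.
    $stmt->execute([hash('sha256', $token), $userId, time() + UPLOAD_TOKEN_TTL]);
    return $token;
}

// Called by upload.php, which sees no session: maps ?token=... back to a user id.
function resolve_upload_token(PDO $db, string $token): ?int {
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null; // wrong shape, skip the lookup entirely
    }
    $stmt = $db->prepare('SELECT user_id FROM upload_token
                          WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $uid = $stmt->fetchColumn();
    return $uid === false ? null : (int) $uid;
}

// Constructed demonstration values.
$db    = open_demo_db();
$token = issue_upload_token($db, 25);
echo 'upload.php?token=' . urlencode($token), "\n"; // URL for the properties file

var_dump(resolve_upload_token($db, $token));              // the issued token
var_dump(resolve_upload_token($db, str_repeat('0', 64))); // a token that was never issued
var_dump(resolve_upload_token($db, '25'));                // a guessed user id

// After the lifetime has passed the same token no longer resolves.
$db->exec('UPDATE upload_token SET expires_at = 0');
var_dump(resolve_upload_token($db, $token));
```

Because the token travels in the URL it ends up in access logs, which is why the lifetime is kept short and the value is never the user id itself.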
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 23580950
PAQed with points refunded (500)

Computer101
EE Admin
0
