filter_input for session variables

Is there some equivalent of filter_input I can use with $_SESSION as I would with $_POST?

When I tried, it gave the error:

Warning: filter_input(): INPUT_SESSION is not yet implemented

session_start();
$x=filter_input(INPUT_SESSION, 'x');
if ($x){
    echo $x;
}

PHP version: PHP Version 5.5.12-1+deb.sury.org~precise+1

I have the same problem as you. Maybe we are so rigorous, but I solved the problem without compromising any security/filter.

I used filter_var instead of filter_input.

An example is like this:

session_start();
$_SESSION['baba'] = "co";
$ses = filter_var($_SESSION['baba']);
if (!empty($ses)) {
    echo $ses;
}

Seems like $_SESSION doesn't work the same as $_SERVER. After many combinations I had a similar issue. I'll leave some of my code after fixing so you can see the difference:

Here is the original code with warnings due to direct access to these variables:

if  (   (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] == false) ||
        ($_SESSION['REMOTE_ADDR'] != $_SERVER['REMOTE_ADDR']) ||
        (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] == false) || 
        ($_SESSION['HTTP_USER_AGENT'] != $_SERVER['HTTP_USER_AGENT']) 
    ) {
    header("Location: ../login.php");
}

Below is the code after including filters and cleared warnings:

if  (   (!isset($_SESSION['loggedin']) || (filter_var($_SESSION['loggedin']) == false)) ||
        (filter_var($_SESSION['REMOTE_ADDR']) != filter_input(INPUT_SERVER,'REMOTE_ADDR')) ||
        (!isset($_SESSION['loggedin']) || (filter_var($_SESSION['loggedin']) == false)) || 
        (filter_var($_SESSION['HTTP_USER_AGENT']) != filter_input(INPUT_SERVER,'HTTP_USER_AGENT') ) 
    ) {
    header("Location: ../login.php");
    // Stop here so the rest of the page does not run after the redirect header is sent.
    exit;
}
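The check from the answers above, written as an added example that is not code from the thread: filter_var() called without a filter argument uses FILTER_DEFAULT, which passes the value through unchanged, so this version names an explicit filter per key and returns null for a missing key the way filter_input() does. The helper names session_input() and session_is_bound() are hypothetical, the sample arrays are constructed, and PHP 7 or later is assumed.

```php
<?php
/**
 * filter_input()-style read from a session array: null when the key is
 * absent, false when validation fails, the filtered value otherwise.
 */
function session_input(array $session, string $key, int $filter = FILTER_DEFAULT, $options = 0)
{
    if (!array_key_exists($key, $session)) {
        return null;
    }
    return filter_var($session[$key], $filter, $options);
}

/**
 * True only when the session is logged in and its stored client address
 * and user agent match the current request.
 */
function session_is_bound(array $session, array $server): bool
{
    $loggedIn = session_input($session, 'loggedin', FILTER_VALIDATE_BOOLEAN);
    $ip       = session_input($session, 'REMOTE_ADDR', FILTER_VALIDATE_IP);
    $agent    = session_input($session, 'HTTP_USER_AGENT'); // raw string, compared only

    return $loggedIn === true
        && is_string($ip)
        && is_string($agent)
        && isset($server['REMOTE_ADDR'], $server['HTTP_USER_AGENT'])
        && $ip === $server['REMOTE_ADDR']
        && $agent === $server['HTTP_USER_AGENT'];
}

// Constructed sample data standing in for $_SESSION and $_SERVER.
$session = ['loggedin' => true, 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0'];
$same    = ['REMOTE_ADDR' => '203.0.113.7',  'HTTP_USER_AGENT' => 'ExampleBrowser/1.0'];
$moved   = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0'];

var_dump(session_is_bound($session, $same));   // matching request
var_dump(session_is_bound($session, $moved));  // address changed
var_dump(session_is_bound([], $same));         // no session data at all

// In a page, after session_start():
// if (!session_is_bound($_SESSION, $_SERVER)) {
//     header('Location: ../login.php');
//     exit;
// }
```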

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. For any questions, please contact: yoyou2525@163.com.
