Re: Sessions and serializing (was: Checking data inserted - Mailing list pgsql-php

From Chris
Subject Re: Sessions and serializing (was: Checking data inserted
Msg-id 002001c43efd$9d893740$0d00a8c0@chris
In response to Re: Sessions and serializing (was: Checking data inserted  (Lynna Landstreet <lynna@gallery44.org>)
List pgsql-php
Hey Lynna,

> Oh, and one more question I forgot. If session_start and/or adding
> variables to $_SESSION does result in setting a cookie automatically,
> does that mean it has to be done at the beginning of the script, before
> any output, like with setcookie?

Yes - you need to do a session_start() before any output gets sent. See
http://www.php.net/session_start for a bit more info about it..

>> You won't need to use unserialize and serialize per page if you're
>> going to use sessions - you only need those if you're going to pass
>> the values in a URL or in a hidden form field.
>>
>> For sessions, you can simply
>> $my_array = array('1','2','3','4','5');
>> $_SESSION['blah'] = $my_array;
>>
>> sort of thing..

> OK. So if I'm just saving things into the $_SESSION array, I don't need
> to use serialize?

Correct.

> Most of the tutorials say that you can either pass session ids through
> the URL or through cookies, and that using cookies is better for
> security reasons. I'm OK with cookies because only a limited number of
> people will be using the admin system I'm setting up and I can tell them
> they have to have cookies enabled. It's not a part of the site that will
> be accessible to the general public. And from the sounds of it the
> cookie is set automatically without my having to do it with setcookie -
> right?

Yep. Everything gets stored on the server in the session_save_path
directory (you can set this yourself in your scripts - see
http://www.php.net/session_save_path :)


> But the thing that's confusing me now is that apparently in 4.2,
> --enable-trans-id is on by default, and that makes it automatically put
> the session ID in the URLs of relative links, unless I've misunderstood
> what it does? If passing the SID via URL is supposed to be bad from a
> security standpoint, is there some way I can make it not do this?
> Bearing in mind that I'm on a shared host so I can't mess with their
> overall PHP configuration? Or am I worrying about this too much?

If it's a worry you can turn it off - http://www.php.net/ini_set - look
for session.use_trans_sid . Since it's a PHP_INI_SYSTEM|PHP_PER_DIR you
can change it in a .htaccess file ...


>>> But according to one of the user comments in the manual I have to
>>> use addslashes() and stripslashes() if I want to be able to put the data
>>> into the database after unserializing it - is that right?

>> Yep. So you'll need to do
>> $value = addslashes(serialize($real_value));
>> and use $value in your query...
>> Then when you fetch out
>> $real_value = unserialize(stripslashes($value));

> And that's only if I'm putting the session itself into a form field or
> database, right?

Yep.

> If I extract the values from the $_SESSION array at the end of the
> update process and insert them into the database then, having just used
> cookies to store it in the meantime, then it doesn't need this? Or does
> it?

It depends :)

eg dob could be stored as an array -
$dob = array('dd' => '01', 'mm' => '01', 'yy' => '1970');

then you'll need to serialize it before saving it..

If you want the values saved separately, then no you won't (eg q1 = 'y',
q2 = 'blah' etc etc).

HTH.

Chris.
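A worked version of the points in this reply, added here as an example and not code from the original thread: keeping the session id out of URLs, starting the session before any output, storing an array straight into $_SESSION, and serializing only the value that goes into a single database column. It assumes the pgsql extension with pg_query_params (PHP 5.1 and later), an open connection in $conn, and a constructed table answers(id, dob, q1); the parameterised query is a substitute for the addslashes() approach discussed above, so the driver does the escaping.

```php
<?php
// Added example, not from the original thread. Table "answers" and $conn
// are constructed placeholders.

// Keep the session id out of relative links. On a shared host where
// ini_set() is not allowed for this directive, the equivalent .htaccess
// line is:  php_flag session.use_trans_sid off
ini_set('session.use_trans_sid', '0');
ini_set('session.use_only_cookies', '1');   // ignore any id passed in the URL

// Must run before anything is echoed, because it sends the cookie header.
session_start();

// Arrays go into $_SESSION as-is; PHP serializes them in session_save_path.
$_SESSION['dob'] = array('dd' => '01', 'mm' => '01', 'yy' => '1970');
$_SESSION['q1']  = 'y';

// Only a whole array stored in one column needs serialize(); scalars such
// as q1 are inserted directly. Placeholders avoid hand-escaping the data.
function save_answers($conn, array $session)
{
    $dob = serialize($session['dob']);   // array -> one text column
    $q1  = $session['q1'];               // scalar -> its own column
    return pg_query_params(
        $conn,
        'INSERT INTO answers (dob, q1) VALUES ($1, $2)',
        array($dob, $q1)
    );
}

// Read it back and unserialize only the column this application wrote.
function load_dob($conn, $id)
{
    $res = pg_query_params(
        $conn,
        'SELECT dob FROM answers WHERE id = $1',
        array($id)
    );
    $row = pg_fetch_assoc($res);
    return $row ? unserialize($row['dob']) : null;
}
```

The unserialize() call is applied only to a value the application itself serialized; form fields or URL parameters should never be fed to it, since serialized strings can describe objects. On PHP 7 and later, passing array('allowed_classes' => false) as the second argument to unserialize() restricts the result to plain arrays and scalars.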

