ansaurus

Question

How to use sessions in place of a querystring

Answer 1

+2 A:

UPDATED (Again ... Yeah, I know.)

Allowing access to a particular set of data through a $_GET parameter is much more accessible to any user that happens to be using the application.

UPDATED

For storing a private record key, you are probably going to want to use post data, and if you really want it to look like a link, you can always use CSS for that part.

Honestly, the best way to stop people from reading other people's mail is by having a relationship table that says only X person is able to access Y email (by id). That or have a field that says who is the 'owner' of the email.

The fact is that users can still get access to POST parameters, and can easily forge their own POST parameters. This means that anyone could realistically access anyone else's email if they knew the naming scheme.

In an ideal system, there would be a Sender, and a Recipient (The Recipient could be comma separated values). Only the people that are on one of those columns should be allowed to access the email.

How To Use Sessions (From Earlier)

First start off with calling session_start(), and then after that check for variables from previous scripts. If they aren't present, generate them. If they are, grab them and use them.

session_start();

if(!isset($_SESSION['db_key']))
{
    $_SESSION['db_key'] = // generate your database key
}
else
{
    $db_key = $_SESSION['db_key'];
}

Sessions are stored in the $_SESSION array. Whenever you want to use $_SESSION, you need to call session_start() FIRST and then you can assign or grab anything you like from it.

When you want to destroy the data, call session_destroy();

Also check out php.net's section on Sessions

Chacha102 2009-07-23 03:36:34

Hi Chacha102. Thanks for the hand. The database key always exists and is basically for viewing the data. So, if I'm using a foreach to list out the rows in my html form, I would generally incluse a link that the user can click. That database key needs to be included in the link to show the user the proper row of data. I'm not seeing how I can use your code to so this. Am I wrong?

2009-07-23 03:42:28

Is the Database key unqiue to the user or the individual call? Meaning: Is the user tied to that specific row?

Chacha102 2009-07-23 03:44:31

If a User should always see the same record, then you can store that record key in the SESSION and instead of including it in the link, just store it in the session so whenever the user goes to that page, they see the same data.

Chacha102 2009-07-23 03:45:27

If a User can see different sets of data, then it is probably best to include the key in the URL using an acceptable string.

Chacha102 2009-07-23 03:46:40

Chacha102, the key is unique and would point to a specific record that the user wants to see. I'm also going to post some additional info above in my OP

2009-07-23 03:48:08

Thanks Chacha. I currently have the message related in the database and have a check function that makes sure that the person that is trying to view the message is in fact the owner. That seems to be working well but after looking at the long querystring, I couldn't help but wonder if there was a better way to do this all together. It seems as though I'm on the right track though. Thanks for all your help and suggestions.

2009-07-23 03:58:57

You have 2,000 characters in the query string, honestly. Google uses almost all of them for Gmail. If you want it to be shorter, use a numerical ID instead of a string. That also is faster for MySQL to process.

Chacha102 2009-07-23 04:01:02

Query Strings allow messages to be bookmarked, copy/pasted for person usage, etc. Requiring them to get a message through a form/session data is a big usability problem.

Chacha102 2009-07-23 04:01:56

Ok, you sold me on it. I was also leaning towards leaving the system as it is. I mean, I have programmed in all the checkes I could to ensure security and I think that's about all I can do. I certainly don't need any usability issues popping up later. BTW: This system isn't going to be used on the net at all, it's just going to be used locally.

2009-07-23 04:06:55

You see that Checkbox next to the Up/Down Arrows? Click it next to my Answer! lol. Glad I could help.

Chacha102 2009-07-23 04:07:53

Thanks again! ;) Actually, thanks to all.

2009-07-23 04:11:05

Answer 2

A:

There are some examples on how to use $_SESSION on php.

Registering a variable with $_SESSION

Freddy 2009-07-23 03:39:25

Answer 3

A:

Your question isn't too clear to me, but I understand it like this:

You need some variables to decide what is being displayed on the page. These variables are being passed in the URL. So far so good, perfectly normal. Now you want to hide these variables and save them in the session?

Consider this: Right now, every page has a unique URL.

http://mysite.com/page?var1=x&amp;var2=y

displays a unique page. Whenever you visit the above URL, you'll get the same page.

What you're asking for, if I understand correctly, is to use one URL like

http://mysite.com/page

without variables, yet still get different pages? That's certainly possible, but that means you'll need to keep track of what the user is doing on the server. I.e. "user clicked on 'Next Page', the last time I saw him he was on page X, so he should now be on page Y, so when he's requesting the site the next time, I'll show him page Y."

That's a lot of work to do, and things can get awkward quickly if the user starts to use the back button. I don't think this is a good idea.

If you need to take sensitive information out of the URL, obfuscate them somehow (hashes) or use alternative values that don't have any meaning by themselves.

It completely depends on your application of course, if the user is accumulating data over several pages, Sessions are the way to go obviously. Can you be a bit more descriptive on what your app is doing?

Edit:

but the problem is that I don't want people to change the number and read other people's mail

If your primary concern is security, that's the wrong way to do it anyway. Security through obscurity is not gonna work. You need to explicitly check if a user is allowed to see a certain piece of info before displaying it to him, not just relying on him not guessing the right id.

deceze 2009-07-23 03:41:47

I think you're right about not being a good idea, I'm starting to see that now. You understood what I was trying to do. :) Thanks for the help. I'm also going to post a bit more info above; it may help people understand a little better.

2009-07-23 03:47:00

An upvote and maybe even accepting my answer would be awesome then. :-P

deceze 2009-07-23 03:51:22

Thanks again. I'm currently checking to make sure that the user that is trying to view the message is in fact the owner if not, they get an error message; that is working fine but I really just wanted to do away with the q-strings if possible. I already tried to vote your answer up but it tells me to register. :/

2009-07-23 04:03:12

Answer 4

A:

The issue with using sessions for using it in place of S$_GET or $_POST is that you need some way to read the user's input so that you can store it in the session, and you need a way to trigger a page refresh. Traditional means is via hyperlinks, which defaults to GET (unless you use Javascript) or forms, which defaults to POST.

Maybe ajax will help you here. Once the user has enter info into a form or a checkbox, use JS to send a request to insert the info to the PHP and send info back, whether it is to refresh the page or to fill a with content.

Hope this helps

Extrakun 2009-07-23 03:48:32

Hey Extrakun, thanks for the help. Your right and that is where I am hung up. I don't know how to echo the data in the form yet hide it when it is posted. AJAX is a solution but I know absolutely NO js at all. I love what it can do but I have wasted so much time in the past trying to figure it out that I decided not to use it in this app.

2009-07-23 03:54:01

ansaurus

tags:

views:

answers:

How to use sessions in place of a querystring

related questions