Hello SO,

So for a bit of background, I am creating a website with the Zend Framework. There is a page where I am using AJAX to save a rating to my database. I obviously need the key for the store in order to know what store the rating is to be saved for.

In order to access the store for the page, the URL is MYSTORE.com/stores/2. The 2 is the store key, so it could be 13, 10, whatever. What my PHP script currently does is when it loads the page, it stores the store_id in the session. Then if they rate the store (all in JS), it will snag the store_id value from the session, and combine them to send an insert to my database. So here's my problem.

Somewhere down the line, I'll probably want to cache to save my server some trouble. I have never used one before, and am worried that instead of running the script that saves the store_id to session, the page loads from the cache and never stores store_id. This would mean that the review could theoretically be saved to the wrong store. Is this a reasonable worry, and is there a way around this?

My other question is if there was maybe a better way to do it. I'm hesitant to place the store id into the JS or HTML since (at least I think) you can mess with the scripts through Firebug, or other web tools. I'd like my page to be secure. Is there a better way to do this?

I hope my question makes sense, and thank you in advance.

-Ethan

+1  A: 

My advice is don't solve a problem until you have a problem. When they load the page just put the movie ID in the URL, possibly with some sort of checksum or hash so someone can't just blanket upvote and downvote every ID.

There's no need to store this in the session. Just keep it in the database until you need to change it. Don't forget that sessions are file-based. Using them for performance gains is a little misguided. Just use them where appropriate.

Knuth said "premature optimization is the root of all evil" and that's what this looks like to me. You're right in that you greatly complicate your code by keeping an ID in the session and that can get out of sync with what the user is seeing (e.g. using the back button). Stick the ID in the webpage and that problem is solved.

cletus
That's a fair point. This is my first website. Are security issues like this hugely important to worry about? Is it likely that some 4channer will come around and mess with my site because he can?
Ethan
In my experience, you should just assume someone is going to mess with you so just take some trivial steps to avoid it, like putting sha1("secret string " + $user_id + " " + $movie_id) in the request to vote and then checking that when you receive it.
cletus
That makes sense, thank you!
Ethan
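A concrete version of the checksum cletus describes, added here as an example and not code from the question or the answer. It uses a keyed HMAC (hash_hmac) rather than a bare sha1 over a secret string, and assumes a server-side secret kept in the application config, the logged-in user's id, and a vote endpoint that receives store_id and token from the page.

```php
<?php
// Added example: sign the store id that goes into the page so the vote
// endpoint can reject a tampered or guessed store_id. The secret is a
// placeholder; in a real app it lives in config, never in the page.

// Token for a (user, store) pair: an HMAC over both ids, keyed with the
// secret, so a client cannot produce a valid token for another store.
function make_vote_token(string $secret, int $userId, int $storeId): string
{
    return hash_hmac('sha256', "vote|{$userId}|{$storeId}", $secret);
}

// Constant-time comparison so a token cannot be guessed byte by byte.
function verify_vote_token(string $secret, int $userId, int $storeId, string $token): bool
{
    return hash_equals(make_vote_token($secret, $userId, $storeId), $token);
}

// --- Rendering the store page (/stores/2): put both values in the markup.
$secret  = 'replace-with-a-long-random-value-from-config'; // placeholder
$userId  = 7;  // constructed: the logged-in user's id
$storeId = 2;  // constructed: taken from the route /stores/2
$token   = make_vote_token($secret, $userId, $storeId);

printf(
    '<button data-store-id="%d" data-token="%s">Rate this store</button>' . "\n",
    $storeId,
    htmlspecialchars($token, ENT_QUOTES, 'UTF-8')
);

// --- Handling the AJAX vote: the browser posts store_id and token back.
$post        = ['store_id' => '2', 'token' => $token, 'rating' => '4']; // constructed request
$postedStore = (int) $post['store_id'];

if (!verify_vote_token($secret, $userId, $postedStore, $post['token'])) {
    http_response_code(403);
    echo "rejected: store_id or token was altered\n";
} else {
    // Safe to insert: this store id is the one the user was actually shown.
    echo "accepted rating {$post['rating']} for store {$postedStore}\n";
}

// Changing the id to 13 while keeping the old token fails verification.
var_dump(verify_vote_token($secret, $userId, 13, $token)); // bool(false)
```

Because the token binds the user id, a cached copy of the page would have to be per user (or the token fetched in a separate uncached request); binding only the store id keeps the page cacheable per URL at the cost of that per-user binding.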