views: 50

answers: 4

Is it a bad idea to store a raw sql query in a php session variable for later use? Does this present any security issues?

A: 

It's not very clever to offer your SQL structure to everyone. If you do this, take care to escape your queries. If you do not, there is a danger of SQL injection (http://en.wikipedia.org/wiki/SQL_injection).

Tobias Bambullis
+3  A: 

In general, the session data is stored in a file in the server’s file system (see session.save_handler and session.save_path). If you protect that session data (e.g. by protecting the directory so that it is accessible only by PHP or your web server), you can put sensitive data into your session.

Note that if you’re on a shared host, it’s very probable that all users on that shared host have access to that session data directory. In that case you should either change that directory to one that only you have access to, or change the session save handler to store the session data in your personal database or somewhere else.

Gumbo
A: 

PHP session variables are stored on the server; the browser is only given a key for that data. The server generates this key randomly and associates the session data with that key. When the client requests a page, the session mechanism matches the key to the data and thus knows who the client is. The data itself is never exposed to the client, only the key is, so you're safe.

Core Xii
+1  A: 

It is theoretically a 'safe' practice, but not generally advisable. It is safe if you protect your session data correctly, however as a rule of thumb, I would say you shouldn't really do it in most cases.

Is there a reason you cannot re-generate this SQL when it is later needed? Perhaps your methodology is wrong, or you are not re-using your application code enough.

More specific details and perhaps example code for your distinct circumstance will yield a better response.

Craige