On Thu, Feb 14, 2008 at 9:23 AM, Hiep Nguyen <[EMAIL PROTECTED]> wrote:

> On Fri, 8 Feb 2008, Per Jessen wrote:
>
> > Hiep Nguyen wrote:
> >
> >> let say that user searched and found 10 records,
> >> in the meantime, other users may change any of these 10 records,
> >> so if we saved mysql statement and re-run mysql statement again, the
> >> result might be different.  to prevent this problem, i only want to
> >> download records that returned on this page only.
> >
> > This is more of a caching issue - then you determine how long you want
> > to keep the results for, and only re-run the mysql query when the
> > results have gone stale.
> >
> >
> > /Per Jessen, Zürich
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
> in the last couple days, i've looked into php $_SESSION and kinda get the
> concept.  my question is can i use $_SESSION to store mysql statement?
> what is the pro/con to store mysql statement in $_SESSION?
> with $_COOKIE, i can use setrawcookie to avoid urlencoding.  is there
> anything similar in $_SESSION?
>
> thanks,
> t. hiep
>
>

You can easily store a SQL statement in $_SESSION since the statement
is just a string. Are you asking if you can store the *result* of the
statement execution in $_SESSION?

You shouldn't store the SQL statement in cookies. It gives the end
user way too much insight into your DB implementation if they can see
the actual statement that you will be issuing to the database and it's
an even bigger security risk for SQL injection than simply using raw,
unescaped form input in a statement without validation! The attacker
doesn't even have to think how to create a parameter to escape out of
your statement - they can send you "DELETE FROM mysql.user" or any
other wonderful thing they like. Granted, your script should not be
using a db user account that has privileges to execute such a
statement, but that should give you a clue that this would be a VERY
bad idea.

URL encoding/decoding isn't really an issue with sessions since the
session data is stored internally on the server and does not have to
be urlencoded to be sent between the server and the browser in an HTTP
header.

Andrew
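An added illustration of the two points made in the thread (this is example code, not code from any of the posters): the SQL text stays on the server, only the search term and the IDs of the records the page actually showed go into `$_SESSION`, and the download step rebuilds a parameterised query from those IDs, so another user editing a record changes its content but never which rows are included. The DSN, credentials and the `records(id, title)` table are assumptions.

```php
<?php
// Example added here; not from the mailing-list thread.
// Assumed schema: records(id INT PRIMARY KEY, title VARCHAR).
session_start();

// Assumed connection details.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'secret');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Step 1: the search page. Only the search term and the IDs of the rows
// shown on this page are remembered; the SQL itself never leaves the server.
function runSearch(PDO $pdo, $term, $page, $perPage = 10)
{
    $stmt = $pdo->prepare(
        'SELECT id, title FROM records WHERE title LIKE :term ORDER BY id LIMIT :off, :cnt'
    );
    $stmt->bindValue(':term', '%' . $term . '%', PDO::PARAM_STR);
    $stmt->bindValue(':off', (int) (($page - 1) * $perPage), PDO::PARAM_INT);
    $stmt->bindValue(':cnt', (int) $perPage, PDO::PARAM_INT);
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    $ids = array();
    foreach ($rows as $row) {
        $ids[] = (int) $row['id'];   // store integers, nothing client-supplied
    }
    $_SESSION['search_term'] = $term;  // enough to re-run the search later
    $_SESSION['page_ids']    = $ids;   // exactly what the user saw
    return $rows;
}

// Step 2: the download page. Fetch by the remembered IDs so the set of rows
// cannot drift between viewing and downloading. The IN (...) list is made of
// placeholders; no SQL text is taken from $_COOKIE, $_GET or $_POST.
function downloadPageRecords(PDO $pdo)
{
    if (empty($_SESSION['page_ids'])) {
        return array();
    }
    $ids   = $_SESSION['page_ids'];
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt  = $pdo->prepare("SELECT id, title FROM records WHERE id IN ($marks)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, (int) $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage on the search page:
//   $rows = runSearch($pdo, $_GET['q'], (int) $_GET['page']);
// Usage on the download page:
//   $rows = downloadPageRecords($pdo);
```

Because the session lives on the server, the list of IDs needs no URL encoding and cannot be altered by the browser; the only thing the client holds is the session ID cookie. Storing the term rather than the finished statement also means a schema change or a later validation fix applies to every stored search at once.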
