[PHP-DB] Problem using session by submitting the session id through a form

2005-01-08 Thread Henk Jan Wils
Hi,
My session only seems to work when I use the link tag (like <a 
href=nextpage.php?PHPSESSIONID=blahblahblah></a>)

But when I send the sessionid within a form in a hidden tag (<input 
type=hidden name=phpsessionid value=blahblah>) the session stops. For my 
session to work correctly I have to send my sessionid at every link and at 
every submit. My question now is: how can I send the sessionid by using a 
form and not by putting the sessionid in the a-tag?

Greetz Henk Jan 

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP-DB] Problem using session by submitting the session id through a form

2005-01-08 Thread graeme
Hi,
Not certain what is happening; try the following script. On my machine 
the form retains the session ID. Note that sending the ID as a GET is 
only done for cross-checking. You can remove it and there will be no 
change in the display.

<?php
   // Start or resume the session before any output is sent.
   session_start();
?>
<html>
<body>
<?php
   $id = session_id();
   echo $id;
?>
   <form action="test1.php?<?php echo $id; ?>" method="post"><input type="submit"></form>
</body>
</html>

If you run this and don't get the session ID being maintained then there 
would appear to be some problem with your setup, but we'll probably 
require more info: OS, PHP version, etc.

graeme.


Re: [PHP-DB] Problem using session by submitting the session id through a form

2005-01-08 Thread Henk Jan Wils
Thanks, I did use the GET method to send a form. With POST it works!!! 
Thanks again!

- Original Message - 
From: graeme [EMAIL PROTECTED]
To: Henk Jan Wils [EMAIL PROTECTED]
Cc: php-db@lists.php.net
Sent: Saturday, January 08, 2005 11:36 AM
Subject: Re: [PHP-DB] Problem using session by submitting the session id 
through a form




[PHP-DB] String Parsing/Escaping

2005-01-08 Thread Alexander Mueller
Hi,
below are three versions of an SQL call along with escaping the passed 
value.

 $value=mysql_escape_string($_POST['value']);
 mysql_query('SELECT * FROM table WHERE field="'.$value.'"');

  + Fastest Code
  - Con: Bad Readability, Value needs to be escaped separately

 $value=mysql_escape_string($_POST['value']);
 mysql_query(sprintf('SELECT * FROM table WHERE field="%s"', $value));

  + Good Readability
  - Value needs to be escaped separately

sql_sprintf() is a custom version of sprintf() which automatically 
escapes all passed parameters.

 mysql_query(sql_sprintf('SELECT * FROM table WHERE field="%s"', $_POST['value']));

  + Good Readability, Value does not need to be escaped separately
  - Slowest Code

Up until now I have only used the first version for all SQL work I did. 
Now however I am looking for a better and more abstracted solution. I 
did some quick tests (only for the string parsing, without actual SQL 
queries) and noticed that the performance (as expected) continually 
degrades by moving from the top code down the list. While the third 
version is probably the most secure one due to the fact that 
sql_sprintf() always checks for escape sequences, it is also the 
slowest. Especially when the same value is used multiple times because 
then it is (unnecessarily) escaped again and again for each call, 
whereas the second version only escapes it once. THIS however is at the 
same time the big advantage of the third code, because the developer 
does not need to escape the data manually.

Now my question is, what would be a good/the best compromise, or are 
there any other solutions for this particular issue?

Thanks,
Alexander
PS: All this code is considered to run under magic_quotes_gpc OFF.
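
An added example, not part of the post above or of any code from the list: bound parameters keep the "value does not need to be escaped separately" property of the third variant, while the statement is prepared once and reused, so a repeated value is never escaped again. It assumes PDO with the SQLite driver and an in-memory database; the table `items`, the helper `find_by_field()` and the sample inputs are constructed for illustration.

```php
<?php
// Added example: bound parameters instead of manual escaping.
// Assumptions: PDO with the SQLite driver, an in-memory database, and a
// constructed table `items` with a text column `field`.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, field TEXT)');

// Constructed sample rows, inserted through a prepared statement as well.
$insert = $db->prepare('INSERT INTO items (field) VALUES (?)');
foreach (['alpha', "O'Reilly", 'beta'] as $row) {
    $insert->execute([$row]);
}

// Prepared once. The SQL text is fixed and never contains the value,
// so there is nothing to escape and nothing to forget to escape.
$select = $db->prepare('SELECT id, field FROM items WHERE field = :value');

// Hypothetical helper: run the prepared SELECT for one value.
function find_by_field(PDOStatement $stmt, string $value): array
{
    $stmt->execute([':value' => $value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for $_POST['value'].
$inputs = [
    "O'Reilly",      // legitimate value containing a quote character
    "x' OR '1'='1",  // quote-breaking input, compared as plain data
    'alpha',
];

// The same statement object is reused for every lookup.
foreach ($inputs as $input) {
    $rows = find_by_field($select, $input);
    printf("%-16s -> %d row(s)\n", $input, count($rows));
}
```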