
PHP and Sessions

I've just started using PHP for session management (done a lot of it in
ISAPI/Delphi for many years).

My question is this:

I want to have a number of variables, for example $customer_id which
are session variables.

The PHP book I have been reading talks about
session_register('customer_id'), but I have seen people comment that
this is bad practice.

How should I approach this ?

I've tried putting $customer_id = $_SESSION['customer_id'], but have
found it difficult to rewrite the changed value back into the _SESSION
array at the end of the request.

Is there any way to get around this ?

I'm running PHP in a CGI mode under IIS ....
--
Spam:newsgroup(at)cr*********@verisign-sux-klj.com
EMail:<0110001100101110011000100111010101110010011 010110
11001010100000001100011011100100110000101111010011 011100
11000010111001000101110011000110110111101101101001 00000>
Jul 17 '05 #1
127.0.0.1 wrote:
How should I approach this ?


Php manual says:

use either this:

$barney = "A big purple dinosaur.";
session_register("barney");

or this:

$_SESSION["zim"] = "An invader from another planet.";

but NOT both :)

IMHO, $_SESSION is easier to use. Just use it like a normal variable, remember
to start a session at the top of the page, and you'll have no confusion about which
var is session and which isn't.

--- --- --- --- --- --- ---
ja**@croatiabiz.com
Jul 17 '05 #2
jack wrote:
IMHO, $_SESSION is easier to use. Just use it like normal variable,
remember to start a session on top of page, and you'll have no
confusion about which var is session and which isn't.


I want to use $_SESSION to access the information, but am concerned
about supposed security issues.

I need to have the variables assigned to/from normal variables though
.... so I'd have to assign $_SESSION['x'] to/from $x at some point.

Jul 17 '05 #3
KAH
"127.0.0.1" <newsgroup(at)cr*********@verisign-sux-ijlkl.com> wrote in
news:gR********************@news-server.bigpond.net.au:
I want to use $_SESSION to access the information, but am concerned
about supposed security issues.
What security issues? The only way to manipulate session data is if you use
register_globals.
I need to have the variables assigned to/from normal variables though
... so I'd have to assign $_SESSION['x'] to/from $x at some point.


Why? $_SESSION is a superglobal, you can *always* access it.

KAH
Jul 17 '05 #4
KAH
"jack" <ja**@croatiabiz.com> wrote in news:bl**********@ls219.htnet.hr:
use either this:

$barney = "A big purple dinosaur.";
session_register("barney");

or this:

$_SESSION["zim"] = "An invader from another planet.";

but NOT both :)


To be accurate, you can only use session_register() if you have
register_globals enabled, which you should never have.

KAH
Jul 17 '05 #5
With total disregard for any kind of safety measures KAH
<ka*@kahnews.cjb.net> leapt forth and uttered:
What security issues? The only way to manipulate session data is
if you use register_globals.


Errrr... what?

The only way to manipulate session data using the session_ functions
is if register_globals is enabled.

If it isn't you just use the $_SESSION superglobal. Which is
available regardless of how register_globals is set.

--
There is no signature.....
Jul 17 '05 #6
Phil Roberts wrote:
If it isn't you just use the $_SESSION superglobal. Which is
available regardless of how register_globals is set.


But how do I guarantee return of my $xxx variable back into the
$_SESSION['xxx'] super-global before the end of the script.

Jul 17 '05 #7
KAH wrote:
To be accurate, you can only use session_register() if you have
register_globals enabled, which you should never have.


Which brings me back to the original problem .... how do I ensure that
my $xxx variable is stored back in $_SESSION['xxx'] before the script
execution ends (for whatever reason).

Jul 17 '05 #8
127.0.0.1 wrote:
Phil Roberts wrote:

If it isn't you just use the $_SESSION superglobal. Which is
available regardless of how register_globals is set.

But how do I guarantee return of my $xxx variable back into the
$_SESSION['xxx'] super-global before the end of the script.


$_SESSION['xxx'] = $xxx;

What's the trouble ?

Jul 17 '05 #9
Bruno Desthuilliers wrote:
127.0.0.1 wrote:
Phil Roberts wrote:
If it isn't you just use the $_SESSION superglobal. Which is
available regardless of how register_globals is set.
But how do I guarantee return of my $xxx variable back into the
$_SESSION['xxx'] super-global before the end of the script.

$_SESSION['xxx'] = $xxx;

What's the trouble ?


Where does one put that line of code to ensure it is always executed
before the script ends - in any of the ways it can end.

Is there an 'onexit' call back that gets called before the script exits
?

The top of a PHP script will always be executed, but the bottom may not.

Jul 17 '05 #10
"127.0.0.1" <newsgroup(at)cr*********@verisign-sux-ijlkl.com> schrieb:
Which brings me back to the original problem .... how do I ensure that
my $xxx variable is stored back in $_SESSION['xxx'] before the script
execution ends (for whatever reason).


I think register_shutdown_function() should do the trick.

But why do you have to use a variable like $xxx? Why can't you use
$_SESSION['xxx'] all the time?

Regards,
Matthias
Jul 17 '05 #11
Matthias Esken wrote:
Which brings me back to the original problem .... how do I ensure
that my $xxx variable is stored back in $_SESSION['xxx'] before the
script execution ends (for whatever reason).
I think register_shutdown_function() should do the trick.


Thanks...


But why do you have to use a variable like $xxx? Why can't you use
$_SESSION['xxx'] all the time?


To do with templating and stuff which I am doing..

Jul 17 '05 #12
With total disregard for any kind of safety measures "127.0.0.1"
<newsgroup(at)cr*********@verisign-sux-ijlkl.com> leapt forth and
uttered:
Is there an 'onexit' call back that gets called before the
script exits ?

The top of a PHP script will always be executed, but the bottom
may not.


http://uk2.php.net/register_shutdown_function

Jul 17 '05 #13
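The write-back-at-exit approach Matthias and Phil point at, as an added example that is not part of the thread: a plain $customer_id is used by the rest of the script and copied into $_SESSION from a register_shutdown_function() callback. The variable name and the sample value 42 are constructed for illustration. Shutdown functions run on normal completion, on exit(), and after a fatal error, and they run before the session extension writes the session out, so the callback can still store values; the session_status() check covers the case where session_write_close() was already called earlier in the request, after which assignments to $_SESSION are silently lost.

```php
<?php
// Added example (not from the thread): keep working on a plain $customer_id and
// have it copied back into $_SESSION when the script ends, however it ends.
// register_shutdown_function() callbacks run on normal completion, on exit(),
// and after a fatal error, before the session extension writes the session.
// The variable name and values are constructed for illustration.
declare(strict_types=1);

session_start();

// Working copy for the rest of the script (and its templates).
$customer_id = $_SESSION['customer_id'] ?? null;

// Capture by reference so the value at shutdown is stored, not the value the
// variable had when the callback was registered.
register_shutdown_function(function () use (&$customer_id): void {
    // If session_write_close() already ran earlier in the request, the session
    // is no longer active and any assignment here would be silently lost.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        return;
    }
    $_SESSION['customer_id'] = $customer_id;
    // Persist now rather than relying on the engine's shutdown order.
    session_write_close();
});

// ... page logic changes the working copy ...
$customer_id = 42;

// An early exit still triggers the shutdown function.
exit('done' . PHP_EOL);
```

A shutdown function cannot help if the process is killed outright (a worker recycle or a hard timeout at the web-server level rather than PHP's max_execution_time), and session_write_close() should be called only once per request. If the script simply reads and writes $_SESSION['customer_id'] directly, as the other replies suggest, none of this machinery is needed.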
KAH
Phil Roberts <ph*****@HOLYflatnetSHIT.net> wrote in
news:Xn*************************@216.196.97.132:
The only way to manipulate session data using the session_ functions
is if register_globals is enabled.

If it isn't you just use the $_SESSION superglobal. Which is
available regardless of how register_globals is set.


I guess I wasn't precise enough; what I meant was that the only way for a
user to manipulate the session data (which they shouldn't be allowed to do
directly) is if r_g is on.

KAH
Jul 17 '05 #14
KAH wrote:
which they shouldn't be allowed to do
directly


I keep hearing this .... and I keep asking - Why ?

What is wrong with session_register('X'); $X = 'abc';

Jul 17 '05 #15
With total disregard for any kind of safety measures "127.0.0.1"
<newsgroup(at)cr*********@verisign-sux-ijlkl.com> leapt forth and
uttered:
KAH wrote:
which they shouldn't be allowed to do
directly


I keep hearing this .... and I keep asking - Why ?

What is wrong with session_register('X'); $X = 'abc';


session_register() only works if register_globals is activated. And
you shouldn't be using it regardless. Just use the $_SESSION array,
at least you'll always be able to tell the difference between a
session variable and an ordinary one.

Jul 17 '05 #16
Phil Roberts wrote:
which they shouldn't be allowed to do
directly


I keep hearing this .... and I keep asking - Why ?

What is wrong with session_register('X'); $X = 'abc';


session_register() only works if register_globals is activated. And
you shouldn't be using it regardless.


Why ?

Jul 17 '05 #17
KAH
"127.0.0.1" <newsgroup(at)cr*********@verisign-sux-ijlkl.com> wrote in
news:bU********************@news-server.bigpond.net.au:
Why ?


Because register_globals opens up a security hole. Imagine you use a
session-var, $loggedin, to check if the user is logged in. If you have
register_globals enabled, then the user can just request:

http://example.com/private/privatearea.php?loggedin=1

and your script will think the user's logged in. With r_g off, you're
keeping data from the different input methods separated, and you prevent
the user from injecting variables into your script. There is absolutely no
way the user can manipulate the value of a session variable if you have r_g
off, and use the $_SESSION superglobal, besides hacking your server.

The problems with register_globals have been discussed hundreds of times
here, and in other places, Google for it.

KAH
Jul 17 '05 #18
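The ?loggedin=1 hole KAH describes, next to the check that closes it, as an added example that is not part of the thread. register_globals was removed in PHP 5.4, so the example uses extract() to reproduce its effect of turning request keys into plain variables; the function names, the loggedin key and the sample inputs are constructed for illustration, and the two functions take arrays so the script runs from the CLI without a real session.

```php
<?php
// Added example (not from the thread): the register_globals hole KAH describes,
// next to the $_SESSION-only check that closes it. register_globals itself was
// removed in PHP 5.4, so extract() is used here to reproduce its effect of
// turning request keys into plain variables. Runs stand-alone from the CLI.
declare(strict_types=1);

// Vulnerable: the page tests a bare $loggedin and relies on "something"
// having set it. With register_globals on, that something could be the
// query string (?loggedin=1) whenever the session had no value of its own.
function privateAreaVulnerable(array $get, array $session): string
{
    extract($get);       // request variables first...
    extract($session);   // ...then session variables, mirroring variables_order=EGPCS
    // Anonymous user: $session is empty, so $loggedin came straight from $get.
    if (!empty($loggedin)) {
        return 'secret page';
    }
    return 'login required';
}

// Hardened: only the server-side session array is consulted, with an explicit
// key check and a strict comparison. Nothing in the request can reach it.
function privateAreaHardened(array $get, array $session): string
{
    if (isset($session['loggedin']) && $session['loggedin'] === true) {
        return 'secret page';
    }
    return 'login required';
}

// Constructed inputs: an anonymous visitor (empty session) who appends
// ?loggedin=1 to the URL. In a real page these are $_GET and $_SESSION.
$forgedRequest    = ['loggedin' => '1'];
$anonymousSession = [];

echo 'vulnerable: ', privateAreaVulnerable($forgedRequest, $anonymousSession), PHP_EOL;
echo 'hardened:   ', privateAreaHardened($forgedRequest, $anonymousSession), PHP_EOL;

// Same hardened check with a genuine login recorded server-side.
$loggedInSession = ['loggedin' => true];
echo 'hardened, real login: ', privateAreaHardened([], $loggedInSession), PHP_EOL;
```

The vulnerable function is exactly what a script written for register_globals looked like: it never says where $loggedin comes from, so the first input source that supplies the name wins. The hardened version names the source ($_SESSION), checks that the key exists, and compares against the exact value the login code stores, so a string "1" from the query string would not pass even if it somehow reached the session array.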
KAH wrote:
The problems with register_globals have been discussed hundreds of
times here, and in other places, Google for it.


Have googled, not much found in specifically why it can't be used.

So - how do I 'session' a variable like $x, without this ?

I'm working on using that script exit procedure that someone else
hinted at - but is there a better way ?

Jul 17 '05 #19
KAH
"127.0.0.1" <newsgroup(at)cr*********@verisign-sux-ijlkl.com> wrote in
news:Kx*********************@news-server.bigpond.net.au:
Have googled, not much found in specifically why it can't be used.

So - how do I 'session' a variable like $x, without this ?

I'm working on using that script exit procedure that someone else
hinted at - but is there a better way ?


Yes, the better way is to forget all about your $x variable, and use
$_SESSION['x'] instead. Why are you so reluctant to leave the data in the
session array?

It surprises me that you didn't find any specific information on why r_g is
bad. I did explain it in my post (briefly), though. If you need any clear-
ups on that, ask away.

KAH
Jul 17 '05 #20
KAH wrote:
Yes, the better way is to forget all about your $x variable, and use
$_SESSION['x'] instead. Why are you so reluctant to leave the data in
the session array?


Because of templating issues .... $X is it...

Jul 17 '05 #21
"127.0.0.1" <newsgroup(at)cr*********@verisign-sux-ijlkl.com> wrote in
message news:hs********************@news-server.bigpond.net.au...
KAH wrote:
Yes, the better way is to forget all about your $x variable, and use
$_SESSION['x'] instead. Why are you so reluctant to leave the data in
the session array?


Because of templating issues .... $X is it...


Please explain. I have no problem using $_SESSION['x'] in my templates.

Paulus
Jul 17 '05 #22
Paulus Magnus wrote:
"127.0.0.1" <newsgroup(at)cr*********@verisign-sux-ijlkl.com> wrote in
message news:hs********************@news-server.bigpond.net.au...
KAH wrote:
Yes, the better way is to forget all about your $x variable, and
use $_SESSION['x'] instead. Why are you so reluctant to leave the
data in the session array?


Because of templating issues .... $X is it...


Please explain. I have no problem using $_SESSION['x'] in my
templates.


To do with X being variable in my templating system, and needing to
refer to it as $X, or as X=???? etc.

Basically the bit after the $ has to be a valid identifier ...
_SESSION[' '] is not.

If I used $_SESSION_X for 'X' then I might be able to get around it.

Jul 17 '05 #23
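One way to get the identifier-safe variables the templating system needs (the $_SESSION_X idea in the post above) without a write-back step at all, as an added example that is not part of the thread: extract() with EXTR_REFS binds each existing session key to a local variable by reference, and EXTR_PREFIX_ALL keeps session keys from overwriting the script's own variables. The prefix sess, the key names and the sample values are constructed for illustration.

```php
<?php
// Added example (not from the thread): give the template layer identifier-safe
// variables ($sess_customer_id rather than $_SESSION['customer_id']) that are
// references into $_SESSION, so no write-back step is needed at all.
// Key names and sample values are constructed for illustration.
declare(strict_types=1);

session_start();

// Seed the session on the first request (constructed sample data).
$_SESSION += ['customer_id' => 1001, 'cart_items' => 0];

// Bind each existing session key to a local variable BY REFERENCE, with a
// prefix so session keys can never overwrite the script's own variables.
// This is safe only because $_SESSION is written by the server; doing the same
// to $_GET or $_POST would recreate register_globals.
extract($_SESSION, EXTR_PREFIX_ALL | EXTR_REFS, 'sess');

// Templates use the prefixed variables like any other...
$sess_cart_items += 3;

// ...and the session array already holds the new value, so the normal
// session write at the end of the request persists it.
echo $_SESSION['cart_items'] === $sess_cart_items ? 'in sync' : 'out of sync', PHP_EOL;

// Only keys that existed when extract() ran are bound. A key added later is
// reached through the array (or by calling extract() again).
$_SESSION['last_page'] = 'checkout';
echo isset($sess_last_page) ? 'bound' : 'not bound, use $_SESSION directly', PHP_EOL;
```

Because the binding is a reference, unset($sess_cart_items) drops only the local alias, not the session entry. The caveat in the comments is the important one: extract() is acceptable here precisely because the array comes from the server-side session store; applying it to request input is the register_globals problem again.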