Re: Sessions and serializing (was: Checking data inserted

Hey Lynna,

> Oh, and one more question I forgot. If session_start and/or adding
variables to $_SESSION does result in setting a cookie automatically,
does that mean it has to be done at the beginning of the script, before
any output, like with setcookie?

Yes - you need to do a session_start() before any output gets sent. See
http://www.php.net/session_start for a bit more info about it..

>> You won't need to use unserialize and serialize per page if you're
>> going to use sessions - you only need those if you're going to pass
>> the values in a URL or in a hidden form field.
>>
>> For sessions, you can simply
>> $my_array = array('1','2','3','4','5');
>> $_SESSION['blah'] = $my_array;
>>
>> sort of thing..

>OK. So if I'm just saving things into the $_SESSION array, I don't need
to use serialize?

Correct.

>Most of the tutorials say that you can either pass session ids through
the URL or through cookies, and that using cookies is better for
security reasons. I'm OK with cookies because only a limited number of
people will be using the admin system I'm setting up and I can tell them
they have to have cookies enabled. It's not a part of the site that will
be accessible to the general public. And from the sounds of it the
cookie is set automatically without my having to do it with setcookie -
right?

Yep. Everything gets stored on the server in the session_save_path
directory (you can set this yourself in your scripts - see
http://www.php.net/session_save_path :)

>But the thing that's confusing me now is that apparently in 4.2,
--enable-trans-id is on by default, and that makes it automatically put
the session ID in the URLs of relative links, unless I've misunderstood
what it does? If passing the SID via URL is supposed to be bad from a
security standpoint, is there some way I can make it not do this?
Bearing in mind that I'm on a shared host so I can't mess with their
overall PHP configuration? Or am I worrying about this too much?

If it's a worry you can turn it off - http://www.php.net/ini_set - look
for session.use_trans_sid . Since it's a PHP_INI_SYSTEM|PHP_PER_DIR you
can change it in a .htaccess file ...

>>> But according to one of the user comments in the manual I have to
use
>>> addslashes() and stripslashes() if I want to be able to put the data
>> into the database after unserializing it - is that right?

>> Yep. So you'll need to do
>> $value = addslashes(serialize($real_value));
>> and use $value in your query...
>> Then when you fetch out
>> $real_value = unserialize(stripslashes($value));

>And that's only if I'm putting the session itself into a form field or
database, right?

Yep.

>If I extract the values from the $_SESSION array at the end of the
update process and insert them into the database then, having just used
cookies to store it in the meantime, then it doesn't need this? Or does
it?

It depends :)

eg dob could be stored as an array -
$dob = array('dd' => '01', 'mm' => '01', 'yy' => '1970');

then you'll need to serialize it before saving it..

If you want the values saved separately, then no you won't (eg q1 = 'y',
q2 = 'blah' etc etc).

HTH.

Chris.