Re: Sessions and serializing (was: Checking data inserted

From: Lynna Landstreet <lynna(at)gallery44(dot)org>
To: <pgsql-php(at)postgresql(dot)org>
Subject: Re: Sessions and serializing (was: Checking data inserted
Date: 2004-05-20 18:55:36
Message-ID: BCD27768.12CA%lynna@gallery44.org
Lists: pgsql-php

on 5/19/04 10:46 PM, Chris at chris(at)interspire(dot)com wrote:

> You won't need to use unserialize and serialize per page if you're going
> to use sessions - you only need those if you're going to pass the values
> in a URL or in a hidden form field.
>
> For sessions, you can simply
> $my_array = array('1','2','3','4','5');
> $_SESSION['blah'] = $my_array;
>
> sort of thing..

OK. So if I'm just saving things into the $_SESSION array, I don't need to
use serialize?

I've been reading through a whole bunch of session tutorials on DevShed,
PHPBuilder, etc. (although rather annoyingly nearly all of them are based on
PHP 4.0 and a lot of things seem to have changed with 4.2), and I think I'm
*starting* to get a grip on this, although some aspects are still a bit
confusing.

Most of the tutorials say that you can either pass session ids through the
URL or through cookies, and that using cookies is better for security
reasons. I'm OK with cookies because only a limited number of people will be
using the admin system I'm setting up and I can tell them they have to have
cookies enabled. It's not a part of the site that will be accessible to the
general public. And from the sounds of it the cookie is set automatically
without my having to do it with setcookie - right?

But the thing that's confusing me now is that apparently in 4.2,
--enable-trans-id is on by default, and that makes it automatically put the
session ID in the URLs of relative links, unless I've misunderstood what it
does? If passing the SID via URL is supposed to be bad from a security
standpoint, is there some way I can make it not do this? Bearing in mind
that I'm on a shared host so I can't mess with their overall PHP
configuration? Or am I worrying about this too much?

>> But according to one of the user comments in the manual I have to use
>> addslashes() and stripslashes() if I want to be able to put the data
>> into the database after unserializing it - is that right?
>
> Yep. So you'll need to do
> $value = addslashes(serialize($real_value));
>
> and use $value in your query...
>
> Then when you fetch out
>
> $real_value = unserialize(stripslashes($value));
>
> Done =)

And that's only if I'm putting the session itself into a form field or
database, right?

If I extract the values from the $_SESSION array at the end of the update
process and insert them into the database then, having just used cookies to
store it in the meantime, then it doesn't need this? Or does it?

> Ask as many questions as you need to, we've all been at the start before
> =)

Thanks. Hopefully sooner or later I'll actually be at the point where I can
start answering other people's questions instead. :-)

Lynna

--
Resource Centre Database Coordinator
Gallery 44
www.gallery44.org
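As an added illustration of the three points raised in this message (keeping the session id in a cookie only on a shared host, putting arrays into $_SESSION directly, and the serialize/escaping question when the data finally goes into PostgreSQL), here is example code that is not part of the original thread or of any poster's reply. It assumes PHP 4.3 or later (the session.use_only_cookies setting was introduced in 4.3), an open pg_connect() handle, and a hypothetical table named session_store with columns session_key and payload; all of those names are assumptions. The ini keys used are PHP_INI_ALL, so ini_set() from your own script works without touching the host's php.ini. Note that the escaping belongs to the SQL literal, not to the stored value: PostgreSQL stores the unescaped string, so the read path does not call stripslashes().

```php
<?php
// Added example (not from the original thread): session handling for a
// small admin area on a shared host, keeping the session id in a cookie
// only and persisting session data to PostgreSQL without addslashes().

// 1. Per-script session settings. Both keys are PHP_INI_ALL, so ini_set()
//    works from the script itself; no access to php.ini is needed.
function configure_session()
{
    ini_set('session.use_only_cookies', '1'); // ignore any session id found in the URL
    ini_set('session.use_trans_sid', '0');    // do not rewrite links to carry the SID
    session_start();                          // sets the session cookie itself; no setcookie() call
}

// 2. Arrays go straight into $_SESSION; PHP serializes the session store
//    itself at the end of the request, so serialize() is not needed here.
function stash_form_step($fields)
{
    $_SESSION['artwork'] = $fields;
}

function fetch_form_step()
{
    return isset($_SESSION['artwork']) ? $_SESSION['artwork'] : array();
}

// 3. serialize() is only needed when the value must cross a boundary that
//    takes a string: a hidden field, a URL, or a text column in the database.
//    pg_escape_string() protects the SQL literal; the database stores the
//    plain serialized string, so nothing is un-escaped on the way back out.
function save_to_db($conn, $session_key, $data)
{
    $blob = serialize($data);
    $sql  = sprintf(
        "INSERT INTO session_store (session_key, payload) VALUES ('%s', '%s')",
        pg_escape_string($session_key),
        pg_escape_string($blob)
    );
    return pg_query($conn, $sql) !== false;
}

function load_from_db($conn, $session_key)
{
    $sql = sprintf(
        "SELECT payload FROM session_store WHERE session_key = '%s'",
        pg_escape_string($session_key)
    );
    $res = pg_query($conn, $sql);
    if ($res === false || pg_num_rows($res) === 0) {
        return null;
    }
    $row = pg_fetch_assoc($res);
    // No stripslashes() here: the column holds exactly what serialize() produced.
    // Only unserialize strings this application wrote itself.
    return unserialize($row['payload']);
}

// Typical flow across the multi-page update, then the final write.
configure_session();
stash_form_step(array('title' => "O'Keeffe study", 'year' => '1994'));
$conn = pg_connect('dbname=gallery user=admin');   // assumed connection string
if ($conn !== false && save_to_db($conn, session_id(), fetch_form_step())) {
    $back = load_from_db($conn, session_id());
    echo $back['title'];   // prints: O'Keeffe study
}
?>
```

The apostrophe in the sample title is there on purpose: it is the character addslashes() was being used to handle, and pg_escape_string() covers it in the query without altering what gets stored. On PHP 5.1 and later, pg_query_params() removes the need for manual escaping altogether.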
