$_SESSION reliability

[dadamssg]

i have a small date selection where the user inputs a date, the script calculates the number of days until that date and stores it in a session, it also passes the number through the url.

 

example

mysite.php?days=12

 

i use the session variable right now in my query  and do nothing with the $_GET['days'], my question is should i make sure the session variable is set, if not use the $_get? as in

 

if(!isset($_SESSION['days']))
      {
  $days = (int) $_GET['days'];
  }
  else
  {
  $days = $_SESSION['days'];
  }

and use $days in my query....or is this all unnecessary and im having too little faith in session variables?

[Yesideez]

As long as you make sure session_start() is at the start of your scripts I can't see why you can't use session variables alone although they can (and do) timeout so if the user leaves the PC for some time and comes back later the session variables would have expired.

 

If you're expecting a number then there's no reason why you can't use intval() to make sure you're definitely getting a number. This helps is the user modifies the session variable/URL to try injection.

 

if (!isset($_SESSION['days'])) {
  $days = intval($_GET['days']);
} else {
  $days = intval($_SESSION['days']);
}