$_SESSION reliability


dadamssg

I have a small date selection where the user inputs a date; the script calculates the number of days until that date and stores it in a session. It also passes the number through the URL.

Example:

mysite.php?days=12

I use the session variable right now in my query and do nothing with the $_GET['days']. My question is: should I make sure the session variable is set and, if not, use the $_GET? As in:

if(!isset($_SESSION['days']))
{
  $days = (int) $_GET['days'];
}
else
{
  $days = $_SESSION['days'];
}

and use $days in my query... or is this all unnecessary and I'm having too little faith in session variables?

Link to comment
https://forums.phpfreaks.com/topic/152175-_session-reliability/

As long as you make sure session_start() is at the start of your scripts, I can't see why you can't use session variables alone, although they can (and do) time out, so if the user leaves the PC for some time and comes back later the session variables would have expired.

If you're expecting a number then there's no reason why you can't use intval() to make sure you're definitely getting a number. This helps if the user modifies the session variable/URL to try injection.

if (!isset($_SESSION['days'])) {
  $days = intval($_GET['days']);
} else {
  $days = intval($_SESSION['days']);
}

Link to comment
https://forums.phpfreaks.com/topic/152175-_session-reliability/#findComment-799272
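
The session-first fallback discussed in this thread, as an added example that is not part of either post: it validates the value with filter_var() and a range instead of a bare cast, then binds it as a query parameter. The events table, its columns, the 0 to 3650 range and the sample requests are constructed assumptions, and the snippet needs the pdo_sqlite extension.

```php
<?php
// Added example. Table, columns, range and sample requests are assumptions.

// Return a validated day count, preferring the server-side session value and
// falling back to the URL parameter; null when neither holds a usable integer.
function resolve_days(array $session, array $get): ?int
{
    $range = ['options' => ['min_range' => 0, 'max_range' => 3650]];
    foreach ([$session, $get] as $source) {
        if (!isset($source['days'])) {
            continue; // missing, e.g. the session has timed out
        }
        // Unlike intval(), this rejects "12abc" and "abc" instead of
        // silently turning them into 12 and 0.
        $days = filter_var($source['days'], FILTER_VALIDATE_INT, $range);
        if ($days !== false) {
            return $days;
        }
    }
    return null;
}

// Bind the value as an integer parameter; it is never concatenated into SQL.
function events_within(PDO $db, int $days): array
{
    $stmt = $db->prepare('SELECT title FROM events WHERE days_away <= :days ORDER BY days_away');
    $stmt->bindValue(':days', $days, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE events (title TEXT, days_away INTEGER)');
$db->exec("INSERT INTO events VALUES ('dentist', 3), ('holiday', 12), ('exam', 40)");

// Constructed requests as [session, query string] pairs.
$requests = [
    [['days' => 12], ['days' => '999']],  // live session wins over the URL
    [[], ['days' => '12']],               // expired session, valid URL value
    [[], ['days' => '12abc']],            // expired session, malformed URL value
];
foreach ($requests as [$session, $get]) {
    $days = resolve_days($session, $get);
    echo $days === null ? "rejected\n" : implode(',', events_within($db, $days)) . "\n";
}
```

A null result is the point at which to reject the request or ask for the date again, rather than running the query with 0.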

Archived

This topic is now archived and is closed to further replies.
