vickyb Posted February 19, 2014 Share Posted February 19, 2014 Hello I am using the following code to fetch the USERS name based on the key I stored as a session when the user logged in My code is $key = $_SESSION['logged_key']; if ($pcess = $mysqli->prepare("SELECT id, name FROM people WHERE key = ? LIMIT 1")) { $pcess->bind_param('s', $key); $pcess->execute(); $pcess->store_result(); $pcess->bind_result($id, $name); $pcess->fetch(); } My question is: Is there a better way to pass the session ID, or run the Query that would increase the security, performance and overall safety? Thanks Everyone V Quote Link to comment https://forums.phpfreaks.com/topic/286330-php-sessions/ Share on other sites More sharing options...
WebStyles Posted February 19, 2014 Share Posted February 19, 2014 Why not fetch that info (users name and id, etc...) when he logs in? Then just store in session and use when needed. Sessions can hold quite a lot of information, and it will keep you from having to make a lot of database requests. Quote Link to comment https://forums.phpfreaks.com/topic/286330-php-sessions/#findComment-1469588 Share on other sites More sharing options...
cyberRobot Posted February 20, 2014 Share Posted February 20, 2014 My preference is to store just the user's ID. Whenever the visitor goes to a different page, I'll query the database to re-validate the user and get the rest of the information. That way if the visitor's permissions are ever revoked, they can be kicked out during an active session if necessary. Quote Link to comment https://forums.phpfreaks.com/topic/286330-php-sessions/#findComment-1469638 Share on other sites More sharing options...
vickyb Posted February 20, 2014 Author Share Posted February 20, 2014 Hi Thanks, but the reason I dont store all this data when they login is because i need to pull other bits of data also, and it would be too much to store everything as sessions Why not fetch that info (users name and id, etc...) when he logs in? Then just store in session and use when needed. Sessions can hold quite a lot of information, and it will keep you from having to make a lot of database requests. Quote Link to comment https://forums.phpfreaks.com/topic/286330-php-sessions/#findComment-1469655 Share on other sites More sharing options...
vickyb Posted February 20, 2014 Author Share Posted February 20, 2014 My preference is to store just the user's ID. Whenever the visitor goes to a different page, I'll query the database to re-validate the user and get the rest of the information. That way if the visitor's permissions are ever revoked, they can be kicked out during an active session if necessary. How would you re-validate without the user having to enter password etc each time? Quote Link to comment https://forums.phpfreaks.com/topic/286330-php-sessions/#findComment-1469656 Share on other sites More sharing options...
cyberRobot Posted February 20, 2014 Share Posted February 20, 2014 I guess what I meant be re-validate, is to check the flag which indicates whether they have access or not. I'll basically create a column to indicate if a visitor is active. Every time they go to a new page, I'll check that flag before getting the other information like their name. If the flag is set to false, an error message is displayed. Otherwise, the page content displays as normal. Quote Link to comment https://forums.phpfreaks.com/topic/286330-php-sessions/#findComment-1469658 Share on other sites More sharing options...
vickyb Posted February 21, 2014 Author Share Posted February 21, 2014 I guess what I meant be re-validate, is to check the flag which indicates whether they have access or not. I'll basically create a column to indicate if a visitor is active. Every time they go to a new page, I'll check that flag before getting the other information like their name. If the flag is set to false, an error message is displayed. Otherwise, the page content displays as normal. OK thank you, that makes sense. Should I wrap anything around the sessions vars when doing a WHERE lookup? Like mysql_real_escape_string ? Or I guess my question is, if the user logs in and the database flag is set to 1, then when the user is not logged in the flag needs to be set to 0. 0 = not logged in 1 = logged in I could set the flag to 0 when the user logs out of the website, but how do I handle the case where the session expires and the user has to re-login? Because if the session expires before the user actually logs out, then the database flag would still be set to 1, so how do I get it to revert back to 0 if the session expires, or the user simply closes the browser before logging out? Thank you Quote Link to comment https://forums.phpfreaks.com/topic/286330-php-sessions/#findComment-1469846 Share on other sites More sharing options...
cyberRobot Posted February 21, 2014 Share Posted February 21, 2014 Just to clarify, the flag I use indicates whether the user has access or not. It's not whether they are logged in or not. That's what the session is for. Basically I use the "active" flag to remove someone's access to the content for an extended period of time. For example, I may have a group of people who manages an aspect of a website. If someone is no longer part of that group for whatever reason, I'll switch the "active" flag to false. That way they can no longer make changes; even if they are currently logged in. As soon as they visit another page, the system logs them out (removes the SESSION) and displays an error. As for your question about wrapping the SESSION variables, it depends. If you're only using a SESSION variable which contains the user's ID and that ID only contains numbers, I would just make sure the ID is valid before running the query. Currently, I prefer to validate numbers with ctype_digit(): http://www.php.net/ctype_digit Quote Link to comment https://forums.phpfreaks.com/topic/286330-php-sessions/#findComment-1469868 Share on other sites More sharing options...
vickyb Posted February 21, 2014 Author Share Posted February 21, 2014 Just to clarify, the flag I use indicates whether the user has access or not. It's not whether they are logged in or not. That's what the session is for. Basically I use the "active" flag to remove someone's access to the content for an extended period of time. For example, I may have a group of people who manages an aspect of a website. If someone is no longer part of that group for whatever reason, I'll switch the "active" flag to false. That way they can no longer make changes; even if they are currently logged in. As soon as they visit another page, the system logs them out (removes the SESSION) and displays an error. As for your question about wrapping the SESSION variables, it depends. If you're only using a SESSION variable which contains the user's ID and that ID only contains numbers, I would just make sure the ID is valid before running the query. Currently, I prefer to validate numbers with ctype_digit(): http://www.php.net/ctype_digit Thanks, I was going to store the user id and a unique MD5 hash for each user record, and then store them as sessions, so when i do an update i'll use the user id and hashed string, for a double check. So you're suggesting not to bother wrapping anything around sessions in that case? Quote Link to comment https://forums.phpfreaks.com/topic/286330-php-sessions/#findComment-1469882 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.