dk1983, Posted June 8, 2007
Thread: https://forums.phpfreaks.com/topic/54824-solved-_session-instead-of-_get/

Hi there,

First off, apologies if this is in the wrong board. Basically I would like to know if it is feasible to use session variables to handle persistent data instead of passing data via $_GET in the URL string. I'm not keen on the url string mess that I get with $_GET, and I don't want to replace everything in my site with form buttons so I can use $_POST. Can anyone advise me on any issues (security, performance etc) that I need to consider?

Thank you,
Dave.
redbullmarky, Posted June 9, 2007

personally i'd say that (as long as data amount is fairly minimal) sessions are the best way of keeping persistent data - however, it really depends what it's for. I use sessions to maintain user details (when logged in) and when i'm maybe spreading a form over 2 or 3 (or more) pages and user might need to go back and forward a fair bit (or at least offer the option).

as for security, my only golden rule is do not trust ANY user input, regardless of whom it might be using the site. filter it all (get/post/cookie or wherever the input is/can come from) out, validate it properly, etc.

As for performance - that'd be for someone else's job to explain, but i'd pretty much stab a guess and a tenner that there's virtually no significant difference between $_SESSION and $_GET

like i say tho - depends what you're using them for...
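The two uses described in this reply (login state and a multi-page form kept in the session, with every input validated before it is stored), written out as an added example that is not code from the thread. The function names, the session ini settings chosen, and the form fields are assumptions for illustration.

```php
<?php
// Added example (not from the thread): keep per-user state in $_SESSION
// rather than in the query string, and only ever store validated values.

// Harden the session cookie before the session is started (assumed settings).
ini_set('session.use_strict_mode', '1');   // reject session ids the server did not issue
ini_set('session.cookie_httponly', '1');   // keep the cookie away from client-side script
ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
session_start();

// Login: store the user's details, and rotate the session id on this
// privilege change so a fixated pre-login id cannot be reused.
function loginUser(int $userId, string $displayName): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = ['id' => $userId, 'name' => $displayName];
}

function currentUser(): ?array
{
    return $_SESSION['user'] ?? null;
}

// Multi-page form: validate the submitted step, keep only clean values in
// the session, and report errors so the page can be shown again.
// Returns the list of field errors (empty when the step was accepted).
function saveFormStep(int $step, array $input): array
{
    $errors = [];
    $clean  = [];

    if ($step === 1) {
        $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
        if ($email === false) {
            $errors['email'] = 'not a valid e-mail address';
        } else {
            $clean['email'] = $email;
        }
    } elseif ($step === 2) {
        $qty = filter_var($input['quantity'] ?? '', FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1, 'max_range' => 100]]);
        if ($qty === false) {
            $errors['quantity'] = 'must be a whole number from 1 to 100';
        } else {
            $clean['quantity'] = $qty;
        }
    } else {
        $errors['step'] = 'unknown form step';
    }

    if ($errors === []) {
        // Merge into the form state; earlier steps stay available when the
        // user goes back and forward between pages.
        $_SESSION['form'] = array_merge($_SESSION['form'] ?? [], $clean);
    }
    return $errors;
}

// Constructed sample flow, standing in for real $_POST data.
loginUser(42, 'Dave');
$errors = saveFormStep(1, ['email' => 'dave@example.com']);   // []
$errors = saveFormStep(2, ['quantity' => 'lots']);           // ['quantity' => ...]

// At output time the session values are still escaped for the context,
// because "you put it there" holds only as long as only clean data goes in.
echo 'Logged in as ' . htmlspecialchars(currentUser()['name'], ENT_QUOTES, 'UTF-8') . "\n";
```

The session stores only what the validation step produced, so later pages can trust `$_SESSION['form']` without re-validating it; the escape at output time is still needed because a name or e-mail address is rendered into HTML.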
fadyz, Posted June 9, 2007

for security, by doing so (add variable to url string) you'll be vulnerable to php injection. See other article related to injection
448191, Posted June 9, 2007

Session data is not user input, you put it there. That's pretty much the main diff securitywise. Not a small one.

Performancewise, I agree with Mark that the diff would be too small to prefer one over the other. In general though, I'd say $_GET is probably faster, because all it needs to do is parse the query string which is already in memory (I assume Apache keeps it in memory during the HTTP session). Session data is generally fetched from some persistence medium: a database or files. There is the mm extension that keeps the data in memory, but it's said to be a little unstable.

As a guideline, use $_GET for anything that indicates a 'page request', $_POST for submitting data, $_SESSION for anything directly related to the user.

If you dislike the query strings you can parse your own:

    www.sitedomain.com/?someaction/somevar/someval

Or set arg_separator.input (ini_set) to something other than an ampersand, for example:

    www.sitedomain.com/?somevar=someval:someothervar=someothervalue

Or if mod_rewrite is available on your server (Apache) you can even do away with the question mark:

    www.sitedomain.com/someaction/somevar/someval

I use this, borrowed from Zend Framework:

    RewriteEngine on
    RewriteRule !\.(js|ico|gif|jpg|png|css|php)$ /index.php

Links in your html then look like this:

    <a href="/someaction/somevar/someval">click me</a>

You still need to parse the query string though.
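The parsing step this reply leaves to the reader (turning the rewritten path `/someaction/somevar/someval` back into an action and parameters inside index.php), as an added example that is not code from the thread or from Zend Framework. The function names, the action whitelist and the handler map are assumptions for illustration; the point is that the action chosen by the URL never becomes a file path on its own.

```php
<?php
// Added example (not from the thread): parse a mod_rewrite'd request path
// into a validated action plus name/value parameters.

function parsePrettyUrl(string $requestUri, array $allowedActions): array
{
    // Keep the path only; a trailing ?query=... is ignored here.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        $path = '/';
    }
    $segments = array_values(array_filter(explode('/', $path), 'strlen'));
    $segments = array_map('rawurldecode', $segments);

    // The first segment is the action. It is matched against an explicit
    // whitelist, so a crafted path such as ../../etc/passwd or a PHP file
    // outside the page directory can never be selected.
    $action = array_shift($segments) ?? 'home';
    if (!in_array($action, $allowedActions, true)) {
        $action = 'notfound';
    }

    // Remaining segments are name/value pairs. Names must match a strict
    // pattern; values are passed through unchanged and are escaped at the
    // point of use (htmlspecialchars for HTML, prepared statements for SQL),
    // exactly as a $_GET value would be.
    $params = [];
    for ($i = 0; $i + 1 < count($segments); $i += 2) {
        $name = $segments[$i];
        if (preg_match('/^[a-z][a-z0-9_]{0,31}$/', $name) !== 1) {
            continue; // malformed parameter name: dropped, not passed on
        }
        $params[$name] = $segments[$i + 1];
    }
    return ['action' => $action, 'params' => $params];
}

// Dispatch through a fixed map of callables (assumed handlers), never
// through include("$action.php") built from the URL.
$handlers = [
    'home'       => function (array $p): string { return "home page\n"; },
    'someaction' => function (array $p): string {
        $v = htmlspecialchars($p['somevar'] ?? '', ENT_QUOTES, 'UTF-8');
        return "someaction with somevar=" . $v . "\n";
    },
    'notfound'   => function (array $p): string { return "404\n"; },
];

// Constructed sample requests standing in for $_SERVER['REQUEST_URI'].
foreach (['/someaction/somevar/someval', '/../etc/passwd', '/someaction/bad%20name/x'] as $uri) {
    $route = parsePrettyUrl($uri, array_keys($handlers));
    echo $handlers[$route['action']]($route['params']);
}
// Output:
//   someaction with somevar=someval
//   404
//   someaction with somevar=
```

With the RewriteRule quoted above, index.php receives every non-static request, so `$_SERVER['REQUEST_URI']` is what would be passed to `parsePrettyUrl()` in a real deployment; the whitelist-then-dispatch shape keeps the same trust boundary the reply draws between user-supplied URL data and server-side session data.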
dk1983 (Author), Posted June 9, 2007

I guess I'll go with the mod_rewrite; possibly have a separate php script to handle all URL parsing within the site.

Thanks for the advice!
Dave.