
[SOLVED] $_SESSION instead of $_GET


dk1983


Hi there,

First off, apologies if this is in the wrong board.  :-[

Basically I would like to know if it is feasible to use session variables to handle persistent data instead of passing data via $_GET in the URL string.

I'm not keen on the url string mess that I get with $_GET, and I don't want to replace everything in my site with form buttons so I can use $_POST.

Can anyone advise me on any issues (security, performance etc) that I need to consider?

Thank you,

Dave.


Personally I'd say that (as long as data amount is fairly minimal) sessions are the best way of keeping persistent data - however, it really depends what it's for.

I use sessions to maintain user details (when logged in) and when I'm maybe spreading a form over 2 or 3 (or more) pages and user might need to go back and forward a fair bit (or at least offer the option).

As for security, my only golden rule is do not trust ANY user input, regardless of whom it might be using the site. Filter it all (get/post/cookie or wherever the input is/can come from) out, validate it properly, etc.

As for performance - that'd be for someone else's job to explain, but I'd pretty much stab a guess and a tenner that there's virtually no significant difference between $_SESSION and $_GET

Like I say though - depends what you're using them for...


Session data is not user input, you put it there. That's pretty much the main diff securitywise. Not a small one.

Performancewise, I agree with Mark that the diff would be too small to prefer one over the other. In general though, I'd say $_GET is probably faster, because all it needs to do is parse the query string which is already in memory (I assume Apache keeps it in memory during the HTTP session). Session data is generally fetched from some persistence medium: a database or files. There is the mm extension that keeps the data in memory, but it's said to be a little unstable.

As a guideline, use $_GET for anything that indicates a 'page request', $_POST for submitting data, $_SESSION for anything directly related to the user.

If you dislike the query strings you can parse your own:

www.sitedomain.com/?someaction/somevar/someval

Or set arg_separator.input (ini_set) to something other than an ampersand, for example:

www.sitedomain.com/?somevar=someval:someothervar=someothervalue

Or if mod_rewrite is available on your server (Apache) you can even do away with the question mark:

www.sitedomain.com/someaction/somevar/someval

I use this, borrowed from Zend Framework:

RewriteEngine on
RewriteRule !\.(js|ico|gif|jpg|png|css|php)$ /index.php

Links in your html then look like this:

<a href="/someaction/somevar/someval">click me</a>

You still need to parse the query string though.

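The parsing step mentioned at the end of the post above, combined with the earlier advice to treat every request value as untrusted, as an added example that is not part of the thread. It assumes all requests are rewritten to /index.php as shown; the action names, parameter names and patterns are hypothetical.

```php
<?php
// Added example, not from the thread. Action names, parameter names and
// validation patterns below are hypothetical.

// Allowlist: action => [parameter name => regex the whole value must match].
// \z (not $) is used so a trailing newline (%0A) cannot slip through.
const ROUTES = [
    'viewitem' => ['id' => '/^[1-9][0-9]{0,8}\z/'],
    'list'     => ['page' => '/^[1-9][0-9]{0,3}\z/', 'sort' => '/^(name|date)\z/'],
];

/**
 * Parse "/action/key/value/key/value" into [action, params].
 * Returns null for anything the allowlist does not cover.
 */
function parse_route(string $requestUri): ?array
{
    // Only the path is routed; any "?query" part is ignored.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    // Split first, decode second, so an encoded "/" (%2F) cannot add segments.
    $segments = array_map('rawurldecode', explode('/', trim($path, '/')));
    $action = array_shift($segments);
    $rules = ROUTES[$action] ?? null;
    if ($rules === null || count($segments) % 2 !== 0) {
        return null;
    }
    $params = [];
    for ($i = 0; $i < count($segments); $i += 2) {
        [$key, $value] = [$segments[$i], $segments[$i + 1]];
        $pattern = $rules[$key] ?? null;
        // Reject unknown keys, repeated keys and values that fail validation.
        if ($pattern === null || isset($params[$key]) || preg_match($pattern, $value) !== 1) {
            return null;
        }
        $params[$key] = $value;
    }
    return [$action, $params];
}

// Constructed sample requests, as they would arrive in $_SERVER['REQUEST_URI'].
foreach (['/viewitem/id/42', '/list/page/2/sort/date', '/viewitem/id/42%27--', '/admin/x/1'] as $uri) {
    $route = parse_route($uri);
    echo $uri, ' => ', $route === null ? 'rejected (send 404)' : json_encode($route), PHP_EOL;
}
```

Values that pass this check are still request input, so they belong in parameterised queries and escaped output; only data the application itself decided on (such as the logged-in user's id) goes into $_SESSION.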
