Is It Safe To Store A Value In A Session Variable And Make Queries On The Value

I have a site where the username is stored in a session variable when they are logged in. I am wondering whether it is safe to make queries using the value stored in this session variable?


Make PDO Select Queries HTML Safe?

I'm new to PDO and just started using it. I already inserted, updated and deleted data using it and it's very simple to use the basics.

In a test environment I inserted some HTML codes to the database. Like:

<a href="">Google</a>
<b>Bold text</b>
<u>Underlined text</u>

I'm trying this out, because I'm using a simple WYSIWYG editor on my site for the users and I want to be sure the data is safe.

Using the following:

$stmt = $dbh->prepare("SELECT * FROM naruto WHERE id = :id AND name = :name");
/*** bind the parameters ***/
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$stmt->bindParam(':name', $name, PDO::PARAM_STR, 5);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);   // $row['name'] holds the raw HTML exactly as stored


Where name is the different HTML codes, the HTML is just executed. So the text is bold and not shown literally as <b>text</b>.

I'm wondering if there is a function for PDO to stop this. Or do I just need to use htmlentities and strip_tags?


Is It Safe To Store User_id In Session?

What I was wondering is how safe it is to store user_id or username or anything like that in the session. I usually store a bunch of info in a session so I do not need to search the database all the time. However, is it easy to change a value after being logged in?

For example:

- A user logs in ...


Jquery .post Used To Store Session Variable - Avoid Refresh To Call Session Value?

I am using jQuery's .post ajax call to pull a form input value and pass it to a PHP file that starts a session and stores the value in it. The session value is then called on a different page. The problem is, this all takes place without a page refresh, so the session value is always one page refresh behind, i.e.

the first time the session value is called it is blank, but after a refresh the value is loaded with the initial input value. When refreshing again, the session's second value is pulled. So the session value is never current... it is one behind. How can I make it so the PHP session variable is current without needing to do a refresh?


Create Session Then Store A Session Variable

I use the following code to create a session, then store a session variable called query, and then redirect to another page called insertaccount.php where I wish to use the session value query. When I get to insertaccount.php the session variable query does not exist. Can anyone tell me why this is?

session_start();                 // must run before any output, on this page
$_SESSION['query'] = $query;

session_start();                 // and again at the top of insertaccount.php
$sql_query = $_SESSION['query'];


Store A Variable Available To Every Session?

I wanted to know what would be a good way of storing the information required by something like a hit counter. I was wondering if this was possible using some session-like technique, but available to everyone. I am concerned about speed/performance, and not memory usage, since the data to be stored is minimal.


How To Store Session Value In A Variable?

Is this the right way to extract and store the session variable value?

$memid = mysql_real_escape_string($_SESSION['SESS_MID']);

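Added example for the four session questions above (storing a value in the session and querying on it, storing user_id in the session, the session variable that "does not exist" on the next page, and extracting a session value into a variable). It is the editor's code, not taken from any of the posts or replies. A value in $_SESSION lives on the server and is only ever located through the session cookie, so the browser cannot edit it; what matters is that it was set after a real password check, that the session id is regenerated at login, and that every page calls session_start(). The $pdo connection, the users table with a password_hash column, and the file names are assumptions.

```php
<?php
// Added example (editor's). Assumes a PDO connection $pdo and a users table
// (id, username, password_hash) whose hashes come from password_hash().

declare(strict_types=1);

// login.php: verify the password, then put ONLY the server-side user id in the session.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // A new session id at the privilege change defeats session fixation: an id
    // a victim may have been handed before login is now worthless.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// profile.php (any later page): session_start() must run again here, otherwise
// $_SESSION is simply empty and "the variable does not exist".
function currentUserRow(PDO $pdo): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;                       // not logged in
    }
    // The value never left the server, so the user cannot have tampered with
    // it; it is still passed as a bound parameter, never concatenated into SQL,
    // so no escaping function is needed on the way in.
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $_SESSION['user_id'], PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Cookie hardening, set before session_start() on every page (PHP 7.3+ array form).
// 'secure' assumes the site is served over HTTPS.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
```

The mysql_real_escape_string() call in the last post is harmless but addresses the wrong layer: a session value only needs treatment for the context it is used in, and with a bound parameter the database driver already does that.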

Safe MySQL Queries

After realising how easy it is for a malicious user to inject an SQL query
into a parameter for a query, e.g.:

$query = "SELECT name FROM employees WHERE ID = ".$HTTP_GET_VARS['id'];

And the user enters for the query string: mypage.php?id=1 UNION DISTINCT....

I'm trying to work out what level of protection is needed. As far as I can
see, for integer values I should just validate that a numeral has been
entered, and for text the addslashes() or mysql_escape_string() functions
are enough. Am I right in saying this?

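Added example for this post and for "Writing Safe SQL Queries?" below; it is the editor's code, not from any reply. It runs the posted pattern against an in-memory SQLite database (constructed rows, so it works offline) to show the UNION payload actually pulling another table, then the same lookup with a bound parameter. The point for the quoting question is that with a prepared statement neither single nor double quotes in the value matter, because the value is never part of the statement text.

```php
<?php
// Added example (editor's). In-memory SQLite; the employees/users tables and
// their rows are constructed for the demonstration.

declare(strict_types=1);

function db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT)');
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, password_hash TEXT)');
    $pdo->exec("INSERT INTO employees VALUES (1, 'alice'), (2, 'bob')");
    $pdo->exec("INSERT INTO users VALUES (1, 'secret-hash')");
    return $pdo;
}

// The posted pattern: the raw request parameter is spliced into the SQL text.
function vulnerable(PDO $pdo, string $id): array
{
    $sql = "SELECT name FROM employees WHERE id = " . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value travels separately from the statement, so it can only
// ever be data. For an integer id, additionally reject anything that is not a
// digit string before it gets anywhere near the query.
function hardened(PDO $pdo, string $id): array
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT name FROM employees WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A text value with both kinds of quotes: no escaping code, and no injection.
function byName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id FROM employees WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = db();
$payload = '1 UNION SELECT password_hash FROM users';
print_r(vulnerable($pdo, $payload));    // alice AND secret-hash: the UNION read the users table
try {
    hardened($pdo, $payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
print_r(hardened($pdo, '1'));           // alice only
print_r(byName($pdo, "O'Brien \"Bob\" ' OR '1'='1"));   // empty: the whole string is matched as a name
```

addslashes() and the mysql_escape_string() family defend one specific context (a quoted string literal) and only as well as the connection charset lets them; the integer case above is not even a quoted context, which is why the original query was injectable despite any escaping.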

Writing Safe SQL Queries?

Writing safe SQL queries, e.g. single quotes, double quotes, etc. What's the best practice?


Failing To Store Value Of Session Variable!

When I try to register a session variable by, for example:
$value = "foo";

It doesn't want to be registered. I have tried to access it by:

The session file that is created when I start the session looks like this:

It seems like it doesn't want to register the value.


Store Cart Variable In Session?

I want to store a cart variable in the session. What is the correct way to encrypt or decrypt or hash it?

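Added example (editor's, not from the post or its replies). A PHP session is stored on the server and the browser only holds an opaque id, so a cart kept in $_SESSION needs neither encryption nor hashing to stop the customer editing it. The thing that does need defending is the price: it must come from the database at checkout, never from the form or from something the browser sent earlier. The products table and the $pdo connection are assumptions.

```php
<?php
// Added example (editor's). Assumes a products table (id, price_cents) and a
// PDO connection $pdo; the POST field names are assumptions too.

declare(strict_types=1);

const MAX_QTY = 99;

// The cart is product_id => quantity, both validated, and nothing else.
function addToCart(array &$cart, $productId, $qty): void
{
    if (!ctype_digit((string) $productId) || !ctype_digit((string) $qty)) {
        throw new InvalidArgumentException('product id and quantity must be positive integers');
    }
    $qty = (int) $qty;
    if ($qty < 1 || $qty > MAX_QTY) {
        throw new InvalidArgumentException('quantity out of range');
    }
    $cart[(int) $productId] = $qty;
}

// Prices are read from the database at checkout; a tampered "price" field in
// the form changes nothing because it is never read. Prepare once, execute per item.
function cartTotal(PDO $pdo, array $cart): int
{
    $stmt  = $pdo->prepare('SELECT price_cents FROM products WHERE id = :id');
    $total = 0;
    foreach ($cart as $productId => $qty) {
        $stmt->execute([':id' => $productId]);
        $price = $stmt->fetchColumn();
        if ($price === false) {
            throw new RuntimeException("product $productId no longer exists");
        }
        $total += (int) $price * $qty;     // integer cents: no float rounding surprises
    }
    return $total;
}

session_start();
if (!isset($_SESSION['cart'])) {
    $_SESSION['cart'] = [];
}
if (isset($_POST['product_id'], $_POST['qty'])) {
    addToCart($_SESSION['cart'], $_POST['product_id'], $_POST['qty']);
}
```

If the cart ever has to live in the browser instead (a cookie, to survive session expiry), that is the case where an HMAC over the serialized contents is needed; for $_SESSION it is redundant.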

Safe Insert Queries For Mysql ?

I was wondering the following: when I insert something
into a MySQL DB -in a guestbook for instance- I mostly use
mysql_escape_string($_POST['comment']). Now I've seen
mysql_real_escape_string, and I was wondering if there's a
big difference between them, but most of all, I was wondering
if 'addslashes()' is safe enough, because I noticed that
stripslashes() doesn't strip all 'mysql_escape_string' slashes,
but does strip all 'addslashes()' ... :-s

I know there's something called MySQL injection, and if I
got it correctly, that would mean executing queries
e.g. by submitting a " and then a query ...
Of course I want to prevent this.

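Added example (editor's, not from the post or its replies) on the difference the post asks about. addslashes() works byte by byte and knows nothing about the connection's character set; mysql_real_escape_string() (and mysqli_real_escape_string()) escape with that knowledge, which is the whole difference. The demonstration needs no database: it constructs the two-byte input that defeats addslashes() under a multibyte charset such as GBK and inspects the result with mbstring.

```php
<?php
// Added example (editor's). Input bytes are constructed for the demonstration.
// Requires the mbstring extension.

declare(strict_types=1);

// A single quote preceded by 0xBF, as an attacker sends it when the
// connection charset is GBK.
const ATTACK = "\xbf'";

function addslashesEscaped(string $s): string
{
    return addslashes($s);            // byte-wise result: 0xBF 0x5C 0x27
}

// In GBK, 0xBF 0x5C is ONE two-byte character, so a GBK-aware parser sees
// <character><quote>: the backslash has been swallowed and the quote is live.
function quoteSurvivesInGbk(string $escaped): bool
{
    $chars = mb_str_split($escaped, 1, 'GBK');   // PHP 7.4+
    return end($chars) === "'";
}

function demo(): array
{
    $esc = addslashesEscaped(ATTACK);
    return [
        'escaped_hex'    => bin2hex($esc),          // "bf5c27"
        'quote_survives' => quoteSurvivesInGbk($esc),
    ];
}

var_dump(demo());

// The fix is not a different string function on its own: the client library
// must be told the charset so it escapes with that knowledge,
//   $link = mysqli_connect(...);
//   mysqli_set_charset($link, 'utf8mb4');             // via the API, not "SET NAMES"
//   $safe = mysqli_real_escape_string($link, $input);
// or, better, prepared statements with bound parameters, where no escaping
// happens in PHP at all.
```

On the stripslashes() observation in the post: mysql_escape_string() also rewrites NUL, newline, carriage return and Ctrl-Z as \0, \n, \r and \Z, and stripslashes() does not reverse those, which is why the two do not round-trip. Data should be escaped for the query only, never stored escaped, so stripslashes() should not be needed on the way out.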

Store Form Data As Session Variable?

So I was wondering if it would be possible to store data coming in from a form as a session variable. Here's what I have so far, but I don't know what to put for the Form Action.

<?php session_start(); ?>
<strong>Test Form</strong>
<form action="" method="post">
<input type="text" name="picturenum"/>
<input type="submit" name="Submit" value="Submit!" />
</form>
<?php
if (isset($_POST['Submit'])) {
    $_SESSION['picturenum'] = $_POST['picturenum'];
}
?>
<strong><?php echo isset($_SESSION['picturenum']) ? htmlspecialchars($_SESSION['picturenum']) : ''; ?></strong>


Can't Store A Class Instance As A SESSION Variable

I have a PHP script that is called in 2 ways from a Dojo Ajax xhrGet call. The first time it is called with an "init" argument which causes the script to create an instance of the StateList class and read in a file of state names.



However, the getSize() method is never executed, nor can I call any other method on the reconstituted StateList class instance. Note that this is one PHP script that DOES include the class definition at the top and thus the class methods should be known and available.


Make A Function Read From A Txt File And Store Random Lines In A Variable?

How do you make a function read from a txt file and store random lines in a variable? It will be run over and over in a foreach loop. The language is PHP.


Xml - Use Global Variable And Store Xml Type Object In Session?

I have some problem with PHP global variable usage. I searched on StackOverflow, but nothing is like mine (at least I didn't find anything). I have 2 PHP pages, index.php and account.php. index.php calls account.php by ajax. account.php must receive some XML data from another URL and store it. After that index.php must use it.

on index.php:

var dataString = 'user='+ $("#login-name").val() + '&pass=' + $("#login-pass").val();


How can I pass $xml into index.php? My question is more like "How can I store an XML type object in the session", because currently I use the session to store data, and in the case of string data it's working okay with the line below:

$_SESSION['user_name'] = (string)$xml->request->username;

If I remove (string) from it, it gives an error like Fatal error: Exception thrown without a stack frame in Unknown on line 0. But I need to pass the object, not a string.

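Added example (editor's, not from the post or its replies). A SimpleXMLElement cannot be serialized, which is what the session handler tries to do at the end of the request, and that is what the "Exception thrown without a stack frame" fatal error comes from. Keep the XML text in the session and re-parse it on the next request; while doing so, parse it with network access and external entities disabled, because account.php is handing the parser a document fetched from another server. The sample document is constructed.

```php
<?php
// Added example (editor's). The XML below is constructed; the real text would
// be the response account.php fetched from the remote URL.

declare(strict_types=1);

// Parse untrusted XML with external entities and network access off, so a
// hostile response cannot make the server read local files or fetch URLs (XXE).
function parseXml(string $xml): SimpleXMLElement
{
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);   // default and deprecated from PHP 8.0
    }
    $prev = libxml_use_internal_errors(true);
    $doc  = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        throw new RuntimeException('invalid XML');
    }
    return $doc;
}

// account.php: store the text, not the object, and validate it first.
function rememberAccountXml(string $xml): void
{
    $doc = parseXml($xml);
    $_SESSION['account_xml'] = $doc->asXML();
    $_SESSION['user_name']   = (string) $doc->request->username;   // the line from the post still works
}

// index.php: rebuild the object from the stored text.
function accountXml(): ?SimpleXMLElement
{
    return isset($_SESSION['account_xml']) ? parseXml($_SESSION['account_xml']) : null;
}

session_start();
$sample = '<?xml version="1.0"?><response><request><username>alice</username></request></response>';
rememberAccountXml($sample);
echo accountXml()->request->username, "\n";   // alice
```

If the document is large, store only the fields index.php actually needs (as strings or arrays) rather than the whole text; the session file is read and unserialized on every request.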

Is It Faster To Recreate An Object Or Store It In A Session Variable

Recreate an object instance each time someone goes to a page during a session, or store the object instance in a session variable when it first gets created and then always grab it from there when the page is accessed again? I'm not sure if this will turn out to be a "How long is a piece of string?"


Store And Recall The Last Radio Button Clicked In A Session Variable?

I'm trying to figure out the best way to display text based on which radio button a user has clicked. I am having trouble using sessions to do this. When I use the following code, only the information related to the radio button that was first clicked is displayed (e.g., if someone clicks on radio button "A," then changes his mind and clicks on radio button "B," the session seems to think "A" is still clicked). Here's the HTML:

<div class="radio">
<label for="choice1">Choice 1</label>
<input class="selection" id="choice1" type="radio" name="selection" value="choice1"/>



Online Order System Looping And Store Each Checked Off Item As A Session Variable?

I am designing an online ordering system for a restaurant. I have a menu with check boxes by each item where the customer can select which items they desire. The menu is located at [link]. The problem is that when the order is processed I need it to store each checked off item as a session variable. In the following code, it only selects the first item checked and not the rest if there is more than one.

foreach ($item as $itemname) {                 // the checkboxes must be named item[] for $item to be an array
    $safe  = mysql_real_escape_string($itemname);
    $query = mysql_query("SELECT * FROM `menu` WHERE title = '$safe'");
}


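Added example (editor's, not from the post or its replies). Checkboxes only arrive as an array when the input name ends in [], which is the usual cause of "only the first item"; once they do, the whole selection can be fetched in one query with one placeholder per item and stored under a single session key. It runs against an in-memory SQLite database with constructed menu rows, so it works offline; the item[] field name is an assumption.

```php
<?php
// Added example (editor's). In-memory SQLite; the menu rows and the posted
// selection are constructed. Assumes the checkboxes are named item[].

declare(strict_types=1);

function menuDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE menu (id INTEGER PRIMARY KEY, title TEXT, price_cents INTEGER)');
    $pdo->exec("INSERT INTO menu VALUES (1,'Soup',450), (2,'Salad',700), (3,'Steak',2200)");
    return $pdo;
}

// Rows for every selected title, one round trip, every title bound as data.
function selectedItems(PDO $pdo, array $titles): array
{
    $titles = array_values(array_unique(array_filter($titles, 'is_string')));
    if ($titles === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($titles), '?'));
    $stmt = $pdo->prepare("SELECT id, title, price_cents FROM menu WHERE title IN ($placeholders)");
    $stmt->execute($titles);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo    = menuDb();
$posted = ['Soup', 'Steak', "Soup' OR '1'='1"];   // constructed $_POST['item']; the last one is hostile
$rows   = selectedItems($pdo, $posted);

session_start();
$_SESSION['order'] = $rows;                  // one session key holding the whole order, not one per item
print_r($rows);                              // Soup and Steak; the hostile title matches nothing
```

Storing the database rows (ids and prices as the server knows them) rather than the raw titles also means the checkout step has nothing user-typed left to trust.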

Safe To Store XHTML Code In A Database?

Is it safe to store XHTML code in a database? What I usually do is store XHTML in the database and then just use htmlspecialchars() when outputting it on the website.


How To Store Main Settings - File To Be Safe?

I have the DB password and other important information stored in settings.php. I will put settings.php outside the public directory. But what I am not sure about is that I require_once settings.php into every page (index.php, users.php, profile.php, login.php, ...). Is that safe? I was thinking that if somebody got into any single main file, he will find out where I store settings. If this file weren't included in this way, then this wouldn't happen in any file. For example, the file users.php starts like this:

require_once $_SERVER['DOCUMENT_ROOT'].'/languages/lang_'.$language.'.php';

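Added example (editor's, not from the post or its replies). The path of settings.php is not a secret: anyone who can read users.php can already read whatever it includes, so the protection is that settings.php sits outside the document root with file permissions only the web server user has, and that it is included with a path built from __DIR__ rather than $_SERVER['DOCUMENT_ROOT']. The more dangerous line is the language include, because a $language that can be influenced by the request turns require_once into a local file inclusion. The directory layout and the language list below are assumptions.

```php
<?php
// Added example (editor's). Assumed layout: <app>/public is the document root,
// <app>/config/settings.php and <app>/languages/lang_XX.php sit above it, and
// this file lives in <app>/public.

declare(strict_types=1);

// Resolve relative to THIS file, so the include works from any page and never
// points into the web-served tree.
const APP_ROOT = __DIR__ . '/..';

// settings.php returns an array instead of defining globals; an included file
// that only returns a value leaks nothing into the calling page's scope.
function loadSettings(): array
{
    $settings = require APP_ROOT . '/config/settings.php';
    if (!is_array($settings) || !isset($settings['db_password'])) {
        throw new RuntimeException('settings.php is missing or malformed');
    }
    return $settings;
}

// require_once 'lang_' . $language . '.php' is only safe if $language can never
// be "../../etc/passwd" or similar. Whitelist it, then confirm the resolved
// path really is inside the languages directory.
function languageFile(string $language): string
{
    $allowed = ['en', 'de', 'zh'];                 // assumed list of shipped languages
    if (!in_array($language, $allowed, true)) {
        $language = 'en';
    }
    $dir  = realpath(APP_ROOT . '/languages');
    $path = realpath($dir . '/lang_' . $language . '.php');
    if ($dir === false || $path === false || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('language file outside languages directory');
    }
    return $path;
}

$settings = loadSettings();
require_once languageFile($_GET['lang'] ?? 'en');
```

An attacker who can read arbitrary files on the server has already won regardless of where settings.php is; the layout above is about making sure a misconfigured web server (serving .php source as text, or a backup copy named settings.php.bak in the document root) does not hand the credentials out.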

Make A Public Variable Hold Changing Session Values?

I have a code structure like this:

class UserContext {
    public static $userId;
    public static $checkUserId;
    public $chckUserId;
    function __construct() { // Constructor
        self::$userId = $_SESSION["userid"]; // Assign current logged-in user's userid
    }
}

This works for holding the user session. Then I want to hold one changing session value because I want to use it in all functions of the class, so I want it assigned to a public variable. I assigned it and it worked, but it is not changing. What could be the problem?


Make Opetion To Store Data In Chines Or Store In English?

I have two tables, one to store English and a second to store Chinese. How can I make an option to store in Chinese or store in English? For example, if someone wants to store in Chinese then the admin should be able to see the English version to translate into Chinese and store it.


Safe To Make Use Of 5.3.0 New Functions Now?

As it depends on whether the host supports PHP 5.3, I wonder if all, or enough, hosting companies have upgraded their PHP environment to 5.3. Do you already use these new functions in your project?


Trying To Make Characters Safe For My RSS Feed

Whenever users write a post in Microsoft Word and then post it to their weblogs using my PHP software, their RSS feed ends up being corrupted with garbage characters which violate the well-formedness of their XML and therefore cause their newsreaders to die. Code:


Make Password Storage Safe?

How much safer is this than just md5? I've just started looking into password security. I'm pretty new with PHP.

$salt = 'csdnfgksdgojnmfnb';
$password = md5($salt.$_POST['password']);
$result = mysql_query("SELECT id FROM users
WHERE username = '".mysql_real_escape_string($_POST['username'])."'
AND password = '$password'");


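Added example (editor's, not from the post or its replies). A single fixed salt for every user means two users with the same password get the same hash, one precomputed table covers the whole user base, and a leaked source file reveals the salt; on top of that md5 is fast enough that an offline attacker tests billions of guesses per second. password_hash() gives each password its own random salt (stored inside the hash string) and a tunable work factor. No database is needed: the script produces and checks the hashes itself.

```php
<?php
// Added example (editor's). Compares the posted scheme with password_hash();
// the passwords are constructed test values.

declare(strict_types=1);

// The posted scheme, for comparison only.
function legacyHash(string $password): string
{
    $salt = 'csdnfgksdgojnmfnb';
    return md5($salt . $password);
}

// bcrypt via password_hash(): random per-user salt inside the hash string, and
// a cost that makes every guess deliberately slow (raise it as hardware improves).
function storeHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Verify in constant time, and upgrade the stored hash whenever the algorithm
// or cost has moved on since it was made; the caller persists the new value.
function checkLogin(string $password, string &$storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => 12])) {
        $storedHash = storeHash($password);
    }
    return true;
}

$h1 = legacyHash('hunter2');
$h2 = legacyHash('hunter2');
echo 'legacy, same password twice: ', ($h1 === $h2 ? 'identical' : 'different'), "\n";   // identical

$s1 = storeHash('hunter2');
$s2 = storeHash('hunter2');
echo 'bcrypt, same password twice: ', ($s1 === $s2 ? 'identical' : 'different'), "\n";   // different

var_dump(checkLogin('hunter2', $s1));      // bool(true)
var_dump(checkLogin('hunter3', $s1));      // bool(false)
```

This also changes the query in the post: the hash can no longer be compared inside SQL, so select the row by username alone and call password_verify() on the fetched hash, which is what the earlier session example on this page does.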

Using Get_html_translation_table To Make Entities XML Safe?

I would like to convert all named entities to decimal numbered entities for XML support. The code below fixes some but not all entities. For example, "—" remains unchanged. It should be changed to: PHP Code:

$str='Hello Krämer — this is a "test".';
echo htmlentities2unicodeentities($str);


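Added example (editor's, not from either post or their replies) serving this question and "Trying To Make Characters Safe For My RSS Feed" above, since both are about producing well-formed XML from user text. Three things break feeds: text pasted from Word arrives as Windows-1252 bytes (smart quotes, em dash) that are not valid UTF-8; XML 1.0 forbids most control characters outright; and HTML named entities such as &mdash; and &auml; are not defined in XML at all, only the five built-in ones and numeric references are. htmlentities2unicodeentities() from the post is not on the page, so the function below is the editor's own implementation of that idea. Sample strings are constructed.

```php
<?php
// Added example (editor's). Sample inputs are constructed. Requires mbstring.

declare(strict_types=1);

// 1. Windows-1252 bytes (0x93/0x94 smart quotes, 0x97 em dash) are not valid
//    UTF-8; convert them instead of letting them corrupt the feed.
function toUtf8(string $s): string
{
    return mb_check_encoding($s, 'UTF-8') ? $s : mb_convert_encoding($s, 'UTF-8', 'Windows-1252');
}

// 2. XML 1.0 forbids most C0 control characters even when escaped; drop them.
function stripXmlInvalid(string $s): string
{
    return preg_replace('/[^\x{9}\x{A}\x{D}\x{20}-\x{D7FF}\x{E000}-\x{FFFD}\x{10000}-\x{10FFFF}]/u', '', $s);
}

// 3. Keep the five XML entities, turn every other known HTML name into a
//    decimal numeric reference, and neutralise the ampersand of anything unknown.
function namedToNumeric(string $s): string
{
    return preg_replace_callback('/&([A-Za-z][A-Za-z0-9]*);/', function (array $m): string {
        if (in_array($m[1], ['amp', 'lt', 'gt', 'quot', 'apos'], true)) {
            return $m[0];
        }
        $decoded = html_entity_decode($m[0], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if ($decoded === $m[0]) {
            return '&amp;' . $m[1] . ';';          // unknown entity: make it literal text
        }
        // Any non-ASCII character becomes &#NNNN;; ASCII results stay as they are.
        return mb_encode_numericentity($decoded, [0x80, 0x10FFFF, 0, 0x1FFFFF], 'UTF-8');
    }, $s);
}

function xmlSafe(string $s): string
{
    return namedToNumeric(stripXmlInvalid(toUtf8($s)));
}

$word = "\x93quoted\x94 \x97 done\x01";                       // Windows-1252 bytes plus a stray control char
$html = 'Hello Kr&auml;mer &mdash; this is a &quot;test&quot; &bogus;';

echo xmlSafe($word), "\n";   // curly quotes and the dash as UTF-8, control character removed
echo xmlSafe($html), "\n";   // Hello Kr&#228;mer &#8212; this is a &quot;test&quot; &amp;bogus;
```

The conversion in step 1 is a guess that non-UTF-8 input is Windows-1252, which is right for Word pastes but not for every encoding; if the editor can declare its charset, use that instead of guessing.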

Make Safe For MYSQL Insert?

I'm inserting user input into mysql. I'm going to be later displaying the information. I'm using nl2br to preserve the "enters". I want to remove all other HTML from the input as well make the information safe to insert into the database.

This is what I'm using now. Is this enough?

PHP Code:

$message =nl2br(htmlspecialchars($_POST['message'], ENT_QUOTES));

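Added example (editor's, not from any of the posts or replies) for this question, for "Make PDO Select Queries HTML Safe?" and for "Safe To Store XHTML Code In A Database?" above. PDO has no function for this because it only protects the SQL layer; what a browser does with the text is a separate output context. The safe pattern is to store what the user typed unchanged and to encode at output for the context the text is going into: htmlspecialchars() for plain text (with nl2br() applied after it, not before), and a real HTML sanitizer for rich text that is meant to render. The strings below are constructed and no database is involved.

```php
<?php
// Added example (editor's). Stored strings are constructed.

declare(strict_types=1);

// Store what the user typed, unchanged: the same text may later go to HTML,
// JSON, a mail body or a feed, each of which needs different encoding.
function fromWysiwyg(string $raw): string
{
    return $raw;
}

// Output as inert text: every tag becomes visible characters, so a stored
// <script> renders as the letters "<script>". ENT_QUOTES also covers attribute
// values; the charset must match the page's declared charset.
function asText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Comments that should keep their line breaks: escape FIRST, then nl2br, so the
// <br /> tags it inserts are the only markup in the output.
function asTextWithBreaks(string $s): string
{
    return nl2br(asText($s));
}

// Rich text the site chooses to render: strip_tags() with an allow-list keeps
// the attributes of allowed tags, including onmouseover= and href="javascript:",
// so it is not a sanitizer on its own. The two regexes show why; in production
// use a whitelist-based library (HTML Purifier) rather than this illustration.
function asRichText(string $s): string
{
    $s = strip_tags($s, '<a><b><u><i><p><br>');
    $s = preg_replace('/\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $s);
    $s = preg_replace('/href\s*=\s*(["\']?)\s*javascript:[^"\'>\s]*\1/i', 'href="#"', $s);
    return $s;
}

$stored = fromWysiwyg("<b>Bold text</b>\n<a href=\"javascript:alert(1)\" onmouseover=\"alert(2)\">Google</a>");

echo asText($stored), "\n";
// &lt;b&gt;Bold text&lt;/b&gt; ... &lt;a href=&quot;javascript:alert(1)&quot; ...: shown literally, nothing runs

echo asTextWithBreaks($stored), "\n";
// the same, with <br /> inserted where the newline was

echo asRichText($stored), "\n";
// <b>Bold text</b> (newline) <a href="#">Google</a>: bold renders, handler and javascript: URL removed
```

So for the question about storing XHTML and calling htmlspecialchars() on output: yes, that is safe, with the caveat that it displays the markup rather than rendering it; rendering stored markup is the case that needs the sanitizer.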

Store User Preferences For Further Queries?

I would like to implement a mailing system which sends my registered users notifications when a new blog post matches their configured preferences.

When the user configures their preferences, this basically creates a SQL query underneath, but I don't find it really clean/safe to store a SQL query in a database. Unless I'm told otherwise.

Also, I want a solution that will scale well if I add more filter criteria in the future.

PS: I am not looking for a mailing library. I am only looking for a hint on how I need to design my application in the most efficient way.

Edit: I received two similar answers offering the same solution. I'm afraid my question is a bit more complicated though.

The solution works if I only add possible tag preferences.

What if I want to make specific filterings possible, e.g.: UserB wants to get notified when a post tagged html is made and has at least one comment (or vote).

That is why I said that a SQL query is basically created as the user selects their preferences.

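Added example (editor's, not from the post or its replies). The instinct in the post is right: a stored SQL string is executable code in the database, so a bug anywhere in the preferences UI becomes stored SQL injection. Store the preferences as structured criteria instead (one JSON document per user, or one row per criterion) and compile them to SQL at notification time against a fixed table of allowed fields and operators, binding every user-supplied value. The "tag = html AND at least one comment" case from the edit is exactly two criteria. Table and column names are assumptions.

```php
<?php
// Added example (editor's). Table/column names and the criteria format are
// assumptions; the compiled SQL is printed rather than executed.

declare(strict_types=1);

// Only these columns and operators can ever appear in generated SQL. Adding a
// filter later means adding one line here, never touching stored rows.
const FIELDS = [
    'tag'           => ['column' => 'tags.name',           'ops' => ['=']],
    'comment_count' => ['column' => 'posts.comment_count', 'ops' => ['>=', '<=', '=']],
    'vote_count'    => ['column' => 'posts.vote_count',    'ops' => ['>=', '<=', '=']],
    'author_id'     => ['column' => 'posts.author_id',     'ops' => ['=', '!=']],
];

// Criteria as stored per user, e.g.
//   [{"field":"tag","op":"=","value":"html"},{"field":"comment_count","op":">=","value":1}]
// Returns [sql, params]; the SQL contains only whitelisted tokens plus placeholders.
function compile(string $json): array
{
    $criteria = json_decode($json, true, 4, JSON_THROW_ON_ERROR);
    if (!is_array($criteria) || $criteria === []) {
        throw new InvalidArgumentException('no criteria');
    }
    $where  = [];
    $params = [];
    foreach ($criteria as $i => $c) {
        $field = $c['field'] ?? '';
        $op    = $c['op'] ?? '';
        $value = $c['value'] ?? null;
        if (!isset(FIELDS[$field]) || !in_array($op, FIELDS[$field]['ops'], true)) {
            throw new InvalidArgumentException("criterion $i: unknown field or operator");
        }
        if (!is_int($value) && !is_string($value)) {
            throw new InvalidArgumentException("criterion $i: value must be an int or string");
        }
        $where[]        = FIELDS[$field]['column'] . " $op :p$i";
        $params[":p$i"] = $value;
    }
    $sql = 'SELECT DISTINCT posts.id FROM posts '
         . 'JOIN post_tags ON post_tags.post_id = posts.id '
         . 'JOIN tags ON tags.id = post_tags.tag_id '
         . 'WHERE posts.id = :new_post_id AND ' . implode(' AND ', $where);
    return [$sql, $params];
}

[$sql, $params] = compile('[{"field":"tag","op":"=","value":"html"},{"field":"comment_count","op":">=","value":1}]');
echo $sql, "\n";
print_r($params);
// At notification time, per user:
//   $stmt = $pdo->prepare($sql);
//   $stmt->execute($params + [':new_post_id' => $newPostId]);
//   if ($stmt->fetchColumn() !== false) { queue the mail }

try {
    compile('[{"field":"tag; DROP TABLE posts","op":"=","value":"x"}]');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";          // never reaches SQL
}
```

For scale, the notification job compiles each user's criteria once and runs them against the single new post id, so the cost per post is one cheap indexed query per subscriber rather than a scan of all posts per user.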

Make A Query Completely SQL - Injection - Safe With PDO?

I've been reading 2 hours about mysql_real_escape() and addslashes() and stuff, but my question is: how can I do this to work with PDO and be completely safe?

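Added example (editor's, not from the post or its replies). Bound parameters make the values safe, but "completely" also has to cover the parts of a query that cannot be bound: column names, sort direction and other keywords, and values such as LIMIT that must be bound with the right type. This shows all three with an in-memory SQLite database and constructed rows, and turns off emulated prepares, which on MySQL is what makes PDO client-side string splicing instead of real server-side prepared statements.

```php
<?php
// Added example (editor's). In-memory SQLite with constructed rows.

declare(strict_types=1);

function postsDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Real prepared statements: the server parses the SQL once and values never
    // touch the statement text. SQLite never emulates; for MySQL set it explicitly.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, created TEXT)');
    $pdo->exec("INSERT INTO posts VALUES (1,'b','2015-01-02'), (2,'a','2015-01-03'), (3,'c','2015-01-01')");
    return $pdo;
}

// User-facing sort keys mapped to real column names.
const SORTABLE = ['id' => 'id', 'title' => 'title', 'date' => 'created'];

function listPosts(PDO $pdo, string $sort, string $dir, $limit): array
{
    // 1. Identifiers cannot be bound: map a user token onto a known column.
    if (!isset(SORTABLE[$sort])) {
        throw new InvalidArgumentException('unknown sort column');
    }
    // 2. Keywords cannot be bound either: choose between fixed strings.
    $dirSql = strtolower($dir) === 'desc' ? 'DESC' : 'ASC';
    // 3. LIMIT is a value, but bound as a string it is quoted and the query fails;
    //    validate the range and bind it as an integer.
    if (!ctype_digit((string) $limit) || (int) $limit < 1 || (int) $limit > 100) {
        throw new InvalidArgumentException('limit out of range');
    }
    $sql  = 'SELECT id, title FROM posts ORDER BY ' . SORTABLE[$sort] . " $dirSql LIMIT :lim";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':lim', (int) $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = postsDb();
print_r(listPosts($pdo, 'date', 'desc', '2'));              // ids 2 then 1
try {
    listPosts($pdo, 'id; DROP TABLE posts', 'asc', '2');     // rejected before any SQL is built
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The remaining thing PDO cannot do for you is second-order injection: a value bound safely on the way in is still just text, and if some other code later concatenates it into a query, the original binding does not help. Bind at every query, not only at the first one.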

Sanitizing Strings To Make Them URL And Filename Safe?

I am trying to come up with a function that does a good job of sanitizing certain strings so that they are safe to use in the URL (like a post slug) and also safe to use as file names. For example, when someone uploads a file I want to make sure that I remove all dangerous characters from the name. So far I have come up with the following function which I hope solves this problem and allows foreign UTF-8 data also.

/**
 * Convert a string to the file/URL safe "slug" form
 * @param string $string the string to clean
 * @param bool $is_filename TRUE will allow additional filename characters
 * @return string
 */
function sanitize($string = '', $is_filename = FALSE)
{
    // function body not shown in the post
}


Does anyone have any tricky sample data I can run against this - or know of a better way to safeguard our apps from bad names? $is_filename allows some additional characters like temp vim files. Update: removed the star character since I could not think of a valid use.

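Added example (editor's, not from the post or its replies), and the tricky sample data the post asks for. The two uses pull in different directions: a slug wants to keep non-ASCII letters and only needs to be a harmless path segment, while a stored file name should not be the client's name at all. The approach below lets the upload name contribute only an allowed extension and a readable stem, and has the server generate the rest, which removes traversal, NUL bytes and double extensions as a class rather than one character at a time. The allowed extension list and the test strings are assumptions.

```php
<?php
// Added example (editor's). Test strings at the bottom are constructed.
// Requires mbstring and PHP 7+ (random_bytes).

declare(strict_types=1);

// URL slug: lowercase, any run of non-letter/non-digit characters becomes one
// hyphen, non-ASCII letters are kept (a URL encoder will percent-encode them).
function slug(string $s, int $maxLen = 80): string
{
    $s = mb_strtolower(trim($s), 'UTF-8');
    $s = preg_replace('/[^\p{L}\p{N}]+/u', '-', $s);
    $s = trim($s, '-');
    $s = rtrim(mb_substr($s, 0, $maxLen, 'UTF-8'), '-');
    return $s === '' ? 'untitled' : $s;
}

// Stored file name: the client name only selects an allowed extension and a
// slugged stem; the server adds a random suffix, so "../../x", "evil.php\0.jpg"
// and "evil.php.jpg" cannot reach the filesystem in any harmful form.
function storedFileName(string $clientName, array $allowedExt = ['jpg', 'jpeg', 'png', 'gif', 'pdf']): string
{
    $base = basename(str_replace("\0", '', $clientName));   // drop NUL bytes and any directory part
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new InvalidArgumentException("extension '$ext' not allowed");
    }
    $stem = slug(pathinfo($base, PATHINFO_FILENAME), 40);
    return $stem . '-' . bin2hex(random_bytes(8)) . '.' . $ext;
}

$tests = [
    'Hello World!  Привет, мир',
    '../../etc/passwd',
    'résumé (final)_v2.PDF',
];
foreach ($tests as $t) {
    echo $t, ' => ', slug($t), "\n";
}
// Hello World!  Привет, мир => hello-world-привет-мир
// ../../etc/passwd           => etc-passwd
// résumé (final)_v2.PDF      => résumé-final-v2-pdf

echo storedFileName("../../evil.php\0.jpg"), "\n";      // evil-php-<16 hex chars>.jpg
echo storedFileName('résumé (final)_v2.PDF'), "\n";     // résumé-final-v2-<16 hex chars>.pdf
try {
    storedFileName('shell.php');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Two caveats a sanitizer cannot cover: the extension says nothing about the content, so images should still be checked with finfo or re-encoded, and the upload directory should not be executable by the web server even when the names are clean.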

Copyrights 2005-15, All rights reserved