Is It Safe To Store A Value In A Session Variable And Make Queries On The Value

I have a site, where the username is stored in a session variable when they are logged in, I am wondering is it safe to make queries off of the value stored in this session variable?


Make PDO Select Queries HTML Safe?

I'm new to PDO and just started using it. I already inserted, updated and deleted data using it and it's very simple to use the basics.

In a test environment I inserted some HTML codes to the database. Like:

<a href="">Google</a>
<b>Bold text</b>
<u>Underlined text</u>

I'm trying this out, because I'm using a simple WYSIWYG editor on my site for the users and I want to be sure the data is safe.

Using the following:

$stmt = $dbh->prepare("SELECT * FROM naruto WHERE id = :id AND name = :name");
/*** bind the paramaters ***/
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$stmt->bindParam(':name', $name, PDO::PARAM_STR, 5);


Where name is the different HTML codes, the HTML is just executed. So the text is bold and not in the format text< /b>.

I'm wondering if there is a function for PDO to stop this. Or do I just need to use htmlentities and strip_tags?

View 2 Replies View Related

Is It Safe To Store User_id In Session?

What I was wondering is how safe it is to store user_id or username or anything like that in session. I usualy store a bunch of info in a session so I do not need to search the database all the time. However, is it easy to change a value after being logged in?

For example:

- A user logs in ...

View 11 Replies View Related

Jquery .post Used To Store Session Variable - Avoid Refresh To Call Session Value?

I am using jquery's .post ajax call to pull an form input value and pass it to a php file that starts a session and stores the value in it. The session value is then called on a different page. The problem is, this all takes place without a page refresh, so the session value is always one page refresh behind. I.E.

the first time the session value is called it is blank, but after refresh the value is loaded with the initial input value. When refreshing again, the session's second value is pulled. So, the session value is never current... it is one behind. How can make it so the php session variable is current without needing to do a refresh?

View 3 Replies View Related

Create Session Then Store A Session Variable

I use the following code to create session then store a session variable called query and then redirect to another page called insertaccount.php where i wish to use the
session value query. when i get to insertaccount.php the session variable query does not exist.can any one tell me why this is.

$_SESSION['query'] = $query;

$sql_query = $_SESSION['query'];

View 1 Replies View Related

Store A Variable Available To Every Session?

I wanted to know what would be a good way for storing the information required by a something like a hit counter. I was wondering if this was possible using some session-like technique, but available to everyone.I am concerned about speed/performance, and not memory usage since the data to be store is minimal.

View 2 Replies View Related

How To Store Session Value In A Variable?

Is this the right way to extract and store the session variable value?

$memid =mysql_real_escape_string($_SESSION['SESS_MID']));

View 2 Replies View Related

Safe MySQL Queries

After realising how easy it is for a malicious user to inject an sql query
into a paramenter for a query, e.g:

$query = "SELECT name FROM employees WHERE ID = ".$HTTP_GET_VARS['id']

And the user enters for the query string: mypage.php?id=1 UNION DISTINCT....

I'm trying to work out what level of protection is needed. As far as I can
see, for integer values I should just validate that a numeral has been
entered, and for text the addslashes() or mysql_escape_string() functions
are enough. Am I right in saying this?

View 4 Replies View Related

Writing Safe SQL Queries?

writing safe SQL queries e.g. single quotes, double quotes, etc. What's the best practice?

View 17 Replies View Related

Failing To Store Value Of Session Variable!

When I try to register a session variable by, for an example:
$value = "foo";

It doesn't want to be registered, i have tried to access it by:

The session file that is created then I start the session looks like this:

It seems like it doesnt wanna register the value.

View 2 Replies View Related

Store Cart Variable In Session?

i want to store cart variable in session. what is a correct way to encrypt or decrypt or hasshing??

View 3 Replies View Related

Safe Insert Queries For Mysql ?

I was wondering the folllowing: when i insert something
into a mySQL DB -in a guestbook for instance- i mostly use
mysql_escape_string($_POST['comment'). now i've seen
mysql_real_escape_string, and i was wondering if there's a
big difference between them, but most of all, i was wondering
if 'addslashes()' is safe enough, because i noticed that
stripslashes() doesn't strip all 'mysql_escape_string' slashes,
but does strip all 'addslashes()' ... :-s

I know there's something called mySQL-injection, and if i
got it correctly, that would mean executing queries
e.g. by submitting a " and then a query ...
of course i want to prevent this.

View 3 Replies View Related

Store Form Data As Session Variable?

So I was wondering if it would be possible to store data coming in from a form as a session variable. Heres what I have so far, but I don't know what to put for the Form Action.

<strong>Test Form</strong>
<form action="" method"post">
<input type="text" name="picturenum"/>
<input type="submit" name="Submit" value="Submit!" />
if (isset($_POST['Submit'])) {
$_session['picturenum'] = $_POST['picturenum'];
<strong><? echo $_session['picturenum'];?></strong>

View 4 Replies View Related

Can't Store A Class Instance As A SESSION Variable

I have a PHP script that is called in 2 ways from a Dojo Ajax xhrGet call. The first time it is called with an "init" argument which causes the script to create an instance of the StateList class and read in a file of state names.



However, the getSize() method is never executed, nor can I call any other method on the reconstituted StateList class instance. Note that this is one PHP script that DOES include the class definition at the top and thus the class methods should be known and avaialble.

View 5 Replies View Related

Make A Function Read Form A Txt File And Store Random Lines In A Variable?

How do you make a function read form a txt file and store random lines in a variable? It will be run over and over in a foreach loop. The language is PHP.

View 3 Replies View Related

Xml - Use Global Variable And Store Xml Type Object In Session?

I have some problem with PHP global variable usage.I searched from StackOverflow, but nothing is like mine (at least i didn't found).I have 2 php page.Index.php and Account.php.Index.php calls account.php by ajax.Account.php must receive some xml data from other URL and store it. After that Index.php must use it.

on index.php:

var dataString = 'user='+ $("#login-name").val() + '&pass=' + $("#login-pass").val();


How can I pass $xml into index .php?My question is more like "How can I store xml type object in session".Because currently I using session for store data.But in case of string data its working okey with below line:

$_SESSION['user_name'] = (string)$xml->request->username;

If I remove (string) from it, it made error like Fatal error: Exception thrown without a stack frame in Unknown on line 0, But I need pass object, not string.

View 2 Replies View Related

Is It Faster To Recreate An Object Or Store It In A Session Variable

Recreate an object instance each time someone goes to a page during a session or Store the object instance in a session variable when it first gets created, then always grab it from there when the page is accessed again I'm not sure if this will turn out to be a "How long is a piece of string?"

View 5 Replies View Related

Store And Recall The Last Radio Button Clicked In A Session Variable?

I'm trying to figure out the best way to display text based on which radio button a user has clicked. I am having trouble using sessions to do this. When I use the following code, only the information related to the radio button that was first clicked is displayed (e.g., if someone clicks on radion button "A," then changes his mind and clicks on radio button "B," the session seems to think "A" is still clicked.Here's the HTML:

<div class="radio">
<label for="choice1">Choice 1</label>
<input class="selection" id="choice1" type="radio" name="selection" value="choice1"/>


View 1 Replies View Related

Online Order System Looping And Store Each Checked Off Item As A Session Variable?

I am designing an online ordering system for a restaurant.I have a menu with check boxes by each item where the customer can select which items they desire.The menu is located at problem is that when the order is processed I need it to store each checked off item as a session variable.In the following code, it only selects the first item checked and not the rest if there is more than one.

foreach ($item as $itemname)
$query = mysql_query("SELECT * FROM `menu` WHERE title = '$itemname'");


View 3 Replies View Related

Safe To Store XHTML Code In A Database?

Is it safe to store XHTML code in a database?What I usually do is store XHTML in the database and then just use htmlspecialchars() when outputting it on the website.

View 7 Replies View Related

How To Store Main Settings - File To Be Safe?

I have DB password and other important information stored in settings.php. I will put settings.php outside public directory.But what I am not sure about is that I use to require_once settings.php into every page (index.php, users.php, profile.php, login.php, ...). Is that safe? I was thinking that if somebody came into any single main file, he will find out where I store setttings. If this file wouldn't be included in this way, than this won't be happen in any file.for example file users.php starts like this:

require_once $_SERVER['DOCUMENT_ROOT'].'/languages/lang_'.$language.'.php';

View 1 Replies View Related

Make A Public Variable Hold Changing Session Values?

have a code structure like this

public static $userId;
public static $checkUserId;
public $chckUserId;
function __CONSTRUCT(){//Constructor
self::$userId = $_SESSION["userid"];//Asssign Current Logged In User's UserId

this works holding user session then i want to hold one changing session coz i ant to use it in all function of the class i want to be assigned in a public variable , i assigned and worked but not changing what could be the problem?

View 2 Replies View Related

Make Opetion To Store Data In Chines Or Store In English?

i have two table.One to store english and second store i can make opetion to store in chines or store in english.example if some one want to store in chines thenadmin should able to see the english version to translate into chinesand store.

View 5 Replies View Related

Safe To Make Use Of 5.3.0 New Functions Now?

As it depends on if the host support PHP 5.3, I wonder if all or enough many hosting company has upgraded their php environment to 5.3. Do you already use these new functions in your project?

View 3 Replies View Related

Trying To Make Characters Safe For My RSS Feed

Whenever users write a post in Microsoft Word and then post it to their weblogs using my PHP software, their RSS feed ends up being corrupted with garbage characters which violate the well-formedness of their XML and therefore cause their newsreaders to die. Code:

View 4 Replies View Related

Make Password Storage Safe?

How much more safer is this than just md5? I've just started look into password security. Im pretty new with php.

$salt = 'csdnfgksdgojnmfnb';
$password = md5($salt.$_POST['password']);
$result = mysql_query("SELECT id FROM users
WHERE username = '".mysql_real_escape_string($_POST['username'])."'
AND password = '$password'");


View 5 Replies View Related

Using Get_html_translation_table To Make Entities XML Safe?

I would like to convert all named entities to decimal numbered entities for XML support.The code below fixes some but not all entities. For example, "—" remains unchanged. It should be changed to: PHP Code:

$str='Hello Krämer — this is a "test".';
echo htmlentities2unicodeentities($str);


View 6 Replies View Related

Make Safe For MYSQL Insert?

I'm inserting user input into mysql. I'm going to be later displaying the information. I'm using nl2br to preserve the "enters". I want to remove all other HTML from the input as well make the information safe to insert into the database.

This is what I'm using now. Is this enough?

PHP Code:

$message =nl2br(htmlspecialchars($_POST['message'], ENT_QUOTES));

View 7 Replies View Related

Store User Preferences For Further Queries?

I would like to implement a mailing system which sends my registered users notifications when a new blog posts matches their configured preferences.

When the user config their preferences, this basically create a SQL query underneath, but I don't find it really clean/safe to store a SQL query in a database. Unless I'm told otherwise.

Also, I want a solution that will scale well if I add more filter's criterias in the future.

PS: I am not looking for a mailing library. I am only looking for a hint on how I need to design my application for the most efficient way.

Edit: I received two similar answers offering the same solutions. I'm afraid my question is a bit more complicated though.

The solutions works if I only add tags preferences possibles.

What if I want to make specific filterings possible eg: UserB wants to get notified when a post tagged html is made and have atleast one comments (or votes).

That is why I said that a SQL query is basically created as the users selects it's preferences.

View 2 Replies View Related

Make A Query Completely SQL - Injection - Safe With PDO?

I've been reading 2 hours about mysql_real_escape() and addslashes() and stuff, but my question is: how can I do this to work with PDO and be completely safe?

View 1 Replies View Related

Sanitizing Strings To Make Them URL And Filename Safe?

I am trying to come up with a function that does a good job of sanitizing certain strings so that they are safe to use in the URL (like a post slug) and also safe to use as file names. For example, when someone uploads a file I want to make sure that I remove all dangerous characters from the name. So far I have come up with the following function which I hope solves this problem and allows foreign UTF-8 data also.

* Convert a string to the file/URL safe "slug" form
@param string $string the string to clean
* @param bool $is_filename TRUE will allow additional filename characters
* @return string
function sanitize($string = '', $is_filename = FALSE)


Does anyone have any tricky sample data I can run against this - or know of a better way to safeguard our apps from bad names? $is-filename allows some additional characters like temp vim files update: removed the star character since I could not think of a valid use

View 10 Replies View Related

Security - Make Sure The Data In The Sessions Are Safe?

This is the senario: User logs in, if successful connection details for his database are stored in a session variables which are used to access information. Are there any precautions I need to make sure the data in the sessions are safe?

View 1 Replies View Related

What To Use In PHP To Make User Input Safe For MySQL Query?

I believe that you want to escape certain characters in a query, like quotes, backslash, semi-colon, etc. Is there a function in PHP to do all this for you and make the string safe to use as a query string?

View 1 Replies View Related

Security - Make Data Uploaded Safe During Transmission?

I'm allowing authenticated users to upload image files with my PHP application. Assume I've built in the necessary security to make sure the file itself is valid, is there a possibility of the http transmitted file to be intercepted in some way? If so, how can I protect the transmission of the file? Would HTTPS be the way to go?

Also, the web server the application resides on can only be accessed by authenticated users. Does this mean that the http stream of data is also protected? It would seem to me that it is.

View 4 Replies View Related

Make Web Form Input Safe For A Variety Of Contexts?

What do you all think is the correct (read: most flexible, loosely coupled, most robust, etc.) way to make user input from the web safe for use in various parts of a web application? Obviously we can just use the respective sanitization functions for each context (database, display on screen, save on disk, etc.), but is there some general "pattern" for handling unsafe data and making it safe? Is there an established way to enforce treating it as unsafe unless it is properly made safe?

View 3 Replies View Related

Make Data Safe To Input To Mysql Database

I'm just wondering what kind of things I should do to make sure that inputs from a form are safe to put into a mysql table?

I'm currently using ereg() on an input to make sure that only numbers are entered, but on other forms I've got thiongs such as names and other details. How do I make sure that they're not going to break my table?

View 1 Replies View Related

Character Replacements Should Be Performed To Make Base 64 Encoding URL Safe?

In looking at URL safe base 64 encoding, I've found it to be a very non-standard thing. Despite the copious number of built in functions that PHP has, there isn't one for URL safe base 64 encoding. On the manual page for base64_encode(), most of the comments suggest using that function, wrapped with strtr():

function base64_url_encode($input)
return strtr(base64_encode($input), '+/=', '-_,');

The only Perl module I could find in this area is MIME::Base64::URLSafe (source), which performs the following replacement internally:

sub encode ($) {
my $data = encode_base64($_[0], '');

View 5 Replies View Related

Safe Timeout Value For Codeigniter Session Class?

I am using codeigniter's session class to handle my PHP sessions. One of the session variables automatically created on every visit to the site is session_id:

The user's unique Session ID (this is a statistically random string with very strong entropy, hashed with MD5 for portability, and regenerated (by default) every five minutes)

On my site I need to have functionality to track unregistered user's and I currently have this implemented by comparing the visitor's session_id with a stored id value in a VISITOR table in the database. This works perfectly except for the fact that the session id times out every five minutes. I would like my application to remember visitors for longer than 5 minutes (kind of like what SO does when you post a question or answer without registering).

My question is this: can you see any security issues with simply extending the regeneration time of the session class (to something like 12 hours)?

Update: based on the answers I've seen so far, it seems like its more of a performance concern rather than a safety issue. Its kinda weird how the codeigniter session class works because when creating a new session, it also creates a new cookie which seems to persist as long as the session. I guess I could create another cookie with the session ID that lasts as long as I need it to. But how much of a performance concern would it be if I were to save the sessions for something like 12 hours? Would it slow things down unless I have millions of unique visitors within a 12 hour period (

View 3 Replies View Related

Check If Friends With A User On Each Page - Store The Result In A Session Or Not To Session?

On a site like facebook, where they must make tonnes of sql statments on each page.. do you think that they for example check to see if you are friends with a user on each page.. or do they do it just once and store the result in a session... obviously it makes sense to store it in a session.. however it is easier to just do the request 'see if they are friends' on each page rather than having to check if sessions exists.. and if the session is for that friend... etc.

View 3 Replies View Related

How Safe Is A Session Based On A Db Field Id For User Identification

Just wanted to see if I am leaving open some security hole in a script I have! When the user logs in it creates a session based on the id field of the users table! For example .... my id is 10 so a session is created with based on that. What I wanted to know is if I want a secure way to identify a genuine user based on their session then should I make this session more complicated by adding further details? Or even create multiple sessions? I am currently checking the user against my sql table id against their session but thought that if someone created a session from another website with for example the number 10 then I wouldnt want them being able to access my members account whose ID number is 10!

View 2 Replies View Related

Copyrights 2005-15, All rights reserved