Reputation: 21
This won't work. I'm not that great with PHP and I can't seem to find the right way to do it.
$q2= "select * from cars";
setcookie("query", $q2, time()+3600);
Thanks for everyone's advice, I have now used sessions, that's OK, right? I am however still stuck; I'll try to explain as best I can.
I am using pagination. The user searches for cars by area, make, model etc. When they submit, a file checks what they wish to search and stores the correct SQL in a session; another file then uses this session to run the pagination. The first page displays correctly, but the second displays as if the user has searched for all available cars. I know why it's doing it: when the page refreshes, the file that checks what the user is searching for now takes it that the user hasn't selected anything specific. I think I just need to move things around, but I can't work it out. Can someone please help me!
Upvotes: 1
Views: 1355
Reputation: 157914
Yes, you have to add all search parameters to the pagination links.
Here is a basic pagination example below. Note the http_build_query part - it's the thing you're asking for.
However, I see no use for the sessions here.
<?php
// $db is assumed to be an open mysqli connection; the original used the
// mysql_* functions, which were removed in PHP 7.
$per_page = 10;
// Initialise the arrays so the template loops also work with an empty result
$DATA = array();
$PAGES = array();
// Let's put FROM and WHERE parts of the query into variable
$from_where = "FROM Post WHERE active ='1'";
// and get total number of records
$sql = "SELECT count(*) ".$from_where;
$res = mysqli_query($db, $sql) or trigger_error(mysqli_error($db)." in ".$sql);
$row = mysqli_fetch_row($res);
$total_rows = (int)$row[0];
// let's get page number from the query string (never lower than 1)
if (isset($_GET['page'])) $CUR_PAGE = max(1, intval($_GET['page'])); else $CUR_PAGE = 1;
// and calculate $start variable for the LIMIT clause
$start = ($CUR_PAGE-1)*$per_page;
// Let's query database for the actual data
$sql = "SELECT * $from_where ORDER BY PostID DESC LIMIT $start,$per_page";
$res = mysqli_query($db, $sql) or trigger_error(mysqli_error($db)." in ".$sql);
// and fill an array
while ($row = mysqli_fetch_array($res)) $DATA[++$start] = $row;
// now let's form new query string without page variable
$uri = strtok($_SERVER['REQUEST_URI'],"?")."?";
$tmpget = $_GET;
unset($tmpget['page']);
if ($tmpget) {
    $uri .= http_build_query($tmpget)."&";
}
// now we're getting total pages number and fill an array of links
$num_pages = ceil($total_rows/$per_page);
for ($i=1; $i<=$num_pages; $i++) $PAGES[$i] = $uri.'page='.$i;
// and, finally, starting output in the template.
// Values from the database and from the request URI are escaped on output.
?>
Found rows: <b><?=$total_rows?></b><br><br>
<?php foreach ($DATA as $i => $row): ?>
<?=$i?>. <a href="?id=<?=urlencode($row['id'])?>"><?=htmlspecialchars($row['title'], ENT_QUOTES)?></a><br>
<?php endforeach ?>
<br>
Pages:
<?php foreach ($PAGES as $i => $link): ?>
<?php if ($i == $CUR_PAGE): ?>
<b><?=$i?></b>
<?php else: ?>
<a href="<?=htmlspecialchars($link, ENT_QUOTES)?>"><?=$i?></a>
<?php endif ?>
<?php endforeach ?>
Upvotes: 1
Reputation: 2077
Saving queries to cookies is bad news. You are giving anyone who accesses your website information about your database and the ability to execute whatever they want. For example, suppose I find the cookie file on my hard drive and edit it so that the query is
delete * from cars
Would this create a problem for you?
Upvotes: 6
Reputation: 838906
It's a bad idea - don't do it.
The cookie is saved on the client computer. The user could modify the SQL in the cookie without you knowing. Then if you fetch the data from the cookie and execute the query you will be running arbitrary SQL code of your user's choice which is a security risk.
If you need to save something, save the parameters only, and validate them when you receive them from the client. Also remember to escape them properly before including them in your query.
Upvotes: 1
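The approach the answers above converge on (only the search parameters travel with the request, the server validates them and builds the SQL itself, and every pagination link repeats them), as an added example that is not code from this thread. The `cars` table layout, the `area`/`make`/`model` column names, the `/cars.php` path and the sample rows are assumptions.

```php
<?php
// Added example: table layout, column names and sample rows are constructed.
const ALLOWED_FILTERS = ['area', 'make', 'model']; // the only columns a client may filter on
const PER_PAGE = 2;

function search_cars(PDO $db, array $get, string $base = '/cars.php'): array
{
    // Keep only whitelisted, non-empty string parameters; everything else is dropped.
    $filters = [];
    foreach (ALLOWED_FILTERS as $col) {
        if (isset($get[$col]) && is_string($get[$col]) && $get[$col] !== '') {
            $filters[$col] = $get[$col];
        }
    }
    // Column names come from the whitelist, values are bound as parameters.
    $where = $filters
        ? 'WHERE ' . implode(' AND ', array_map(fn($c) => "$c = :$c", array_keys($filters)))
        : '';
    $count = $db->prepare("SELECT COUNT(*) FROM cars $where");
    $count->execute($filters);
    $pages = max(1, (int) ceil($count->fetchColumn() / PER_PAGE));

    // Clamp the page number to the valid range before using it in LIMIT.
    $page = min($pages, max(1, (int) ($get['page'] ?? 1)));
    $stmt = $db->prepare("SELECT * FROM cars $where ORDER BY id LIMIT :lim OFFSET :off");
    foreach ($filters as $c => $v) $stmt->bindValue(":$c", $v);
    $stmt->bindValue(':lim', PER_PAGE, PDO::PARAM_INT);
    $stmt->bindValue(':off', ($page - 1) * PER_PAGE, PDO::PARAM_INT);
    $stmt->execute();

    // Every pagination link carries the validated filters, so page 2 repeats the search.
    $links = [];
    for ($i = 1; $i <= $pages; $i++) {
        $links[$i] = $base . '?' . http_build_query($filters + ['page' => $i]);
    }
    return ['rows' => $stmt->fetchAll(PDO::FETCH_ASSOC), 'page' => $page, 'links' => $links];
}

// Constructed sample data in an in-memory SQLite database, so the example runs offline.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE cars (id INTEGER PRIMARY KEY, area TEXT, make TEXT, model TEXT)');
$db->exec("INSERT INTO cars (area, make, model) VALUES ('Leeds','Ford','Focus'),
    ('Leeds','Ford','Fiesta'), ('Leeds','Ford','Ka'), ('York','Audi','A3')");

// Stand-in for $_GET on the second page; "sql" is ignored because it is not whitelisted.
$result = search_cars($db, ['area' => 'Leeds', 'make' => 'Ford', 'page' => '2', 'sql' => 'x']);
foreach ($result['rows'] as $r) echo htmlspecialchars($r['model'], ENT_QUOTES), "\n";
foreach ($result['links'] as $i => $l) echo $i, ': ', htmlspecialchars($l, ENT_QUOTES), "\n";
```

Nothing the client sends is ever treated as SQL text: a tampered parameter can only change which whitelisted column value is matched.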
Reputation: 1537
Don't do this. If you're storing your SQL in a cookie then a malicious user can modify their cookie value and easily gain access to your database.
Upvotes: 2