Sedaition

Reputation: 61

Using Session-Variable to call Data from mysql server

I'm designing a web based php reporting system. It involves multiple pages that insert and update to a mysql server. Basically, I want someone to be able to log on, start a report, then go through a fairly long reporting process step by step. Before they were simply filling out excel spreadsheets. I've basically set up a $_SESSION[$var] = (the auto increment ID) of the score table.

```php
// Look up the auto-increment ID of the score row just created for this report.
// Values are interpolated straight into the SQL string and run through the old
// mysql_* extension (removed in PHP 7), as in the original code.
$returnQuery = "SELECT AssessmentID FROM opsassessment.assessmentscores
                WHERE Date = '$Date' AND InspectorID = '$inspectorResult2[0]'
                AND PlantAssistID = '$assistResult2[0]' AND Plant = '$plantResult2[0]'";

$return  = mysql_query($returnQuery);
$return2 = mysql_fetch_row($return);

// Keep the row ID in the session so the later steps can update the same row
$_SESSION["return2"] = $return2[0];
echo "The ID for this session is: " . $_SESSION["return2"];
```

I then assign the session variable to a variable within each page. Then use that variable to update the assessmentscores table with data from several checkboxes. I have two questions about this:

  1. Is there a "better" way of doing this? Vague, I know. While the system does work, I have a suspicion that there is an easier or more traditional way of doing it.

  2. How much of a security risk am I running by using sessions? Note: this is a closed-off network, so no one outside the company should be able to access the web pages unless the network is already hacked. Also, I've implemented SQL injection prevention such as stripping HTML and special characters.

Any comments and/or feedback would be appreciated.

Upvotes: 1

Views: 365

Answers (2)

Vinicius Kamakura

Reputation: 7778

Sessions were meant to do EXACTLY what you are doing.

And they are safer than the other options, because their storage is server-side (as opposed to cookie storage), so the only way someone can access the sessions is if they have access to the web server's session directory, and if that happens you have bigger problems to worry about.

It is possible to steal a session, but the attacker would need the user's session cookie.

But keep doing like you are doing, store the row's primary ID to prevent extra queries, it is the way it should be done (I would use the $_SESSION variable directly, instead of copying it to another var)

More on session security on SO:

PHP Session Security

Security of $_SESSION array

Upvotes: 0

Marc B

Reputation: 360642

The session data is as secure as your server is. None of the data stored IN the session is ever physically transmitted to the user, unless you choose to do so.

The only session-related data that ever is (or SHOULD be) transmitted to the user is the ID of the session.

However, storing the ID number in the session can be problematic. Consider the case where a user starts two reports at roughly the same time. Whichever report is started last will overwrite the ID number of the first report, and now all operations in both windows affect report #2.

Upvotes: 1
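Putting the question's lookup and Marc B's two-windows point together, the following is an added example (not code from the question or either answer): each report gets its own random token that maps to the row ID inside the session, so a second report opened in another tab gets its own slot, and the ID itself never travels to the browser. The `$db` mysqli connection, `session_start()` having been called, and the `CheckA`/`CheckB` checkbox columns are assumptions.

```php
<?php
// Added example, not from the question or answers. Assumes a mysqli connection
// in $db, session_start() already called, and an assessmentscores table with an
// auto-increment AssessmentID column as described in the question.

// Start a new report row and remember its ID under a random per-report token,
// so a second report opened in another tab does not overwrite the first one.
function start_report(mysqli $db, string $date, string $inspector, string $assist, string $plant): string
{
    $stmt = $db->prepare(
        "INSERT INTO opsassessment.assessmentscores (Date, InspectorID, PlantAssistID, Plant)
         VALUES (?, ?, ?, ?)"
    );
    $stmt->bind_param('ssss', $date, $inspector, $assist, $plant);  // no string interpolation
    $stmt->execute();
    $token = bin2hex(random_bytes(16));               // unguessable handle for this report
    $_SESSION['reports'][$token] = $db->insert_id;    // the row ID stays server-side
    return $token;                                     // embed in each form as a hidden field
}

// Resolve the token sent back with a form to the report ID stored server-side.
// An unknown token (another session's, expired, or tampered) yields null instead
// of letting the client pick an arbitrary row ID.
function current_report_id(array $post): ?int
{
    $token = $post['report_token'] ?? '';
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null;
    }
    return $_SESSION['reports'][$token] ?? null;
}

// One step page: update the (assumed) checkbox columns on the report the token names.
function save_step(mysqli $db, array $post): bool
{
    $id = current_report_id($post);
    if ($id === null) {
        return false;   // no valid report in this session: refuse rather than guess
    }
    $checkA = isset($post['checkA']) ? 1 : 0;
    $checkB = isset($post['checkB']) ? 1 : 0;
    $stmt = $db->prepare(
        "UPDATE opsassessment.assessmentscores SET CheckA = ?, CheckB = ? WHERE AssessmentID = ?"
    );
    $stmt->bind_param('iii', $checkA, $checkB, $id);
    return $stmt->execute();
}
```

The token replaces `$_SESSION["return2"]` as the per-page handle; a form that posts a token this session never issued simply fails `save_step`, which is the behaviour to log rather than silently fall back to the latest report.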
