Re: generate xls file on fly


 



On Thu, Feb 14, 2008 at 9:23 AM, Hiep Nguyen <hiep@xxxxxxxxxx> wrote:
> On Fri, 8 Feb 2008, Per Jessen wrote:
>
> > Hiep Nguyen wrote:
> >
> >> let say that user searched and found 10 records,
> >> in the meantime, other users may change any of these 10 records,
> >> so if we saved mysql statement and re-run mysql statement again, the
> >> result might be different.  to prevent this problem, i only want to
> >> download records that returned on this page only.
> >
> > This is more of a caching issue - then you determine how long you want
> > to keep the results for, and only re-run the mysql query when the
> > results have gone stale.
> >
> >
> > /Per Jessen, Zürich
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
> in the last couple days, i've looked into php $_SESSION and kinda get the
> concept.  my question is can i use $_SESSION to store mysql statement?
> what is the pro/con to store mysql statement in $_SESSION?
> with $_COOKIE, i can use setrawcookie to avoid urlencoding.  is there
> anything similar in $_SESSION?
>
> thanks,
> t. hiep
>
>
You can easily store a SQL statement in $_SESSION since the statement is just a string. Are you asking if you can store the *result* of the statement execution in $_SESSION?
You shouldn't store the SQL statement in cookies. It gives the end user way too much insight into your DB implementation if they can see the actual statement that you will be issuing to the database and it's an even bigger security risk for SQL injection than simply using raw, unescaped form input in a statement without validation! The attacker doesn't even have to think how to create a parameter to escape out of your statement - they can send you "DELETE FROM mysql.user" or any other wonderful thing they like. Granted, your script should not be using a db user account that has privileges to execute such a statement, but that should give you a clue that this would be a VERY bad idea.
URL encoding/decoding isn't really an issue with sessions since the session data is stored internally on the server and does not have to be urlencoded to be sent between the server and the browser in an HTTP header.
Andrew
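
Added example, not part of the original message: one way to export exactly the records a search returned without any SQL text leaving the server. The search stores only the matching ids in the session, and the download step runs a fixed, parameterized statement over them. Assumptions: PDO with an in-memory SQLite database stands in for MySQL, the `records` table and its rows are constructed sample data, and a plain array stands in for $_SESSION so the script runs from the command line.

```php
<?php
// Assumption: SQLite in memory replaces the MySQL server from the thread.
function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO records (name, owner) VALUES ('alpha','hiep'),('beta','per'),('gamma','hiep')");
    return $db;
}

// Search step: user input is a bound parameter; only the matching ids
// are kept, and they are kept server-side in the session.
function search(PDO $db, array &$session, string $owner): array {
    $stmt = $db->prepare('SELECT id, name, owner FROM records WHERE owner = ?');
    $stmt->execute([$owner]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    $session['export_ids'] = array_map('intval', array_column($rows, 'id'));
    return $rows;
}

// Download step: the statement text is fixed in the script. The browser
// sends nothing but its session id, so there is no statement to tamper with.
function export(PDO $db, array $session): string {
    $ids = $session['export_ids'] ?? [];
    if ($ids === []) {
        return '';
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, name, owner FROM records WHERE id IN ($marks) ORDER BY id");
    $stmt->execute($ids);
    $out = fopen('php://memory', 'w+');
    foreach ($stmt->fetchAll(PDO::FETCH_NUM) as $row) {
        fputcsv($out, $row, ',', '"', '\\');
    }
    rewind($out);
    return stream_get_contents($out);
}

$db = makeDb();
$session = [];   // in a web request: session_start() and use $_SESSION
search($db, $session, 'hiep');
// Another user adds a matching record after the search page was shown.
$db->exec("INSERT INTO records (name, owner) VALUES ('delta','hiep')");
echo export($db, $session);   // exports ids 1 and 3 only, not the new row
```

Storing ids pins which records are exported, but their column values are read at download time; to freeze the values as well, store the fetched rows in the session instead of the ids.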
