Posted by Jerry Stuckle on 12/16/54 11:56
Rik wrote:
> Mladen Gogala wrote:
>
>>On Mon, 14 Aug 2006 16:29:56 +0200, Rik wrote:
>>
>>
>>>Well, on a server you're generating and trashing content that didn't
>>>need to be built in the first place. Not necessarily an issue, but a
>>>huge waste of resources, cpu & memory.
>>
>>What is a waste of resources? Which part?
>
>
> You are using memory for buffering that hypothetically could be needed
> elsewhere. True, it's a very low usage, but hey, if there are thousands on
> your site at once, and your server resources are limited, it might shave off
> something.
>
> As long as the code stays readable, why not choose the order & checks that
> will keep the use of memory & CPU to a minimum. Don't overdo it, but if
> either option is OK, why not choose the easiest on the server?
>
>
>>>What's the problem with the following flow?
>>>
>>>1. start session
>>>2. if form is submitted and answer is yes, destroy session and
>>>redirect
>>>3. else show form
>>>
>>>It will produce a lot less overhead.
>>
>>The largest single wait is for an Oracle connection to be
>>established. I want to postpone that for as long as I can and create
>>a connection only
>>if necessary.
>
>
> That has absolutely NOTHING to do with where it is in the script. Surrounded
> by a conditional, it could be anywhere, and never be called when it's not
> necessary.
>
> As I've yet to set up a testserver here to start to check the
> oracle-database, I'll refrain from commenting on the way you use it, but I
> doubt whether this construction is safe (could be wrong though):
>
> $sid = $_POST['sid'];
> $serial = $_POST['serial'];
> $SQL = "alter system disconnect session '$sid,$serial' immediate";
> $rs = $db->Execute($SQL);
>
> Is oracle that well built this isn't wide open to attack?
>
>
>>This script is invoked from a link, and I don't want to
>>kill session or establish connection if someone has accidentally
>>clicked on the link. The full complement of the scripts is available
>>on my page. I'd be grateful if you decide to take a look.
>
>
> Well, I haven't looked at your page yet, but let's just say this rewrite of
> your posted code works perfectly. (which demonstrated further bad coding
> practices like <?=$var ?>, exiting without letting your HTML tags close on
> form completion....). It's made with simple reasoning: if you have to check
> with code what the actual intent of the visitor is, check for the
> fastest/easiest things first.
>
> <?php
> session_start();
> $invoker = $_SESSION['invoker'];
>
> /* I'm not sure what's in here, so I'll put it here:*/
> require_once ('config.php');
>
> /* First check: if $sid is not set, all the rest is useless */
> if(!isset($_REQUEST['sid'])) die("Kill session: sid cannot be empty!");
>
> /* On a cancel the user will also be directed back asap */
> if(isset($_POST['kill']) && strtolower($_POST['kill'])!='yes'){
> header("Location: $invoker");
> exit;
> }
> $sid = $_REQUEST['sid'];
> $serial = $_REQUEST['serial'];
>
> /* a simple check whether we should delete or display the form: */
> if(isset($_POST['kill']) && strtolower($_POST['kill'])=='yes'){
> $DSN = $_SESSION['DSN'];
> /* If you're that worried about your db-connection, let's make a nice
> shutdown: */
> function closedb(){
> global $db;
> $db->close();
> }
> register_shutdown_function('closedb');
>
> $db = NewADOConnection("oci8");
> $SQL = "alter system disconnect session '$sid,$serial' immediate";
> try {
> $db->Connect($DSN['database'], $DSN['username'], $DSN['password']);
> $rs = $db->Execute($SQL);
> $db->close();
> header("Location: $invoker");
> exit;
> }
> catch(Exception $e) {
> die($e->getMessage());
> }
> /* If the user gets here we need to display HTML */
> ?>
> <html>
> <head>
> <title>Kill Session</title>
> </head>
> <body bgcolor="#EFECC7" style="text-align:center">
> <h2>Warning: kill session <?php
> echo $_REQUEST['sid'].', '.$_REQUEST['serial']; ?>?</h2>
> <hr>
> <?php
> /* only now do we need a form, so we require it */
> require_once ('HTML/Form.php');
> $form = new HTML_Form($_SERVER['PHP_SELF'], "POST");
> $form->addSubmit("kill", "Yes");
> $form->addSubmit("kill", "No");
> $form->addHidden('sid', $sid);
> $form->addHidden('serial', $serial);
> $form->display();
> /* we had an exit here, let's not begin to tell you why that's bullshit, and
> even very bad */
> }
> ?>
> </body>
> </html>
>
> This took me about 4 minutes with the code you made (no, I haven't checked
> for typos/copy paste errors). Hell, if you take out the comments and empty
> lines, it's even shorter.
>
> Also, seeing your code my statement:" When using this kind of 'hack' to use
> sessions, possibilities are you use a lot more bad coding practices." has
> proven right. Note this is not a personal attack, it's still only an attack
> on using ob_start() to use sessions/headers, and will now also go on about
> <?= ?> syntax, and a warning to let your HTML tags close if you exit;, unless
> on fatal errors.
>
> If this was alt.html, I'd add that <center> has been deprecated for a very
> long time now, since HTML4.0.....
>
> Grtz,
Better be careful, Rik. You came up with an intelligent argument. He
just might plonk you, too! :-)
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
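The point Rik raises about the `alter system disconnect session '$sid,$serial'` construction is the one worth fixing: `sid` and `serial` come straight from the request and are spliced into the statement. Below is a hardened version of the same kill-session flow, added here as an example (it is not Rik's or Mladen's code); it assumes ADOdb as on the page and that `$_SESSION['DSN']` and `$_SESSION['invoker']` are set as in the posted script, and the helper names are mine.

```php
<?php
// Added example, not Rik's or Mladen's code: the kill-session flow with its
// input handling hardened. Assumes ADOdb (NewADOConnection/Connect/Execute, as
// on the page) and $_SESSION['DSN'] / $_SESSION['invoker'] set by the caller.
session_start();

/* ALTER SYSTEM takes no bind variables, so the only safe way to build this
   statement is to admit nothing but two positive integers. */
function buildKillStatement(array $input): ?string
{
    $opts   = ['options' => ['min_range' => 1]];
    $sid    = filter_var($input['sid'] ?? null, FILTER_VALIDATE_INT, $opts);
    $serial = filter_var($input['serial'] ?? null, FILTER_VALIDATE_INT, $opts);
    if ($sid === false || $serial === false) {
        return null;   // "12,34' ..." or anything non-numeric is rejected
    }
    return sprintf("ALTER SYSTEM DISCONNECT SESSION '%d,%d' IMMEDIATE", $sid, $serial);
}

/* A destructive action must come from our own form, never from a pasted link:
   require POST and a per-session token; hash_equals is constant-time. */
function isConfirmedKill(string $method, array $post, array $session): bool
{
    return $method === 'POST'
        && isset($post['token'], $session['token'])
        && hash_equals($session['token'], (string) $post['token'])
        && strtolower($post['kill'] ?? '') === 'yes';
}

if (empty($_SESSION['token'])) {
    $_SESSION['token'] = bin2hex(random_bytes(32));
}

$sql = buildKillStatement($_REQUEST);
if ($sql === null) {
    http_response_code(400);
    exit('Kill session: sid and serial must be positive integers');
}

if (isConfirmedKill($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION)) {
    $DSN = $_SESSION['DSN'];             // connect only now, as Mladen wanted
    $db  = NewADOConnection('oci8');
    $db->Connect($DSN['database'], $DSN['username'], $DSN['password']);
    $db->Execute($sql);                  // $sql holds only the two validated integers
    header('Location: ' . ($_SESSION['invoker'] ?? '/'));
    exit;
}
/* Otherwise render the confirmation form; it must carry the token and the
   validated sid/serial as hidden fields (HTML omitted here). */
```

The cancel branch and the form rendering are unchanged from the thread's version; only the validation, the POST-plus-token requirement and the deferred connection differ.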