|
|
Posted by Erwin Moller on 02/18/07 11:50
Mitul wrote:
>
> Thanks Erwin,
>
> Can you help me more and suggest some good idea? So I can figure out
> things fast.....
>
> Hope that you will help me...
Well, when I first faced the situation in PHP you are in now (how to check
who is online), I found after a litlle studying that database-storage of
sessions is a good approach.
If you want to do that to, you must do the following:
1) Read up at www.php.net on sessions, mainly the part about own
sessionhandlers.
2) Google a little, at ZEND they have a few examples with code ready-to-go.
(I must warn you that the ZEND code is NOT perfect. It doesn't adres
simultanious requests to the same session as I should). But this code will
surely show you HOW things are handled.
3) Pay attention to the straightforward sessiontable.
It will roughly look like this:
CREATE TABLE tblsession(
sessionid TEXT PRIMARY KEY,
lastaccesdate datetime NOT NULL,
userid INTEGER,
sessiondata TEXT
)
Where:
- sessionid holds an unique value for each session your application creates.
This can simply be the PHP generated PHPSESSID.
- lastaccessdate is a field you update each time you use that session.
- userid is something I added for ease of lookup if a user is online.
(It contains a userid that I don't explain any futher, but you can think up
something that makes sense in your case.)
- sessiondata is the field that actually contains the sessiondata. PHP
delivers the content of this field to you, so you don't have to do the
encoding yourself.
Good luck.
One warning: I saw a lot of bad code on the net regarding databasestorage of
sessions.
Most people tend to forget that the PHPSESSID is dangerous to use straight
in the queries because it comes from a cookie (or URL), and thus from the
client, and thus could not be trusted (SQL-injection).
You'll have to sanitize the PHPSESSID everywhere you use it (and that is
almost everywhere in databasestorage queries for sessions.)
Just call addslashes() if needed. (Or mysql_real_escape(), or whatever suits
your SQL-injection defense strategy.) Even in O'Reilly books I saw that
mistake, and at ZEND too. It seems everybody is collectively forgetting to
sanitize the PHPSESSIONID. :-(
Regards,
Erwin Moller
>
> Regards,
> Mitul Patel.
Navigation:
[Reply to this message]
|