Posted by Mitul on 02/19/07 11:03
Thanks a lot, Erwin.
I am implementing things as per your suggestion. I will let you know if I
have any problem or if I get any success.
Thx,
Mitul Patel.
On Feb 18, 4:50 pm, Erwin Moller
<since_humans_read_this_I_am_spammed_too_m...@spamyourself.com> wrote:
> Mitul wrote:
>
> > Thanks Erwin,
>
> > Can you help me more and suggest some good idea? So I can figure out
> > things fast.....
>
> > Hope that you will help me...
>
> Well, when I first faced the situation in PHP you are in now (how to check
> who is online), I found after a little studying that database storage of
> sessions is a good approach.
>
> If you want to do that too, you must do the following:
> 1) Read up at www.php.net on sessions, mainly the part about your own
> session handlers.
> 2) Google a little, at ZEND they have a few examples with code ready-to-go.
> (I must warn you that the ZEND code is NOT perfect. It doesn't address
> simultaneous requests to the same session as it should). But this code will
> surely show you HOW things are handled.
>
> 3) Pay attention to the straightforward session table.
> It will roughly look like this:
>
> CREATE TABLE tblsession(
> sessionid TEXT PRIMARY KEY,
> lastaccessdate datetime NOT NULL,
> userid INTEGER,
> sessiondata TEXT
> );
>
> Where:
> - sessionid holds a unique value for each session your application creates.
> This can simply be the PHP generated PHPSESSID.
> - lastaccessdate is a field you update each time you use that session.
> - userid is something I added for ease of lookup if a user is online.
> (It contains a userid that I don't explain any further, but you can think up
> something that makes sense in your case.)
> - sessiondata is the field that actually contains the sessiondata. PHP
> delivers the content of this field to you, so you don't have to do the
> encoding yourself.
>
> Good luck.
>
> One warning: I saw a lot of bad code on the net regarding database storage of
> sessions.
> Most people tend to forget that the PHPSESSID is dangerous to use straight
> in the queries because it comes from a cookie (or URL), and thus from the
> client, and thus cannot be trusted (SQL-injection).
> You'll have to sanitize the PHPSESSID everywhere you use it (and that is
> almost everywhere in database storage queries for sessions.)
>
> Just call addslashes() if needed. (Or mysql_real_escape(), or whatever suits
> your SQL-injection defense strategy.) Even in O'Reilly books I saw that
> mistake, and at ZEND too. It seems everybody is collectively forgetting to
> sanitize the PHPSESSIONID. :-(
>
> Regards,
> Erwin Moller
>
>
>
> > Regards,
> > Mitul Patel.
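Below is an added example, written for this page and not code from Erwin, Mitul or ZEND, of the database-backed session handler the thread describes: the table is the one from the post (with the column spelled lastaccessdate to match the explanation), plus the "is this user online" lookup the userid column exists for. Where Erwin suggests addslashes() or mysql_real_escape(), this example instead binds the client-supplied PHPSESSID through PDO prepared statements, so the id never becomes part of the SQL text, and additionally rejects ids that do not match the character set PHP itself generates. It assumes PHP 8.1 or later with PDO against MySQL/MariaDB (REPLACE INTO also works on SQLite); the DSN, credentials and the $_SESSION['userid'] key are placeholders.

```php
<?php
// Added example, not from the original thread. Assumed schema (from the post):
//   CREATE TABLE tblsession (
//     sessionid      VARCHAR(128) PRIMARY KEY,
//     lastaccessdate DATETIME NOT NULL,
//     userid         INTEGER NULL,
//     sessiondata    TEXT
//   );

class DbSessionHandler implements SessionHandlerInterface
{
    // $ttl: seconds of inactivity after which a session no longer counts as "online".
    public function __construct(private PDO $db, private int $ttl = 1800) {}

    // PHP-generated session ids only ever contain these characters. Rejecting
    // anything else is defence in depth on top of the prepared statements below.
    private static function validId(string $id): bool
    {
        return (bool) preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id);
    }

    private function cutoff(int $seconds): string
    {
        return date('Y-m-d H:i:s', time() - $seconds);
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        if (!self::validId($id)) {
            return '';
        }
        // The id is bound as a parameter, never concatenated into the query.
        $stmt = $this->db->prepare(
            'SELECT sessiondata FROM tblsession
              WHERE sessionid = :id AND lastaccessdate >= :cutoff');
        $stmt->execute([':id' => $id, ':cutoff' => $this->cutoff($this->ttl)]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? (string) $row['sessiondata'] : '';
    }

    public function write(string $id, string $data): bool
    {
        if (!self::validId($id)) {
            return false;
        }
        // $data is already serialized by PHP; userid is copied out of $_SESSION
        // (assumed key) so "who is online" is a cheap lookup on its own column.
        $userid = isset($_SESSION['userid']) ? (int) $_SESSION['userid'] : null;
        $stmt = $this->db->prepare(
            'REPLACE INTO tblsession (sessionid, lastaccessdate, userid, sessiondata)
             VALUES (:id, :now, :userid, :data)');
        return $stmt->execute([
            ':id' => $id, ':now' => $this->cutoff(0), ':userid' => $userid, ':data' => $data,
        ]);
    }

    public function destroy(string $id): bool
    {
        if (!self::validId($id)) {
            return false;
        }
        $stmt = $this->db->prepare('DELETE FROM tblsession WHERE sessionid = :id');
        return $stmt->execute([':id' => $id]);
    }

    // Garbage collection: drop rows PHP's session.gc_maxlifetime considers expired.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM tblsession WHERE lastaccessdate < :cutoff');
        $stmt->execute([':cutoff' => $this->cutoff($max_lifetime)]);
        return $stmt->rowCount();
    }

    // The lookup the thread is after: a user is online when some session
    // carrying their userid was touched within the last $ttl seconds.
    public function isUserOnline(int $userid): bool
    {
        $stmt = $this->db->prepare(
            'SELECT COUNT(*) FROM tblsession
              WHERE userid = :userid AND lastaccessdate >= :cutoff');
        $stmt->execute([':userid' => $userid, ':cutoff' => $this->cutoff($this->ttl)]);
        return (int) $stmt->fetchColumn() > 0;
    }
}

// Wiring it up (DSN and credentials are placeholders).
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
$handler = new DbSessionHandler($pdo);
session_set_save_handler($handler, true);
session_start();
```

Note that this handler does nothing about the simultaneous-request problem Erwin mentions for the ZEND code: two overlapping requests for the same session will both read, then both write, and the last write wins. If that matters for the application, read() would need to take a row lock (for example SELECT ... FOR UPDATE inside a transaction that write() commits), at the cost of serialising requests per session.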