Reply to Re: headers sent issue

Posted by Rik on 12/17/80 11:55

Mladen Gogala wrote:
> On Mon, 14 Aug 2006 16:29:56 +0200, Rik wrote:
>
>> Well, on a server you're generating and trashing content that didn't
>> need to be built in the first place. Not necessarily an issue, but a
>> huge waste of resources, cpu & memory.
>
> What is a waste of resources? Which part?

You are using memory for buffering that hypothetically could be needed
elsewhere. True, it's a very low usage, but hey, if there are thousands on
your site at once, and your server resources are limited, it might shave off
something.

As long as the code stays readable, why not choose the order & checks that
will keep the use of memory & CPU to a minimum. Don't overdo it, but if
either option is OK, why not choose the easiest on the server?

>> What's the problem with the following flow?
>>
>> 1. start session
>> 2. if form is submitted and answer is yes, destroy session and
>> redirect
>> 3. else show form
>>
>> It will produce a lot less overhead.
>
> The largest single wait is for an Oracle connection to be
> established. I want to postpone that for as long as I can and create
> a connection only
> if necessary.

That has absolutely NOTHING to do with where it is in the script. Surrounded
by a conditional, it could be anywhere, and never be called when it's not
necessary.

As I've yet to set up a test server here to start to check the
oracle-database, I'll refrain from commenting on the way you use it, but I
doubt whether this construction is safe (could be wrong though):

$sid = $_POST['sid'];
$serial = $_POST['serial'];
$SQL = "alter system disconnect session '$sid,$serial' immediate";
$rs = $db->Execute($SQL);

Is Oracle that well built that this isn't wide open to attack?

> This script is invoked from a link, and I don't want to
> kill session or establish connection if someone has accidentally
> clicked on the link. The full complement of the scripts is available
> on my page. I'd be grateful if you decide to take a look.

Well, I haven't looked at your page yet, but let's just say this rewrite of
your posted code works perfectly. (which demonstrated further bad coding
practices like <?=$var ?>, exiting without letting your HTML tags close on
form completion....). It's made with simple reasoning: if you have to check
with code what the actual intent of the visitor is, check for the
fastest/easiest things first.

<?php
session_start();
$invoker = $_SESSION['invoker'];

/* I'm not sure what's in here, so I'll put it here: */
require_once ('config.php');

/* First check: if $sid is not set, all the rest is useless */
if(!isset($_REQUEST['sid'])) die("Kill session: sid cannot be empty!");

/* On a cancel the user will also be directed back asap */
if(isset($_POST['kill']) && strtolower($_POST['kill'])!='yes'){
    header("Location: $invoker");
    exit;
}
$sid = $_REQUEST['sid'];
$serial = $_REQUEST['serial'];

/* a simple check whether we should delete or display the form: */
if(isset($_POST['kill']) && strtolower($_POST['kill'])=='yes'){
    $DSN = $_SESSION['DSN'];
    /* If you're that worried about your db-connection, let's make a nice
       shutdown: */
    function closedb(){
        global $db;
        $db->close();
    }
    register_shutdown_function('closedb');

    $db = NewADOConnection("oci8");
    $SQL = "alter system disconnect session '$sid,$serial' immediate";
    try {
        $db->Connect($DSN['database'], $DSN['username'], $DSN['password']);
        $rs = $db->Execute($SQL);
        $db->close();
        header("Location: $invoker");
        exit;
    }
    catch(Exception $e) {
        die($e->getMessage());
    }
} else {
/* If the user gets here we need to display HTML */
?>
<html>
<head>
<title>Kill Session</title>
</head>
<body bgcolor="#EFECC7" style="text-align:center">
<h2>Warning: kill session <?php
/* escape the request values before echoing them into the page */
echo htmlspecialchars($_REQUEST['sid'].', '.$_REQUEST['serial']); ?>?</h2>
<hr>
<?php
    /* only now do we need a form, so we require it */
    require_once ('HTML/Form.php');
    $form = new HTML_Form($_SERVER['PHP_SELF'], "POST");
    $form->addSubmit("kill", "Yes");
    $form->addSubmit("kill", "No");
    $form->addHidden('sid', $sid);
    $form->addHidden('serial', $serial);
    $form->display();
    /* we had an exit here, let's not begin to tell you why that's bullshit, and
       even very bad */
}
?>
</body>
</html>

This took me about 4 minutes with the code you made (no, I haven't checked
for typos/copy-paste errors). Hell, if you take out the comments and empty
lines, it's even shorter.

Also, seeing your code my statement: "When using this kind of 'hack' to use
sessions, possibilities are you use a lot more bad coding practices." has
proven right. Note this is not a personal attack, it's still only an attack
on using ob_start() to use sessions/headers, and will now also go on about
<?= ?> syntax, and a warning to let your HTML tags close if you exit;, unless
on fatal errors.

If this was alt.html, I'd add that <center> has been deprecated for a very
long time now, since HTML4.0.....

Grtz,
--
Rik Wasmus
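
The concern raised above about '$sid,$serial' being interpolated into the statement, as an added example that is not part of the original post: Oracle does not accept bind variables in DDL such as ALTER SYSTEM, so the practical defence is a strict allowlist on both values before the string is built. The function names and the 10-digit bound are assumptions made for this sketch; the sample inputs are constructed.

```php
<?php
/* Added example: allowlist validation for the two values that end up
   inside the ALTER SYSTEM statement. Function names are hypothetical. */

/* Accept only a string of 1-10 ASCII digits (the length bound is an
   assumption). \A and \z anchor the whole value, so a trailing newline
   cannot slip past the way it can with "$". */
function session_id_part($value) {
    if (!is_string($value) || !preg_match('/\A[0-9]{1,10}\z/', $value)) {
        return null;
    }
    return $value;
}

/* Build the statement only from validated parts; null means "reject". */
function build_kill_sql($sid, $serial) {
    $sid    = session_id_part($sid);
    $serial = session_id_part($serial);
    if ($sid === null || $serial === null) {
        return null;
    }
    return "alter system disconnect session '$sid,$serial' immediate";
}

/* Constructed sample inputs, standing in for $_POST['sid'] and
   $_POST['serial'] as they would arrive from the form. */
$samples = array(
    array('142', '5731'),          // well-formed pair
    array("142'", '5731'),         // stray quote would close the literal
    array('142', ''),              // missing serial
    array("142\n", '5731'),        // trailing newline
    array(array('142'), '5731'),   // sid[]=142 arrives as an array
);

foreach ($samples as $pair) {
    list($sid, $serial) = $pair;
    $sql = build_kill_sql($sid, $serial);
    echo ($sql === null ? "REJECTED " : "OK       ") . json_encode($pair) . "\n";
    if ($sql !== null) {
        echo "  -> $sql\n";
    }
}
```

Only the first pair produces a statement; the other four are rejected before any database connection would be opened.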
