Is it safe to store the value in a session variable and make queries on the value?

I have a website where the username is stored in a session variable at login. I am wondering whether it is possible to make queries using the value stored in this session variable?

+3
5 answers

Yes, the session is stored on the server side.

Instead of saving the username, you can save the user ID (int) so that it takes up less server space. Remember that you must handle CSRF and session hijacking.

+6


In fact, it's safe to use any variable in an SQL query if you follow the syntax and security rules.

And the data source has nothing to do with it. Regardless of whether it is a session or a file, or an RPC request or POST data: all data is equal for the query and should always be processed the same way.

I know this is hard to understand, but it is very important, so at least give it a try.

+1
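An added example (not code from any of the answerers) of the point made in the last answer: the session-held username is bound as a query parameter exactly as a form field would be, and the concatenated variant breaks even on a legitimate server-side value. It assumes Python with an in-memory sqlite3 table standing in for the site's user table; the `session` dict is a constructed stand-in for the real session store.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the site's user table (two sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (id, username, email) VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "o'brien", "ob@example.com")],
    )
    return conn


def email_for_session(conn: sqlite3.Connection, session: dict):
    """Look up the logged-in user's e-mail from the username held in the session.

    The value lives in server-side session storage, but it is still passed as a
    bound parameter: where the data came from does not change how it is handled.
    """
    row = conn.execute(
        "SELECT email FROM users WHERE username = ?", (session["username"],)
    ).fetchone()
    return row[0] if row else None


def email_for_session_by_id(conn: sqlite3.Connection, session: dict):
    """Same lookup keyed on the integer user ID the second answer suggests storing."""
    row = conn.execute(
        "SELECT email FROM users WHERE id = ?", (session["user_id"],)
    ).fetchone()
    return row[0] if row else None


def concatenated_lookup(conn: sqlite3.Connection, session: dict):
    """The pattern to avoid: splicing the session value into the SQL text.

    Even a trusted value that merely contains an apostrophe breaks the statement,
    which is the symptom that shows the query and the data are no longer separate.
    """
    sql = f"SELECT email FROM users WHERE username = '{session['username']}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return f"query failed: {exc}"
    return row[0] if row else None
```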

Source: https://habr.com/ru/post/1792612/
