General advice request on method

         

Orangutang

9:43 am on Jul 16, 2010 (gmt 0)

10+ Year Member



Hi

Could someone confirm I'm heading in the right direction, would I be correct to say the following:

One of the most common tasks a php enabled site will do is retrieve information from the db which is filtered for that user.

Surely most sites need this functionality. If you buy from amazon you see the books that only you have bought.

And the best way to do this is to create a session var for that user by which you can filter the query so only show their orders.

I know there's pass data via URL but visibility in the browser negates some uses.

Is what I've written correct?

Many thanks

Matthew1980

10:38 am on Jul 16, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi there Orangutang,

>>And the best way to do this is to create a session var for that user by which you can filter the query so only show their orders.

Sounds about right to me, though you would need to have the ability to have the "remember me" functionality should they close their browser or come back after a few days, but you should specify that this option is not good on shared computers ;)

So $_SESSION and optionally $_COOKIE, I use $_SESSION to get usernames & see where a user is in relation to a site map etc...

Where you can try not to pass too much info, especially sensitive stuff through the URL, personally $_SESSION seems more secure and easier to use.

Don't forget though, that $_SESSION only lasts for around 25 mins (but you can change that using ini_set()) once the user has left your website.

Cheers,
MRb
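The pattern Orangutang describes and Matthew confirms (a server-side session variable that drives the per-user filter), written out as an added example that is not code from this thread. It assumes PHP 7.3+ with PDO, a `users` table (id, username, password_hash) and an `orders` table (id, user_id, total, created_at); those table and column names are assumptions. The session settings at the top are the ones that keep the PHPSESSID cookie as the only carrier of the session id.

```php
<?php
// Added example, not code from this thread: filter a user's orders by the user id held
// in $_SESSION, never by an id taken from the URL. Assumes PHP 7.3+ with PDO, and a
// `users` table (id, username, password_hash) plus an `orders` table
// (id, user_id, total, created_at); those table and column names are assumptions.

declare(strict_types=1);

// Harden the session cookie before the session starts.
ini_set('session.use_only_cookies', '1');  // ignore a session id passed in the query string
ini_set('session.use_strict_mode', '1');   // do not adopt ids the server never issued
ini_set('session.cookie_httponly', '1');   // keep PHPSESSID out of reach of page scripts
ini_set('session.cookie_secure', '1');     // send the cookie over HTTPS only
ini_set('session.cookie_samesite', 'Lax');
ini_set('session.gc_maxlifetime', '1800'); // idle lifetime in seconds; PHP's default is 1440
session_start();

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // Issue a fresh session id when the privilege level changes, so an id that
    // existed before login (session fixation) cannot carry the logged-in state.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user['id'];
    return true;
}

function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

/** Orders belonging to the logged-in user only; an empty list when nobody is logged in. */
function ordersForCurrentUser(PDO $db): array
{
    $userId = currentUserId();
    if ($userId === null) {
        return [];
    }
    // The filter value comes from the server-side session, not from $_GET or $_POST,
    // and the query is parameterised, so a visitor cannot rewrite it to read other
    // customers' orders.
    $stmt = $db->prepare(
        'SELECT id, total, created_at FROM orders WHERE user_id = ? ORDER BY created_at DESC'
    );
    $stmt->execute([$userId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 86400, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Stand-alone demo from the command line, using an in-memory SQLite database and
// constructed sample rows (two customers, three orders).
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, total REAL, created_at TEXT)');
    $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('alice-pw', PASSWORD_DEFAULT)]);
    $ins->execute(['bob', password_hash('bob-pw', PASSWORD_DEFAULT)]);
    $db->exec("INSERT INTO orders (user_id, total, created_at) VALUES
               (1, 19.99, '2010-07-15'), (1, 5.00, '2010-07-16'), (2, 42.00, '2010-07-16')");

    $wrongPassword = login($db, 'alice', 'wrong');
    $loggedIn      = login($db, 'alice', 'alice-pw');
    $aliceOrders   = ordersForCurrentUser($db);   // alice's rows only, never bob's
    logout();
    $afterLogout   = ordersForCurrentUser($db);   // nobody logged in: empty list
    var_dump($wrongPassword, $loggedIn);
    print_r($aliceOrders);
    print_r($afterLogout);
}
```

Run it with `php orders.php` to see the two customers kept apart. The point to take from it is that the user id used in the WHERE clause is never something the visitor typed or bookmarked; it is written into the session once, after the password check, and the session id that names that state travels only in the cookie. A "remember me" feature, if added, should set its own separate long-lived token cookie rather than lengthening `session.gc_maxlifetime` for everyone.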

Orangutang

10:51 am on Jul 16, 2010 (gmt 0)

10+ Year Member



Hi Matt,

Thanks for the advice, at least I know what I'm trying to do is correct even if the way I'm trying to do it isn't yet :-)

If you've got time I don't suppose you could be a mate and check out my reply to your reply on last night's post. I wrote my reply this morning:

Q - Logged in session user to filter return from table- 10:39 am on July 16, 2010

Many thanks

rocknbil

5:45 pm on Jul 16, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm not sure I fully understand the reasons behind the question, but a bit of info you need to be aware of here:

>>And the best way to do this is to create a session var for that user by which you can filter the query so only show their orders.


In review of the below, you may understand it's not so much "the best" way but "most convenient" and still has areas in which it may break.

>>I know theres pass data via url but visibility in the browser negates some uses.


How so? Query strings are always reliable.

You need to know that sessions are inherently cookie based. When you start a session, the PHPSESSID cookie is set in the browser. Try it sometime, start a session, then look for and delete your PHPSESSID cookie. Your session will be gone.

You can inherently fall back on the query string if a cookie cannot be set

script.php?PHPSESSID=1234567890

but most programmers don't do this. This demonstrates two things: query strings will always be more reliable than cookies, and sessions are only as good as cookies or the programmer with the foresight to build in degradation without cookie support.

I know this seems to be an esoteric point for most people, but more and more users are being hacked. Once this happens, they go into total paranoia mode. They don't understand the technology, and learn to fear everything, disabling cookies, Javascript, Flash, and anything else someone tells them will protect them. Additionally, many devices - search engines among them - can't execute Javascript, Flash, and don't support cookies. While saying "that's only .001% of our visitors" gets it off your desk, that .001% adds up to a lot of people and a lot of money, and their dollars are as good as anyone else's.

So yes, while sessions are the most common and convenient way, you always, always, always have to include Murphy's Law into anything you do.
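rocknbil's point is that a session is only as good as the cookie that carries it, and that most code never checks whether the cookie made it back. The added example below (not code from this thread) takes the other branch from the `script.php?PHPSESSID=...` fallback: it tells PHP to accept the session id from the cookie only, then uses a single redirect to learn whether the browser returns cookies, so cookie-less visitors and crawlers get a normal page with per-user features withheld instead of a broken session or an id in the URL (where it would also end up in browser history, Referer headers and server logs). It assumes PHP 7.3+; the `cookiecheck` parameter name and the messages are choices made for this example.

```php
<?php
// Added example, not code from this thread: learn whether the browser returns cookies
// before relying on $_SESSION, and turn off PHP's fallback of carrying PHPSESSID in the
// URL. Assumes PHP 7.3+; the `cookiecheck` query parameter name and the messages are
// choices made for this example.

declare(strict_types=1);

ini_set('session.use_only_cookies', '1'); // a PHPSESSID in the query string is ignored
ini_set('session.use_trans_sid', '0');    // PHP never rewrites links or forms to carry it
ini_set('session.use_strict_mode', '1');  // an id the server did not issue is replaced
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Lax');

/**
 * Classify a request from what the browser sent back.
 *   'accepted'  the session cookie came back, so $_SESSION will persist
 *   'untested'  first visit: the cookie has only just been set, nothing known yet
 *   'rejected'  we already bounced the browser once and it still sent no cookie
 */
function cookieState(array $cookies, array $query, string $cookieName): string
{
    if (isset($cookies[$cookieName])) {
        return 'accepted';
    }
    return isset($query['cookiecheck']) ? 'rejected' : 'untested';
}

/** Same script, same query string, plus the marker that says "we asked once already". */
function cookieCheckUrl(string $scriptPath, array $query): string
{
    $query['cookiecheck'] = '1';
    return $scriptPath . '?' . http_build_query($query);
}

if (PHP_SAPI !== 'cli') {
    session_start(); // on the first visit this is what sets the cookie
    switch (cookieState($_COOKIE, $_GET, session_name())) {
        case 'untested':
            // One round trip to see whether the cookie comes back. Built from
            // SCRIPT_NAME rather than a user-supplied URL, so it cannot redirect elsewhere.
            header('Location: ' . cookieCheckUrl($_SERVER['SCRIPT_NAME'], $_GET), true, 302);
            exit;
        case 'rejected':
            // Cookie-less visitor (privacy settings, or a crawler): public pages still
            // render; only per-user features are withheld, and there is no second redirect.
            echo 'Sign-in needs cookies enabled for this site; browsing works without them.';
            break;
        case 'accepted':
            // Safe to keep per-user state such as $_SESSION['user_id'] here.
            break;
    }
}

// Command-line check of the classifier with constructed request data.
if (PHP_SAPI === 'cli') {
    var_dump(cookieState(['PHPSESSID' => 'abc'], [], 'PHPSESSID'));   // cookie came back
    var_dump(cookieState([], [], 'PHPSESSID'));                       // first visit
    var_dump(cookieState([], ['cookiecheck' => '1'], 'PHPSESSID'));   // bounced once, still no cookie
    var_dump(cookieCheckUrl('/account.php', ['page' => '2']));
}
```

Two things worth knowing before dropping this in: a link that already carries `cookiecheck=1` reads as `rejected` on its very first visit, which is harmless because the next request with the cookie flips it to `accepted`; and a crawler that never sends cookies follows exactly one redirect and then gets the page, so there is no loop for it to give up on. This is the degradation rocknbil asks for, without reintroducing the session id into the URL.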

Matthew1980

6:06 pm on Jul 16, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi there rocknbil,

Yes, good point(s) well made there, I must admit though I do pass session data through the URL sometimes, as $_GET'ing info is an easier way to do things (it's set and there, you may as well use it ;)), but when I do this, I .htaccess/mod_rewrite to make the url search engine friendly & partly to conceal the technology behind the request.

But I have since learnt that even doing that doesn't hide detail for the more advanced would-be hacker - if they want to find something they can and will.

Yes, I noticed a good while back that PHPSESSID was logged in my cookie list, and when I deleted it thinking "I don't recall setting that", the current session I had been working on was gone.

Cheers,
MRb

Orangutang

7:11 pm on Jul 16, 2010 (gmt 0)

10+ Year Member



Thanks guys, your advice is extremely useful. I would like to build the site with a professional php structure and implementation. All your advice is perfect.

I think I may get back to the books for a bit, I have at least learnt what I don't know!

Thanks again