[RESOLVED] question about session_destroy();

nine72

Ok, i am sure that this is an easy question...

I have a set of forms, that a user will go through again and again and again.
My question is this

I am storing the form input in the session var. When the information is submitted and if they receive a successful insert responce I want to blowout the existing session and start a new. If using session_destroy(); is it possible to destroy only the information of the form fields and NOT the user login info ie uid pass and a auth key that is generated when they login...

Oh, and is there anyone out there that does code review...that is not necessarily cheap but inexpensive?

Thanks

bradgrafelman

nine72 wrote:
f using session_destroy(); is it possible to destroy only the information of the form fields and NOT the user login info ie uid pass and a auth key that is generated when they login

session_destroy() isn't selective; as the manual says, it destroys all data in the session. If you wanted to only destroy a portion, you could store all relevant data in an array, such as $SESSION['form_data'], and then at the end you'd simply [man]unset/man that one array element of the $SESSION array, effectively "destroying" the form data while preserving the rest of the session.

nine72 wrote:
Oh, and is there anyone out there that does code review

While you're not guaranteed to be talking to professionals, there is a Code Critique forum here at PHPBuilder you could utilize.

nine72

bradgrafelman thanks for the great reply!!

So if I am following this correctly...

So do something like...

	function StripSpecChar($val) {
	return (preg_replace('/[^a-zA-Z0-9" "-.@]/','', $val));
	}
            foreach ($_POST as $key => $val) { 
            $_SESSION[$key] = StripSpecChar($val); 

        // Generate XML String

then do something like...

unset($session, $this1, $this2, $this3, etc...);

for all 689 form fields...when I toss the user to successfull insert page.

and simply leave out the $log_key where I have the UID, PAS and id key encrypted.

yes no maybe

bradgrafelman

No, something like this:

            foreach ($_POST as $key => $val) {
            $_SESSION['form_data'][$key] = StripSpecChar($val);

Then, to kill it, you'd simply do:

unset($_SESSION['form_data']);

nine72

Thanks again, however, looking at what I am generating over the span of the 20 or so form pages is that everything is within the "form_data" and therefor it is all being unset...

suguestions?

My goal was to store info in a temp mySql db but I am at the top layer of a 3 tier and the security Gods will not let me do so...is rather complex and perplexing at the same time...

Thanks again for the assist.

bradgrafelman

Sorry... I don't understand your last post. You're trying to temporarily store all data submitted via multiple forms, and at the end of the forms when you process the data you want to clear all form data but keep the other session data?

nine72

Actually you are correct…

Let me see if I can expand what this actually is…

This “app” is used to gather new client information and populate a db. The network is in 3 tiers since this is web based it is on the top tier.
Due to the rules of my industry the top tier can not talk to the 3rd tier so I have to go through a middleware app that actually talks to the db. Also, being on the top tier I can not have a db of any sort. So this is what I have going on…

20 forms (number of forms dependant on what is entered on the previous form)
600+ fields (again not all used but could be)
Form access based on user groups and access control (Auth db at 3rd tier)

So I have to gather and store the information from the forms, in this case in the session.
So as a user fills out the forms each field is set in the session, then on the commit action I call this massive xml generator (4000+ lines) to build the xml string to send the info to the middleware app, that intern, checks for errors, business logic, and writes to the db on the 3rd tier. At that time it gives me a successful insert xml string back, I put up a completion page with some info that the user needs to print. They then have the option to add another client, or quit. In ether case, I need to dump the session and the information stored.

Now all that to get to the actual issue of when using destroy_session() it does what it should but I loose the users log_key that lets the system know what agent has entered this client. The log_key is used as part of the insert so that if the agent needs to look at their clients they only see their clients. The log_key is generated at the time of login based on the uid, agent, and branch id encrypted in an md5 and then 3dez.

The unset() is a great idea, but am not sure how to implement it and

 $_SESSION[‘form_data’][$key]

looks like it would work quite well if I can figure out how to use across the forms since each form field I need to do a

 value=" print $_SESSION[‘value_name’]; "

so if they step back the form auto fills with the values of that field….

Again, I have it working with just storing it all in the session but just no way to retain the log_key when we get to the end of the process where I have to kill the session id and the session information.

Whew…If just reading that is painful try having to build to it….ha-ha

nine72

Well this may all have been for not.
I have a meeting with the network and security people in the morning to once again argue my case for at least ONE database to handle the infromation being entered...

IF it goes well will close this Thread...

Thanks for the views and assistance...