Page 312 - Beginning PHP 5.3
Part III: Using PHP in Practice
Because you know that the start field will only ever contain digits, there's no need to URL-encode the values in this situation. However, if there's any chance that your field values might contain reserved characters, you should use urlencode() or http_build_query() as discussed earlier in the chapter.
Working with Cookies
So far you've looked at query strings and, in the previous chapter, hidden form fields as ways to preserve an application's state between browser requests. Though perfectly adequate for small amounts of temporary data, these techniques become unwieldy when you need to store larger amounts of data for longer periods of time. For example, say you wanted to allow each user to choose a font size for displaying the text on your Web site. Once the user had chosen the size, you'd need to pass this value — whether in a hidden form field or in a query string — between every single page request on the Web site, so that your application could read the value and set the font size for each page. Clearly this would be arduous to implement.
Cookies are a somewhat more sophisticated approach to this problem. A cookie lets you store a small amount of data — no more than 4KB — within the user's browser itself. Then, whenever the browser requests a page on your Web site, all the data in the cookie is automatically sent to the server within the request. This means that you can send the data once to the browser, and the data is automatically available to your script from that moment onward.
You can make a cookie last for a fixed amount of time — anywhere from a few seconds to several years if you like — or you can set a cookie to expire once the browser application is closed. Most modern browsers can store up to 30 cookies per Web site domain.
Although cookies are somewhat more secure than using query strings — for example, a browser will (by default) only send cookies back to the Web site that created them — they are still easy for attackers to tamper with. Therefore you shouldn't rely on the data in cookies alone to identify or authenticate your users. Furthermore, it's easy to turn off cookie support in most browsers, and many folks do so. This means that your Web site shouldn't rely on cookies for essential functionality — or, if it does, it should prompt the user to enable cookies for your Web site if necessary.
However, if you need to store non-critical data, such as user preferences, on an ongoing basis, then cookies are a useful tool.
Here's a tip: most browsers let you view, as well as delete, any cookies stored by the browser. This can be very useful for debugging your cookie-based scripts. For example, in Firefox choose Edit > Preferences (Firefox > Preferences on the Mac), then choose Privacy and click the Show Cookies button.
Cookie Components
A cookie is sent from the server to the browser as part of the HTTP headers. Here's an example of an HTTP header to create a cookie:
Set-Cookie: fontSize=3; expires=Tuesday, 6-Jan-2009 17:53:08 GMT; path=/; domain=.example.com; HttpOnly
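The following added example (not from the book) produces a cookie with the same components as the Set-Cookie header above using PHP's setcookie(), and then reads the value back from $_COOKIE. Because the text notes that cookie data is easy to tamper with, the read side treats the value as untrusted input; the allowed range of font sizes (1 to 7) and the 30-day lifetime are assumptions made for this example.

```php
<?php
// Send the fontSize cookie with the components shown in the Set-Cookie header:
// expires, path=/, domain=.example.com and HttpOnly. Must be called before
// any output, because cookies travel in the HTTP headers.
function sendFontSizeCookie($size)
{
    $expires = time() + 30 * 24 * 60 * 60;   // 30 days (assumed lifetime)
    // 6th argument: Secure flag (false here so the example works over plain HTTP)
    // 7th argument: HttpOnly, so client-side script cannot read the cookie
    return setcookie('fontSize', (string) $size, $expires, '/', '.example.com', false, true);
}

// The browser (or anyone controlling it) decides what comes back in the cookie,
// so validate it like any other user input: a single digit from 1 to 7,
// falling back to the default for anything else.
function currentFontSize(array $cookies, $default = 3)
{
    if (!isset($cookies['fontSize'])) {
        return $default;                     // no cookie: user never chose a size
    }
    $raw = $cookies['fontSize'];
    if (!is_string($raw) || !preg_match('/^[1-7]$/', $raw)) {
        return $default;                     // tampered or malformed value
    }
    return (int) $raw;
}

// Preference form handler: validate the submitted size before storing it.
if (isset($_POST['fontSize'])) {
    $chosen = currentFontSize(array('fontSize' => $_POST['fontSize']));
    sendFontSizeCookie($chosen);
}

// Every page: read the size the browser sent back and apply it.
// $fontSize is an int, so it is safe to place in the markup.
$fontSize = currentFontSize($_COOKIE);
echo '<body class="font-size-' . $fontSize . '">';
```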