On Tuesday, November 25, 2003, at 06:25 AM, anders thoresson wrote:


For the most part, yes, it is fine. Because session variables are
maintained on the server, many risks are not a concern.

Ok. So it's more or less safe, at least as long as the server is locked down. But someone, on this list or somewhere else, I don't remember, pointed out that if my site gets a lot of visitors, loading username, password and hostname for MySQL-connections in session variables causes a lot of overhead.

Actually, I said it didn't make sense. Logically, I see NO REASON why MySQL connection information (something common to all users of the site) would be stored multiple times (once for each user) as a session variable. Yes, it's a lot of overhead, but that wasn't my point... it just doesn't make sense.


Additionally,

- if you were to periodically change your passwords (a good idea), all current sessions would have invalid connection info.
- if you've slipped up somewhere and accidentally dump your session data to screen (a print_r() debug for example), you'll make those details very public, very quick
- if a user can't maintain a session (no cookies for example), they can't access the databases



So: What's the best way - in terms of security AND performance - to store and access username, password and hostname for my MySQL connections?

<?php include('protected/directory/mysql_connect.inc'); ?>

Simple.

Is it the fastest? Is it the most secure? No idea -- but it makes a truckload more sense than storing it in a session. MySQL connection information has nothing to do with each individual user.


Justin French


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
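
The two failure modes listed in the reply (stale connection info after a password change, and credentials exposed by a session dump), shown next to the single-include approach. This is an added example, not code from the original post; the host, user, passwords, session contents and temp-file path are constructed, and the helper names are hypothetical.

```php
<?php
// Added example, not from the original post. All values are constructed;
// a temp file stands in for protected/directory/mysql_connect.inc.

// Write the one shared settings file that every request includes.
function write_db_config(string $path, string $pass): void
{
    $cfg = ['host' => 'db.example.internal', 'user' => 'app', 'pass' => $pass];
    file_put_contents($path, '<?php return ' . var_export($cfg, true) . ';');
    chmod($path, 0600); // readable by the owning account only
}

// Load the settings for the current request; nothing goes into the session.
function load_db_config(string $path): array
{
    $cfg = include $path;
    if (!is_array($cfg) || !isset($cfg['host'], $cfg['user'], $cfg['pass'])) {
        throw new RuntimeException("bad DB config in $path");
    }
    return $cfg;
}

// List session keys that look like connection details, so a debug dump
// (print_r and friends) can be refused while any are present.
function credential_keys(array $session): array
{
    $pattern = '/(pass|pwd|db_?user|db_?host)/i';
    return array_values(preg_grep($pattern, array_keys($session)));
}

$path = tempnam(sys_get_temp_dir(), 'dbcfg');
write_db_config($path, 'old-secret');

// Approach questioned in the thread: each session carries its own copy.
$session_bad = ['visitor' => 'anders', 'db_pass' => load_db_config($path)['pass']];
// Approach from the reply: the session holds per-user data only.
$session_good = ['visitor' => 'anders'];

write_db_config($path, 'new-secret'); // periodic password change

$current = load_db_config($path)['pass'];
$stale = $session_bad['db_pass'] !== $current;
printf("session copy is stale: %s\n", var_export($stale, true));
printf("credential keys, copy in session: %s\n",
    implode(',', credential_keys($session_bad)) ?: 'none');
printf("credential keys, include only: %s\n",
    implode(',', credential_keys($session_good)) ?: 'none');
unlink($path);
```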


