On Wed, Jul 22, 2009 at 8:36 AM, Ashley
Sheridan<a...@ashleysheridan.co.uk> wrote:
> But *how* does it offer more security? You've not actually mentioned
> that!

One way would be to encapsulate data access in stored procedures and
deny direct table access on the session data. That way, even though
the PHP account has access to the database where all sessions are
stored, it can only call a ReadSession procedure that requires the
session_id() as a parameter. That way, PHP would have to know the ID
of the session and could not simply SELECT * FROM sessions.

However, I haven't found many examples that use stored procedures.
Most just use regular INSERT/SELECT/UPDATE/DELETE statements, which
means that the PHP user has full access to the entire table. In that
case, it's no more trivial to scan the session table than it is to
scan the session save path looking for interesting stuff.


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to