On 11/29/2011 7:40 AM, Nilesh Govindarajan wrote:
On Tue 29 Nov 2011 01:34:08 PM IST, Andreas wrote:

is threre a most advisble way to store db-passwords of an open
As far as I get it, a common login strategy is to let the user login
by name&password, check it, store a login=TRUE as php-session variable
and later use a common dbuser+pw to query data provided "login" is TRUE.

This way one wouldn't have to store the users pw or actually the user
wouldn't have a real db-account but rather an application account.

Is this really better or equal than using real db-accounts?

Should I rather store the db-credentials in a session or cookies?

Session is vulnerable as any host-user could look into /tmp.
This would generally be a trusted few though.

On the other hand cookies could be manipulated by the user or at least
be spied upon on the way between user and web-host everytime the
credentials are needed for a query.

What exactly do you mean by db-account?
I didn't understand your question, but this is what I do in my
applications- When the user submits the login form, validate POST data
(for mischevious stuff) and check if username&  password query works
out successfully. If it does, store a session variable login=true and
let the user work on the private parts of the site.
The cookie essentially, contains just the session id. I never use
cookies to store data, only sessions.
I also add ip and user-agent filtering to my auth systems.

Sounds like $_SESSION buffer is what you need. I use the buffer extensively in most of my designs.

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to