Re: [SLUG] PHP/MySQL security

From: aaron steimle (asteimle@washpat.com)
Date: Wed Sep 21 2005 - 07:59:44 EDT


Paul M Foster wrote:

>I'm analyzing a site that we're taking over from someone else. Heavy use
>of PHP and MySQL. Many of the pages allow people at the company to add,
>delete and change items in the MySQL tables. When someone logs in to get
>to this section of the site, PHP queries the MySQL tables to determine
>if this person has the appropriate privileges, and shows them the page
>they've requested.
>
>But here's the thing: at the top of every page, PHP queries the MySQL
>tables _again_ to determine if the user (passed in session variables)
>has the appropriate privileges, etc. Isn't there a simpler, less costly
>(computer time) way to do this? Seems like there ought to be some way to
>pass a session variable (or something) along and query that in each
>page, without having to go back and check the tables for privileges each
>time you load a page.
>
>Any ideas?
>
>
>
You can pass it to a cookie or pass it as a hidden post object.
-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
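
Added example, not part of the original thread: a value carried in a cookie or hidden form field is under the client's control, so privileges passed that way have to be authenticated by the server on every page. The PHP below signs the privilege list with an HMAC and a short expiry; the function names, key constant and claim fields are hypothetical.

```php
<?php
// Added example: integrity-protected privilege cookie (all names hypothetical).
// Assumption: the key comes from server-side config and never reaches the client.
const PRIV_KEY = 'replace-with-32-random-bytes-from-config';
const PRIV_TTL = 900; // seconds before the MySQL tables are consulted again

// Build the cookie value once, right after the login query against MySQL.
function issue_priv_token(int $userId, array $privs, int $now): string
{
    $payload = base64_encode(json_encode([
        'uid'   => $userId,
        'privs' => array_values($privs),
        'exp'   => $now + PRIV_TTL,
    ]));
    return $payload . '.' . hash_hmac('sha256', $payload, PRIV_KEY);
}

// Called at the top of every page in place of the privilege query.
// Returns the claims, or null if the token is malformed, altered or expired.
function check_priv_token(string $token, int $now): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Verify the MAC before decoding anything; hash_equals is constant-time.
    if (!hash_equals(hash_hmac('sha256', $payload, PRIV_KEY), $mac)) {
        return null;
    }
    $claims = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($claims) || !isset($claims['uid'], $claims['privs'], $claims['exp'])) {
        return null;
    }
    return $now < $claims['exp'] ? $claims : null;
}

// Constructed sample run.
$now   = time();
$token = issue_priv_token(42, ['items.edit'], $now);
var_dump(check_priv_token($token, $now));                 // genuine token
// Payload edited on the client to add a privilege, old MAC reused:
$edited = base64_encode(json_encode(
    ['uid' => 42, 'privs' => ['items.edit', 'items.delete'], 'exp' => $now + PRIV_TTL]
)) . '.' . explode('.', $token)[1];
var_dump(check_priv_token($edited, $now));                // altered payload
var_dump(check_priv_token($token, $now + PRIV_TTL + 1));  // past expiry
```

A privilege revoked in the tables stays valid in an issued token until `exp`, so the TTL sets how stale the cached answer can be compared with the per-page query.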


