Re: [SLUG] PHP/MySQL security

From: James Bennett (jaben55@yahoo.com)
Date: Wed Sep 21 2005 - 19:40:07 EDT


Have you looked into writing your own sql session handler?
 
This allows you to control whether or not the session variables are stored on the server or on the client. I prefer to store the session on the server. This precludes an unsavory user from forging the cookie variables and gaining access to the site.
 
If you are interested in this type of solution Email me jaben55@yahoo.com and I'll provide more information.
 
James Bennett
 
Business Functionality
 

Paul M Foster <paulf@quillandmouse.com> wrote:
I'm analyzing a site that we're taking over from someone else. Heavy use
of PHP and MySQL. Many of the pages allow people at the company to add,
delete and change items in the MySQL tables. When someone logs in to get
to this section of the site, PHP queries the MySQL tables to determine
if this person has the appropriate privileges, and shows them the page
they've requested.

But here's the thing: at the top of every page, PHP queries the MySQL
tables _again_ to determine if the user (passed in session variables)
has the appropriate privileges, etc. Isn't there a simpler, less costly
(computer time) way to do this? Seems like there ought to be some way to
pass a session variable (or something) along and query that in each
page, without having to go back and check the tables for privileges each
time you load a page.

Any ideas?

-- 
Paul M. Foster
-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
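As an added example that is not part of either post, here is a PHP server-side session handler of the kind James describes, which also addresses Paul's per-page privilege query by caching the lookup once at login. It assumes PHP 8 with PDO, an assumed DSN/credentials, and a constructed table `sessions(id VARCHAR(128) PRIMARY KEY, data BLOB NOT NULL, expires INT UNSIGNED NOT NULL)`.

```php
<?php
// Added example, not from the list post: sessions stored server-side in MySQL. The browser
// holds only an opaque session ID, so the privilege flags cannot be forged via cookie values.
class MysqlSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private int $lifetime = 1800) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // Prepared statements throughout: the session ID is client-supplied input.
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';   // '' means no valid session: start fresh
    }

    public function write(string $id, string $data): bool
    {
        $st = $this->db->prepare('REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time() + $this->lifetime]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE expires < ?');
        $st->execute([time()]);
        return $st->rowCount();
    }
}

$db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass');  // assumed DSN
session_set_save_handler(new MysqlSessionHandler($db), true);
session_start();

// At login, after the password check, query the privilege table once and cache the result:
function cachePrivileges(array $privsFromDb): void
{
    session_regenerate_id(true);          // fresh ID so a pre-login session ID is not kept
    $_SESSION['privs'] = $privsFromDb;    // e.g. ['can_edit' => true], constructed shape
}
// On every other page no MySQL privilege query is needed; the flags came from the server store:
if (empty($_SESSION['privs']['can_edit'])) { http_response_code(403); exit; }
```

The trade-off is that cached privileges only change at the next login, so a revoked user keeps access until the session expires or is destroyed server-side; the per-page query Paul describes avoids that lag at the cost of a query per request.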




This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:09:50 EDT