--- anders thoresson <[EMAIL PROTECTED]> wrote:

> > For the most part, yes, it is fine. Because session variables are
> > maintained on the server, many risks are not a concern.
>
> Ok. So it's more or less safe, at least as long as the server is
> locked down. But someone, on this list or somewhere else, I don't
> remember, pointed out that if my site gets a lot of visitors, loading
> username, password and hostname for MySQL-connections in session
> variables causes a lot of overhead.

I'm not sure that I agree with this (I'm not positive that it's wrong either, but I find it hard to believe). If you're already using sessions, and PHP is already fetching session data from the session data store for each visit, it seems like a negligible amount of overhead to me to have a bit more stored in the session. Perhaps they were speaking about storing this information in cookies (which would make a larger performance difference in addition to creating a security vulnerability)?

> So: What's the best way - in terms of security AND performance - to
> store and access username, password and hostname for my MySQL
> connections?

David Sklar and Adam Trachtenberg (two smart guys who authored the PHP Cookbook) suggest storing this information in the Web server's environment. So, for Apache users, you would have something in httpd.conf (or a .htaccess file) that sets variables for your database connection information. As long as you don't have any phpinfo() calls hanging around exposing the environment variables to anyone who loads the page, this seems pretty secure to me. It also seems like a very efficient method. You might want to consider it.

> > PHP Security Handbook
> > Coming mid-2004
>
> Nice. From which publisher?

O'Reilly and Associates. :-)

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
Coming mid-2004

HTTP Developer's Handbook
http://httphandbook.org/

RAMP Training Courses
http://www.nyphp.org/ramp
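The environment-variable approach Chris describes, as an added example that is not from the thread or the PHP Cookbook: the Apache `SetEnv` lines go in httpd.conf or a .htaccess, and the PHP side reads them from `$_SERVER` at connect time and never copies them into the session or a cookie. The variable names (DB_HOST, DB_USER, DB_PASS, DB_NAME) and the sample values are assumed.

```php
<?php
// Apache side (httpd.conf or a .htaccess), variable names and values are assumed:
//   SetEnv DB_HOST db.internal.example
//   SetEnv DB_USER app_reader
//   SetEnv DB_PASS "placeholder-password"
//   SetEnv DB_NAME shop
// Apache passes SetEnv values into the PHP environment, so they show up in $_SERVER.

/**
 * Collect the database settings from the server environment.
 * Throws if any value is missing so a misconfigured vhost fails closed
 * instead of silently connecting with empty credentials.
 */
function db_settings_from_env(array $env): array
{
    $settings = [];
    foreach (['DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME'] as $key) {
        if (!isset($env[$key]) || $env[$key] === '') {
            throw new RuntimeException("Database setting $key is not set in the server environment");
        }
        $settings[$key] = $env[$key];
    }
    return $settings;
}

/**
 * Open the connection. The credentials exist only as locals here; nothing is
 * written to $_SESSION (so the session store never holds them) or to a cookie
 * (so they are never sent to the browser).
 */
function db_connect(?array $env = null): mysqli
{
    $s = db_settings_from_env($env ?? $_SERVER);
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli($s['DB_HOST'], $s['DB_USER'], $s['DB_PASS'], $s['DB_NAME']);
}

/**
 * Caveat from the message: phpinfo() dumps $_SERVER, so it must not be reachable
 * on a production host. Any error page or debug view that prints the environment
 * should go through this filter first.
 */
function env_without_db_secrets(array $env): array
{
    unset($env['DB_USER'], $env['DB_PASS']);
    return $env;
}
```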