Suggest me a secure way of coding to take a value...

navindhar
Forum Newbie
Posts: 6
Joined: Fri Sep 14, 2007 10:59 am

Suggest me a secure way of coding to take a value...

Post by navindhar »

Hi,

I am getting signup details on a page (Firstname, Lastname, Username, Password, etc.) and I am storing them in a database table, with username as the primary key. After that, I am getting social profile details and work profile details and storing them in tables, with username as the primary key in each table. Here I am using a SESSION VARIABLE on each page (social profile page and work profile page) to retrieve and store the username.

But my project leader is not accepting this kind of coding. He is saying that there is no data security, and so on... So could any of you suggest me a secure way of coding to take data from my signup page to the social and work profile pages?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Sessions are the most secure way to transfer information across pages as they aren't transmitted to the user, therefore cannot be manipulated (directly) by them. However, they can be stolen. There's no absolute protection against this. Regenerating the session id on a regular basis helps alleviate fixation issues. Using a user id is generally better for the foreign keys as the user id isn't likely to change, whereas the username may. The only other, fairly secure option is having them re-login on those pages, thereby not requiring sessions at all. However, this usually isn't the best user experience. Users will most likely complain about this form.
maliskoleather
Forum Contributor
Posts: 155
Joined: Tue May 15, 2007 2:19 am
Contact:

Post by maliskoleather »

feyd wrote: However they can be stolen.
Just to add onto that, most of the time when they are stolen, it's on a shared server where the session is stored in a root folder. On top of the other measures listed above, saving session data in a non-public folder will pretty much tighten the session security so much that it's not too much of a concern.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It's preferred to shift the session storage to the database if possible (most often is.)
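The three pieces of advice in this thread (database-backed session storage, regenerating the session id, and keying on a user id rather than the username) put together as an added example; this is not code from feyd or anyone in the thread. It assumes PHP 8, SQLite via PDO, a `sessions` table you create yourself with the columns shown, and a placeholder database path outside the web root.

```php
<?php
// Added example (not from the thread): a PDO-backed session handler plus
// session-id regeneration at login. Assumes a table named `sessions`
// (id VARCHAR PRIMARY KEY, data TEXT, last_access INTEGER) that you create.
class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $pdo) {}
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->pdo->prepare('SELECT data FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        $row = $stmt->fetchColumn();
        return $row === false ? '' : $row;   // empty string = new session
    }

    public function write(string $id, string $data): bool
    {
        // One row per session id; INSERT OR REPLACE is SQLite syntax
        $stmt = $this->pdo->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, last_access) VALUES (?, ?, ?)'
        );
        return $stmt->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->pdo->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        // Expire rows not touched within the configured lifetime
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE last_access < ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

$pdo = new PDO('sqlite:/path/to/private/sessions.db');  // placeholder path, keep it outside the web root
session_set_save_handler(new DbSessionHandler($pdo), true);
session_start();

// After a successful login: a fresh id defeats fixation; store the numeric
// user id (stable foreign key), not the username, as feyd suggests.
function loginUser(int $userId): void
{
    session_regenerate_id(true);   // true = delete the old session record
    $_SESSION['user_id'] = $userId;
}
```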