advice needed - dynamic database manipulation



vurentjie
Forum Newbie
Posts: 3
Joined: Fri Feb 15, 2008 8:52 am

advice needed - dynamic database manipulation

Post by vurentjie »

Hi,
I am creating a website that includes a member login and a dynamic page that a registered member can change and update once she/he/it is logged in.

The questions I need to ask relate to a few issues: some are more about security and potential problems that may arise depending on the solutions I choose, and some about whether my solutions are viable.

-- I have already built my 'SECURE' login page that sends a registered user to his respective page and enables his session,

-- each user has his information stored in MySQL database entries and the page content is drawn from this database,

-- the user has options to change or edit his page content (i.e. manipulate his database entries) online.

Obviously at some point a database update must occur. The question I want to ask (and maybe I am being paranoid and my question is silly):

from a technical security point of view what are the pros and cons of the following two methods?

Method 1)
the user logs in -> session starts -> data is collected from the database and converted into session variables -> it is these session variables which populate the page content -> the user makes changes which dynamically change the session variables and therefore the page content (but do not alter the database yet) -> at the end of the session (when the user logs off), the session variables are used to update the database -> next time the user logs in his page reflects the changes made to the database

Method 2)
the user logs in -> session starts -> the user's unique session variable is used to collect data from the database -> the page content is populated directly with database content -> the user makes changes to his page, and these changes instantly update (write to) the database and are refreshed on the page -> at the end of the session (when the user logs off) his database is already updated, so there is no need to use any session variable to update the database -> next time the user logs in his page is as she/he last left it

As can be seen there is a slight difference in the way the database is updated. This is the first site of this scope that I am building, and these are the two methods that I have formulated so far.

The advantage of using method 2 is that because the database is updated instantly as a change is made, there is no need to worry if something goes wrong when the user logs out so that the database isn't updated correctly.

The advantage of method 1 is that the database isn't constantly being hit by users who are changing their page content, and the update is a one-off write that is completed only when the user has logged off, so 'bad people' can't stay on the page that has database access and do funny things with it (if this makes sense).

Anyhow, this is where I am at. I don't even know of any other alternatives; this is what I have formulated and what I know I can put into working code.

If anybody can offer some insight into my query or has knowledge of other solutions or improvements, that would be much appreciated.
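The following is an added example, not code from the thread or from the poster's site, showing how the write-through update of method 2 can be done in PHP with PDO. It assumes a `pages` table with columns `user_id` and `content`, a session that already stores the logged-in user's id and a CSRF token at login, and hypothetical connection details; the row that is written is selected by the session's user id, never by a value the browser sends.

```php
<?php
// Added example, not code from the thread. Shows method 2 (write-through):
// the member's edit is written to MySQL immediately, and the row to write
// is picked by the user id stored in the session at login, never by a value
// the browser submits. Assumed schema: pages(user_id INT, content TEXT).
session_start();

function updateOwnPage(PDO $db, string $newContent): bool
{
    if (empty($_SESSION['user_id'])) {
        return false; // not logged in: nothing may be written
    }
    // Per-session token: a forged POST from another site will not carry it.
    if (!isset($_POST['csrf'], $_SESSION['csrf'])
        || !hash_equals($_SESSION['csrf'], $_POST['csrf'])) {
        return false;
    }
    // Prepared statement: content is bound as data, never spliced into SQL.
    $stmt = $db->prepare(
        'UPDATE pages SET content = :content WHERE user_id = :uid'
    );
    $stmt->execute([
        ':content' => $newContent,
        ':uid'     => (int) $_SESSION['user_id'],
    ]);
    // Exactly one row (the member's own) must have matched.
    return $stmt->rowCount() === 1;
}

function readOwnPage(PDO $db): string
{
    $stmt = $db->prepare('SELECT content FROM pages WHERE user_id = :uid');
    $stmt->execute([':uid' => (int) ($_SESSION['user_id'] ?? 0)]);
    return (string) $stmt->fetchColumn();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Hypothetical connection details. MYSQL_ATTR_FOUND_ROWS makes rowCount()
    // report matched rows, so re-saving identical content still counts.
    $db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::MYSQL_ATTR_FOUND_ROWS => true,
    ]);
    $saved = updateOwnPage($db, $_POST['content'] ?? '');
    // Re-read from the database so the page shows what was actually stored.
    $content = readOwnPage($db);
    echo $saved ? '<p>Saved.</p>' : '<p>Not saved.</p>';
    echo '<div>' . htmlspecialchars($content, ENT_QUOTES, 'UTF-8') . '</div>';
}
```

Because every write goes through the session's user id and a prepared statement, a member who stays on the editing page can only ever change his own row, which addresses the 'bad people' worry raised for method 2.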
liljester
Forum Contributor
Posts: 400
Joined: Tue May 20, 2003 4:49 pm

Re: advice needed - dynamic database manipulation

Post by liljester »

"from a technical security point of view what are the pros and cons of the following two methods?"
Security wise, there is virtually no difference.

Technically, method 2 would probably incur a little more database activity than method 1. However, method 1 has the possibility of data loss in the case of a closed browser, or the user didn't "logout". And having to log out and back in to see changes is kind of lame.

I would choose method 2.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: advice needed - dynamic database manipulation

Post by Christopher »

I would choose 2 unless you can require your users to formally log out. Many users just leave without logging out.