
Re: Cannot modify header information - headers already sent

Posted: Mon May 19, 2008 3:04 pm
by VladSun
Jade wrote: The problem with setting it in a session is that you're then sending that information back and forth over the internet in packets. If you're going to keep doing that then I suggest you encrypt everything.
@Jade - $_SESSION is server-side data...

@tua1 - keeping DB connection parameters in $_SESSION ... doesn't make any sense. Why would you want to do this? Jade's suggestion is far better :)

Re: Cannot modify header information - headers already sent

Posted: Mon May 19, 2008 3:20 pm
by Jade
Yes, session data is server side but it's still sent back and forth in packets when you initially set the values....

Re: Cannot modify header information - headers already sent

Posted: Mon May 19, 2008 3:38 pm
by onion2k
Jade wrote: Yes, session data is server side but it's still sent back and forth in packets when you initially set the values....
No it isn't. A cookie with the session id is sent to the user once when they first hit the page and their session starts, but after that no session information is ever sent to the client.

Re: Cannot modify header information - headers already sent

Posted: Mon May 19, 2008 3:54 pm
by Jade
Ahh. My bad. Still not a good idea to store DB info in a session imo.

Re: Cannot modify header information - headers already sent

Posted: Tue May 20, 2008 9:03 am
by tua1
Thank you very much for your explanations.

I have another problem with my site.

Anybody who enters my site connects to the database with a default user:

<?php $host = "localhost";
$user = "test";
$pass = "test";
$dbname = "shop";
 
$connection = mysql_connect($host,$user,$pass) or die (mysql_errno().": ".mysql_error()."<BR>");
mysql_select_db($dbname); ?>
 
I have specified privileges for user "test" in phpmyadmin: select and insert.

Without registration, the guest (test) user cannot buy anything, etc.
In my register.php I want to grant additional privileges to a registered user (select, insert, update, delete), e.g.:

$query3= "GRANT SELECT, INSERT, UPDATE, DELETE "
    ."ON shop.* "
    ."TO ".$arVals['login']." IDENTIFIED BY ".$arVals['pass1']."; "
.
.
.
.
$result1 = mysql_query($query3) or die("Invalid query: " . mysql_error() . "<br><br>". $query3);

But for this I have to add the grant privilege for user test, which is not safe :/

I don't know what I have to do about this problem.

I hope you understand me.

Any advice??

Regards

Re: Cannot modify header information - headers already sent

Posted: Tue May 20, 2008 9:14 am
by onion2k
Don't add a new MySQL user for every user in your site. That's crazy, and completely unnecessary. Ideally you want 2 MySQL users - one basic one that can only select things (your test user), and another higher level one that has more privs for registered users. When the script runs choose which user to connect to the database with depending on the current site user's session.

Most people don't bother with that mind you and just use 1 MySQL user with all the necessary privs. It's a lot easier to code.

Re: Cannot modify header information - headers already sent

Posted: Tue May 20, 2008 9:41 am
by tua1
onion2k wrote: Don't add a new MySQL user for every user in your site. That's crazy, and completely unnecessary. Ideally you want 2 MySQL users - one basic one that can only select things (your test user), and another higher level one that has more privs for registered users. When the script runs choose which user to connect to the database with depending on the current site user's session.

Most people don't bother with that mind you and just use 1 MySQL user with all the necessary privs. It's a lot easier to code.
Thanks for your reply, so test user privileges: select, insert, update, delete <- this is the easiest way.

And maybe if I want 2 users, basic test (select, insert) and registered (select, insert, update, delete), I can do an if statement that checks if the user is logged in, and if true changes the values of connection.php

Am I right?

Regards

Re: Cannot modify header information - headers already sent

Posted: Tue May 20, 2008 1:36 pm
by Christopher
You understand that by creating different MySQL users you are protecting yourself from yourself, not protecting yourself from your users. These user privileges limit the SQL statements that your code can execute. If you want to use a different user with fewer privileges for the main code than in the admin area, then you are simply protecting yourself from doing something stupid in the main code.

If you don't want the users to be able to perform certain functions, you will need to program that Access Control into your program.
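
Added example (not part of the original thread or any poster's code): one way to combine the two fixed MySQL accounts onion2k suggests with the application-level access control Christopher describes, so register.php never needs the GRANT privilege. The account names, environment variable names, the `user_id` session key and the action names are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example: shop_guest, shop_member, SHOP_*_PASS, user_id and the
// action names are hypothetical, not taken from the thread.

// Two fixed MySQL accounts, created once by an administrator:
//   shop_guest  -> SELECT, INSERT on shop.*
//   shop_member -> SELECT, INSERT, UPDATE, DELETE on shop.*
// Neither account holds GRANT, and no account is created per site user.
const DB_ACCOUNTS = [
    'guest'  => ['user' => 'shop_guest',  'pass_env' => 'SHOP_GUEST_PASS'],
    'member' => ['user' => 'shop_member', 'pass_env' => 'SHOP_MEMBER_PASS'],
];

// Application-level access control: what each site role may do.
const ALLOWED_ACTIONS = [
    'guest'  => ['browse', 'register'],
    'member' => ['browse', 'buy', 'edit_profile'],
];

// The role is derived only from server-side session data, never from request input.
function site_role(array $session): string
{
    return isset($session['user_id']) && is_int($session['user_id']) ? 'member' : 'guest';
}

function can(array $session, string $action): bool
{
    return in_array($action, ALLOWED_ACTIONS[site_role($session)], true);
}

// Connect with the account that matches the role; passwords come from the environment.
function db_connect_for(array $session): mysqli
{
    $account = DB_ACCOUNTS[site_role($session)];
    $pass = getenv($account['pass_env']);
    if ($pass === false) {
        throw new RuntimeException('Missing ' . $account['pass_env']);
    }
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli('localhost', $account['user'], $pass, 'shop');
}

// Constructed sessions: the permission check runs before any connection or query.
foreach ([[], ['user_id' => 42]] as $session) {
    foreach (['browse', 'buy'] as $action) {
        printf("%-6s %-6s %s\n", site_role($session), $action, can($session, $action) ? 'allowed' : 'denied');
    }
}
```

The database privileges only bound what the code itself can run; the `can()` check is what stops a guest from buying.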

Re: Cannot modify header information - headers already sent

Posted: Wed May 21, 2008 6:37 am
by tua1
Thanks for your reply.