Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
$_SESSION["db"] = new db($cnf["database_user"],$cnf["database_pass"],$cnf["database"],$cnf["database_host"]);
But is it safe and scalable? I read somewhere (http://digg.com/programming/How_Not_To_ ... ent_in_PHP) that PHP automatically rides MySQL connections on top of each other (does not open one for each request) if the parameters are the same:
Actually... when you make a MySQL connection in PHP, any subsequent connections made with the same parameters ride on top of the first connection (shared). In other words, you can create a bunch of database objects as needed, and they'll all share the same connection.
I did some research on Google, but it seems not many people had the same idea... Perhaps someone could tell me if there's a good reason for that? Thanks in advance.
feyd wrote: The connection is closed after the page request is finished.
Unless it is a persistent connection (it seems the article mentioned by OP was about persistent connections).
nutkenz wrote:
It's both very practical and possible...
possible... yes, but practical - I doubt it. Resources can't be serialized, so you would end up writing __sleep() and __wakeup() methods and shift code to establish the connection there.
Weirdan wrote: Unless it is a persistent connection (it seems the article mentioned by OP was about persistent connections).
True, the connection is not closed, but the database resource handle is still unusable in subsequent requests, just as with files, images, etc. The fact that the database connection was reused is invisible to the php script. The php db-resource handle is not the database connection, so storing it in $_SESSION is useless.
Useless okay, but is it problematic?
Edit: I replaced _SESSION with GLOBALS. Seems to work just as well.
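The point made in the replies above (a handle cannot be serialized, so a session-stored wrapper needs __sleep() and __wakeup() and simply reconnects), shown as an added example that is not code from the thread. It assumes PHP 8 with pdo_sqlite; the class name Db and the in-memory SQLite DSN are hypothetical stand-ins for the poster's db class and MySQL parameters.

```php
<?php
// Added illustration; Db and the SQLite DSN are assumptions, not the poster's code.
final class Db
{
    private ?PDO $pdo = null;          // live handle, valid for this request only

    public function __construct(private string $dsn)
    {
        $this->connect();
    }

    private function connect(): void
    {
        $this->pdo = new PDO($this->dsn);
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    public function pdo(): PDO
    {
        return $this->pdo;
    }

    // Serialize only the connection parameters, never the handle.
    public function __sleep(): array
    {
        return ['dsn'];
    }

    // The old handle is gone after unserialize(); open a new connection.
    public function __wakeup(): void
    {
        $this->connect();
    }
}

// 1. A raw handle cannot be put in session storage: serialize() refuses it.
try {
    serialize(new PDO('sqlite::memory:'));
    echo "raw handle was serialized\n";
} catch (Throwable $e) {
    echo 'raw handle rejected: ', $e->getMessage(), "\n";
}

// 2. The wrapper round-trips, but only because __wakeup() reconnects.
$db     = new Db('sqlite::memory:');
$stored = serialize($db);              // what the session store would hold
$copy   = unserialize($stored);
var_dump($copy->pdo() !== $db->pdo()); // true when the copy holds a new connection

// 3. The connection parameters are written to the stored data in clear text.
var_dump(str_contains($stored, 'sqlite::memory:'));
```

With real MySQL parameters, step 3 means the database user name and password would be written into every session file, which is a cost on top of the reconnect gaining nothing over connecting once per request.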