Is storing a database connection in $_SESSION bad practice?

nutkenz
Forum Contributor
Posts: 155
Joined: Tue Jul 19, 2005 12:25 pm

Is storing a database connection in $_SESSION bad practice?

Post by nutkenz »

It sure makes things easy:

$_SESSION["db"] = new db($cnf["database_user"],$cnf["database_pass"],$cnf["database"],$cnf["database_host"]);
But is it safe and scalable? I read somewhere (http://digg.com/programming/How_Not_To_ ... ent_in_PHP) that PHP automatically rides MySQL connections on top of each other (does not open one for each request) if the parameters are the same:
Actually... when you make a MySQL connection in PHP, any subsequent connections made with the same parameters ride on top of the first connection (shared). In other words, you can create a bunch of database objects as needed, and they'll all share the same connection.
I did some research on Google, but it seems not many people had the same idea... Perhaps someone could tell me if there's a good reason for that? Thanks in advance.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The connection is closed after the page request is finished.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Maybe a safety issue could be that on shared hosts sessions might be read by others? (as far as I know)
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

how about not practical or impossible?
nutkenz
Forum Contributor
Posts: 155
Joined: Tue Jul 19, 2005 12:25 pm

Post by nutkenz »

Hockey wrote: how about not practical or impossible?
It's both very practical and possible... I tried replacing SESSION with GLOBALS, but now I get an error in some functions and classes:

Notice: Undefined variable: _GLOBALS in /usr/home/public_html/testing/classes/FeedManager.php on line 73
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

nutkenz wrote:
Hockey wrote: how about not practical or impossible?
It's both very practical and possible... I tried replacing SESSION with GLOBALS, but now I get an error in some functions and classes:

Notice: Undefined variable: _GLOBALS in /usr/home/public_html/testing/classes/FeedManager.php on line 73
$GLOBALS not $_GLOBALS
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

feyd wrote: The connection is closed after the page request is finished.
Unless it is a persistent connection (it seems the article mentioned by OP was about persistent connections).
nutkenz wrote: It's both very practical and possible...
possible... yes, but practical - I doubt it. Resources can't be serialized, so you would end up writing __sleep() and __wakeup() methods and shift code to establish the connection there.
dbevfat
Forum Contributor
Posts: 126
Joined: Tue Jun 28, 2005 2:47 pm
Location: Ljubljana, Slovenia

Post by dbevfat »

Weirdan wrote: Unless it is a persistent connection (it seems the article mentioned by OP was about persistent connections).
True, the connection is not closed, but the database resource handle is still unusable in subsequent requests, just as with files, images, etc. The fact that the database connection was reused is invisible to the php script. The php db-resource handle is not the database connection, so storing it in $_SESSION is useless.
nutkenz
Forum Contributor
Posts: 155
Joined: Tue Jul 19, 2005 12:25 pm

Post by nutkenz »

dbevfat wrote:
Weirdan wrote: Unless it is a persistent connection (it seems the article mentioned by OP was about persistent connections).
True, the connection is not closed, but the database resource handle is still unusable in subsequent requests, just as with files, images, etc. The fact that the database connection was reused is invisible to the php script. The php db-resource handle is not the database connection, so storing it in $_SESSION is useless.
Useless okay, but is it problematic?

edit: I replaced _SESSION with GLOBALS. Seems to work just as well.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Since it's useless, it's problematic by default... (Its only purpose is to confuse other developers)
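
The points raised in the thread by Weirdan (resources can't be serialized, so `__sleep()`/`__wakeup()` must reconnect), dbevfat (the handle is unusable in later requests) and matthijs (session data may be readable by others), shown together as an added example that is not code from any post. The `Db` class is a hypothetical stand-in for the poster's `db` class, an in-memory SQLite database stands in for MySQL, and the credentials are constructed sample values.

```php
<?php
// Added example, not code from the thread. Db is a hypothetical stand-in for the
// poster's db class; assumes PHP 7.4+ with the pdo_sqlite extension.
final class Db
{
    private $dsn;
    private $user;
    private $pass;
    private $pdo; // live handle, valid for the current request only

    public function __construct(string $dsn, string $user, string $pass)
    {
        $this->dsn = $dsn;
        $this->user = $user;
        $this->pass = $pass;
        $this->connect();
    }

    private function connect(): void
    {
        $this->pdo = new PDO($this->dsn, $this->user, $this->pass);
    }

    public function handleId(): int { return spl_object_id($this->pdo); }

    // Weirdan's approach: leave the handle out of the serialized form ...
    public function __sleep(): array { return ['dsn', 'user', 'pass']; }

    // ... and open a new connection when the object is restored.
    public function __wakeup(): void { $this->connect(); }
}

// 1. The raw handle refuses serialization, so it cannot be written to a session.
try {
    serialize(new PDO('sqlite::memory:'));
    echo "raw handle: serialized\n";
} catch (Throwable $e) {
    echo 'raw handle: ', $e->getMessage(), "\n";
}

// 2. The wrapper survives the round trip (serialize() stands in for the session
//    write) only by reconnecting, so the restored handle is a different object.
$db = new Db('sqlite::memory:', 'app_user', 'constructed-password'); // constructed values
$payload = serialize($db);
$copy = unserialize($payload);
echo 'same handle after restore: ', var_export($db->handleId() === $copy->handleId(), true), "\n";

// 3. The credentials are part of the payload, i.e. of the stored session data.
echo 'password in payload: ', var_export(strpos($payload, 'constructed-password') !== false, true), "\n";
```

Building the connection once per request from configuration kept outside the session avoids both the reconnect boilerplate and the copy of the password in session storage.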