using PEAR in security methods

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

mahoutekiyo
Forum Newbie
Posts: 2
Joined: Thu May 08, 2008 9:30 pm

using PEAR in security methods

Post by mahoutekiyo »

Referring to http://www.devshed.com/c/a/PHP/Creating ... in-Script/

It took me a while to fully understand this code and although I can follow the code okay, I feel like this is a roundabout approach, especially since my provider does not make use of PEAR on their server.

Initially I decided to make a class that uses a method to make a connection to the database with normal php functions and assign that connection to a member of that class and make several other methods that return necessary information from the database.

For example

Code:

$check = $obj->check($username, $password);
if ($check === true) {
    // print page
} else {
    header("Location: login.php"); exit; // stop here so the protected page is not sent
}

would access a method to make the user data mysql safe, check the info against that in the db and if true, set all the session/user data and return a boolean value. Now, however, after looking at the code at the link I provided, I started thinking to myself they may have a better approach but I don't know if using objects within objects to establish session and user data is really all that necessary.

Any thoughts or opinions on the subject would be greatly appreciated.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: using PEAR in security methods

Post by Mordred »

That class is not among the best examples of good coding, but if you remove the dubious use of serializing in a cookie, it looks okay.
You can use PEAR by just manually copying the folder structure with the required files in a PEAR subdirectory on your server.
Your login class definitely shouldn't connect to the database itself. Make it accept a connection from outside.
I don't understand the rest of your question/comment.
mahoutekiyo
Forum Newbie
Posts: 2
Joined: Thu May 08, 2008 9:30 pm

Re: using PEAR in security methods

Post by mahoutekiyo »

Thank you Mordred. I appreciate the input, and will definitely follow your advice.

Why is it a bad idea to use a class to connect to your database?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: using PEAR in security methods

Post by Mordred »

Have one database connection per page request. Not only your login class will want to use the database - it's better to open one connection, and then pass it around.
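
The advice in this thread put into code, as an added example that is not part of the thread or of the linked article: a login class that accepts an already-open connection instead of creating one, and keeps only a user id in the server-side session rather than serialized data in a cookie. The `Login` class, the `users` table and its columns, and the use of PDO with an in-memory SQLite database (PHP 8 or later) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical Login class that receives its connection from outside.
final class Login
{
    public function __construct(private PDO $db) {}

    /** Returns true and populates the session only when the credentials match. */
    public function check(string $username, string $password): bool
    {
        // Bound parameter instead of hand-escaping the input to make it "mysql safe".
        $stmt = $this->db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
        $stmt->execute([$username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        if ($row === false || !password_verify($password, $row['password_hash'])) {
            return false;
        }
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true); // issue a fresh session id after login
        }
        // Keep only an identifier server-side; nothing serialized goes into a cookie.
        $_SESSION['user_id'] = (int) $row['id'];
        return true;
    }
}

// One connection per page request, opened once and passed to whatever needs it.
// Constructed sample data: an in-memory SQLite database stands in for the real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$login = new Login($db);                            // the same $db can be handed to other classes
var_dump($login->check('alice', 'correct horse'));  // matching credentials
var_dump($login->check('alice', 'wrong'));          // wrong password
var_dump($login->check("o'brien", 'x'));            // quote in the input is treated as plain data
```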