[SOLVED] simple question about security with PHP Sessions

[pkedpker]

I'd like off by saying hello guys.

 

Okay now down to the actual question I actually knew this back at 2004.. I quit PHP then now im back and addicted

 

 

session_start(); is set at start of index.php which has login.php included

 

inside login.php

It checks if user is logged in blah blah does all that sql queries and checking etc.. then it finally does

			session_register('username');
			$_SESSION['username'] = $name;
			session_register('id');
			$_SESSION['id'] = $id;
			session_register('email');
			$_SESSION['email'] = $email;

 

then it somewhere in the page lets say it lets a person change his email.. or password it uses the SESSION['id'] and SESSION['email] which is rigged right into the SQL Query I know all about injections I did them myself but I want to know if this is safe.

There is no way someone can edit that id in session right? it is server side? (i was thinking session is somehow related to cookies.. hopefully its not because cookies are client-side and I could even edit those.

 

$id = $_SESSION['id'];
$sql = 'SELECT members.id, members.name, email, ranks.name AS rank, fname, lname, birthday, location '
	. 'FROM bcs_members, bcs_ranks WHERE members.rank = ranks.id AND members.id = ' . $id . ' ORDER BY `order`';
$result = mysql_query($sql)  or die(mysql_error());
while($r=mysql_fetch_array($result))
{
blahblah

 

is that safe using  $_SESSION['id'];  like that? when a person logs in  id is set to the database key relating to that user.

 

 

OffTopic.

 

I'd like to also know after I do the mysql_connect must I close mysql by doing mysql_close(); or not I dont believe its a persistent connection. My belief is it's not needed to do mysql_close(); since the connection only lasts when the phpcgi is running and once the page is rendered it's terminated instantly closing all resources/mysql etc.. so mysql_close(); is just overhead that I don't need

 

[jacksonmj]

session_register is deprecated as of PHP 5.3.0 and removed as of PHP 6.0.0.

$_SESSION['username'] = $name; is all you need to do to store something in $_SESSION.

 

 

A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL.

 

Session data is stored on the server, and the session id identifies which set of session data belongs to that visitor. So there is no way, unless your code specifically allows it, for visitors to edit session data. They might be able to use someone else's session, but they can't edit the actual session data.

 

However, it is good practice to escape all data that goes into a SQL query, regardless of whether you think the data is safe or not.

 

 

Regarding mysql_close, read the PHP manual - you are correct.

 

 

[PFMaBiSmAd]

session_register was actually depreciated and disabled in php4.2 in the year 2002 when register_globals were turned off by default.

[jacksonmj]

 

The info I gave was straight from the PHP manual entry for session_register. As far as I can gather from the manual:

 

$_SESSION was preferred since 4.1.0 (when $_SESSION was introduced).

session_register disabled by default since 4.2 (due to register_globals turned off by default, like you say)

session_register deprecated since 5.3.0

session_register removed in 6.0.0

 

Disabled by default is not necessarily the same as deprecated...

 

 

However, I must admit that you are quite right to criticise me - session_register has been the wrong way to do sessions for much longer than I implied in my original post.

 

 

[pkedpker]

lol yup solved..