notepad
Posted April 20, 2007

Hey,

Recently I decided to make a login script for my site using PHP and MySQL. After some reading/talking I came to the conclusion that constants are more secure. It is going pretty good; there have been some rough spots, mostly because of the lack of variables. So after all this trouble of not using variables... I read this: http://frenchfragfactory.net/ozh/archives/2006/06/01/php-variables-vs-constants/

So, my question to you is, since constants seem to be a lot slower... Are they really any more secure?

I also was told by someone recently that I should be using cookies instead of sessions, because cookies are more secure?

Any thoughts on these issues are welcome.

Thanks,
Brandon

Glyde
Posted April 20, 2007

If you want to get technical, sessions are more secure. Sessions cannot have their raw data edited by the client, whereas cookies easily can. However, sessions run on cookies, as a PHPSESSID cookie has to be stored on the client's computer so PHP knows what session file to grab their data from. Sessions, however, may be accessed by users that they were not intended to be used for.

As for constants, they are replaced in the code for their value at the beginning of script execution. They are also automatically global. Variables are run through an algorithm each time to determine their current value. And yes, they are slightly more secure, while being slower.

per1os
Posted April 20, 2007

To be honest, on the constant/variable deal, you will not notice the speed difference unless you are calculating in like nanoseconds of a difference.

Constants should only be used where appropriate, such as a constant TABLE NAME that may be changed. You would not want to store a DB CONNECT USERNAME as a constant because you would want that data nullified after use etc.

It all depends on what is required. Constants can be very handy.

notepad (Author)
Posted April 27, 2007

Frost: You say I do NOT want to use constants for db info? As I am currently set up, I use constants for all database information. Variables are 'nullified' after use; could you be a little more specific on what happens to them? Are they destroyed?

Glyde: If constants are "globals", doesn't that automatically make them less secure? Everything I have read has always talked bad about "globals". As for the PHPSESSID cookie, could this cookie be edited to access another session file? So, for example, could someone change their cookie to reflect my admin cookie and then get admin rights?

per1os
Posted April 28, 2007

IE:

<?php
// Connection settings are held in a variable so they can be cleared after use.
$config['dbname']   = "";
$config['username'] = "";
$config['host']     = "";
$config['password'] = "";

mysql_connect($config['host'], $config['username'], $config['password']);
mysql_select_db($config['dbname']);

$config = null; // that way no accidental access is given.
?>

That's what I always do, just my preference. I don't want to use the config variable and accidentally echo it out.
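
On the PHPSESSID question raised in the thread, an added example that is not part of any post above: the session ID works as a bearer value, so the login code has to keep the role server-side, accept only IDs the server issued, and issue a fresh ID at login. The function names and `$_SESSION` keys are hypothetical; HTTPS and PHP 7.3 or later are assumed.

```php
<?php
// Added example, not code from the thread. start_hardened_session(),
// login_user(), current_user_is_admin() and the session keys are hypothetical.

function start_hardened_session(): void
{
    ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1');  // never take the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,        // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,     // assumption: the site is served over HTTPS
        'httponly' => true,     // page scripts cannot read PHPSESSID
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login_user(int $userId, bool $isAdmin): void
{
    // Fresh ID at the privilege change; the pre-login session file is deleted,
    // so an ID known before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['uid']      = $userId;
    $_SESSION['is_admin'] = $isAdmin;  // lives in the session file, not in the cookie
    $_SESSION['ua']       = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function current_user_is_admin(): bool
{
    if (!isset($_SESSION['uid'], $_SESSION['ua'])) {
        return false;                  // not logged in
    }
    // Weak consistency check: same ID presented by a different client string.
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($_SESSION['ua'], $ua)) {
        $_SESSION = [];
        session_destroy();             // drop the session, force a new login
        return false;
    }
    return $_SESSION['is_admin'] === true;
}

// Typical request flow (the credential check itself is outside this example):
//   start_hardened_session();
//   if ($passwordOk) { login_user((int) $row['id'], (bool) $row['is_admin']); }
//   if (current_user_is_admin()) { /* show admin page */ }
```

The user-agent comparison is only a heuristic; the cookie flags, strict mode and ID regeneration are what keep the ID from being fixed or read in the first place.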
Archived
This topic is now archived and is closed to further replies.