NYCPHP Meetup

NYPHP.org

[nycphp-talk] Storing User Controlled Configs

Mark Armendariz nyphp at enobrev.com
Tue Sep 7 00:59:10 EDT 2004


> My questions are:
> 1. Would it be better to query the table on every page load?
> 2. What are the drawbacks if any of using session vars to 
> store configs?
> 3. Is there a better method?
> 4. Is it proper to call session vars from within a function, 
> or should the session vars be passed to the variable when 
> the function is called?


It can be 'dangerous' to keep all configuration vars in the session as
session variables are easily edited by anyone who has the time to find out
how via Google.  If your config vars are controlling color schemes and such,
not such a big deal.  But if your config vars have more personal
information, this could prove to be a problem.  

In my reading from Mr. Shiflett and a few others who evangelize the
importance of security scrutiny in php (and elsewhere), I've found it best
to keep an encrypted key of sorts in the session, and then query the
database according to that key for the information needed per user.  This
ensures a tampered session is worthless and that personal information never
gets into the browser's messy pockets.

As far as calling session vars in a function, it's a matter of preference.
I've personally always found it best to pass all vars to the function (or
define them in the class) explicitly, which allows you to trace the path of
the variable while reading the code.  But, according to the code I've read
over the years, most coders don't necessarily agree.

Good Luck!

Mark

(PS, that gmail response email was meant to be off list, apologies for the
extra OT).
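The pattern described in the reply above (only an opaque key in the session, the per-user config fetched from the database by that key, and config passed into functions explicitly), as an added example that is not code from the original post or from anyone on the list. It uses a random 256-bit token rather than an encrypted value as the key; the table name `user_config`, the column names, the function names and the in-memory SQLite database that stands in for the real one are all assumptions made for this example, and the session array is populated directly instead of through a real HTTP request.

```php
<?php
// Added example (not from the original post): keep only an opaque, random
// lookup key in the session and resolve the user's config from the database
// on each page load. Table, column and function names are assumptions.
// An in-memory SQLite database stands in for the real one so this runs offline.

function openConfigStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user_config (
        config_key TEXT PRIMARY KEY,
        user_id    INTEGER NOT NULL,
        config     TEXT NOT NULL
    )');
    return $db;
}

// Called at login: mint an unguessable key, persist the user's settings
// under it, and put only the key into the session.
function createConfigSession(PDO $db, int $userId, array $config): string {
    $key = bin2hex(random_bytes(32));   // 256 bits from the OS CSPRNG
    $stmt = $db->prepare(
        'INSERT INTO user_config (config_key, user_id, config) VALUES (?, ?, ?)'
    );
    $stmt->execute([$key, $userId, json_encode($config)]);
    $_SESSION['config_key'] = $key;
    return $key;
}

// Called on every page load: resolve the key back to the stored config.
// Returns null when the key is missing, malformed or unknown, which is
// how a tampered or forged session shows up.
function loadConfig(PDO $db, ?string $key): ?array {
    if ($key === null || !preg_match('/^[0-9a-f]{64}$/', $key)) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT user_id, config FROM user_config WHERE config_key = ?'
    );
    $stmt->execute([$key]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    return ['user_id' => (int) $row['user_id']] + json_decode($row['config'], true);
}

// Config is passed in explicitly rather than read from $_SESSION inside,
// so the data flow is visible at the call site.
function renderHeader(array $config): string {
    return sprintf(
        '<div class="%s">Hello, user %d</div>',
        htmlspecialchars($config['theme'], ENT_QUOTES, 'UTF-8'),
        $config['user_id']
    );
}

// Demo with a constructed session array (no session_start(), no real request).
$_SESSION = [];
$db = openConfigStore();
createConfigSession($db, 42, ['theme' => 'dark', 'email' => 'user@example.com']);

$config = loadConfig($db, $_SESSION['config_key'] ?? null);
if ($config !== null) {
    echo renderHeader($config), "\n";
}

// An edited or guessed key resolves to nothing; the caller should treat
// that as an invalid session (session_destroy() and re-authenticate).
$_SESSION['config_key'] = str_repeat('0', 64);
var_dump(loadConfig($db, $_SESSION['config_key'] ?? null));
```

The lookup key should be deleted from `user_config` on logout so it cannot be replayed, and the session cookie that carries the PHP session ID still needs the usual protections (`HttpOnly`, `Secure`, regeneration on login); the key only limits what a forged session value can reach, it does not replace session hardening.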



