Reputation: 3839
I want to know: while doing DB operations on MySQL in PHP, is it really safe to save all DB values in the session array, as below?
    // Look up the user with bound parameters, then copy every row into the session
    $query = "select * from `users` where `mails` = ? and passx = ?";
    $result = DB::instance()->prepare($query)->execute(array($m, $s))->fetchAll();
    foreach ($result as $row) {
        $user[] = $row;
        $_SESSION['user'] = $user;
    }
I am afraid, as all database column names are available in the session array. If there is any other approach, please let me know.
Upvotes: 1
Views: 516
Reputation: 1701
In short, if you don't run around var_dumping $_SESSION, or mismanaging the data assigned from $_SESSION, there's no real way for the contents of $_SESSION to be intercepted client-side. It is only stored on the server.
Even if a session is hijacked (which has its own set of issues and concerns), this doesn't mean that the contents of $_SESSION are fully exposed.
Upvotes: 0
Reputation: 2684
Yes, the $_SESSION array is private and will never be shown to a user unless PHP is configured to save session files in a publicly accessible location or there is a security flaw on the server. However, sessions can be stolen from users and others can log in with them by using certain methods.
Read up on how to prevent session fixation here
Also related: Where is data stored in a session?
As an aside, you can use reset() instead of foreach() to return the first key in an array.
Upvotes: 1
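As an added example (not code from the question or from either answer), one way to limit what a login places in $_SESSION: copy only a whitelist of columns, so the `passx` column from the question never reaches the session store, and issue a fresh session ID at login as a session fixation defence. The `id` and `name` columns, the sample row and the function names are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example. $row below is a constructed sample standing in for one
// fetched `users` row; 'id' and 'name' are assumed column names.

// Cookie and ID hardening must be configured before session_start().
session_set_cookie_params([
    'httponly' => true,   // cookie is not readable from JavaScript
    'secure'   => true,   // cookie is only sent over HTTPS
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1'); // reject session IDs the server did not issue

/**
 * Keep only the whitelisted columns of a database row.
 */
function sessionView(array $row, array $allowed): array
{
    return array_intersect_key($row, array_flip($allowed));
}

/**
 * Hypothetical login helper: start the session, rotate its ID and
 * store the reduced view of the user row.
 */
function loginUser(array $row): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // New ID at the privilege change, old session data file deleted.
    session_regenerate_id(true);
    $_SESSION['user'] = sessionView($row, ['id', 'mails', 'name']);
}

// Constructed sample row (not real data).
$row = [
    'id'    => 42,
    'mails' => 'alice@example.test',
    'name'  => 'Alice',
    'passx' => '<stored credential placeholder>',
];

loginUser($row);

// List the keys that were actually written to the session.
print_r(array_keys($_SESSION['user']));
```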