开发者

Storing sensitive information in a class protected variable considered safe?

开发者 https://www.devze.com 2023-04-08 23:31 出处:网络
Please note:I have limited this script to show basic structure.It is not functional. class AuthController

Please note: I have limited this script to show basic structure. It is not functional.

class AuthController
{
   protected $dump = NULL;

   private function recall()
   {
      $dump = $this->query('SELECT * FROM table WHERE access="id" ORDER BY id ASC LIMIT 1');
      $this->dump = mysql_fetch_array($dump);
   }
}

$user = new AuthController($id);

Keep in mind the dump would contain an array of.

1.) id (auto assortment).

2.) unique name.

3.) salt - (random salt hashed with password).

4.) password (hashed).

Now, to my questions and purpose. I must dump the users data into a variable to prepare the password for a test to see if the password matches the hashed one stored with the user in the database.

An alternative to this would be to use two queries. The first which would retrive the salt associated w开发者_运维知识库ith the user in the db - (use salt to prepare password to match with hash). And the second query would pass the prepared password along with the users id or unique name to see if a match occurs. I think this is unnecessary use of a database resource; when this information can be stored for later use.

One must ask, is this a risk from a security stand point?


Everything you do on the server side without interaction with the user can be considered safe. It would not do to start worrying about the information the server has in memory because we would go crazy. If someone knows what's in your servers memory, he's gained full access to your system anyways (or his name is John Skeet).

Make sure:

  • Your error reporting is well configured, meaning no displaying of errors on any live or staging environment
  • Your interaction with the user is always safe (validation, escaping, quoting, etc.)
  • You don't store plain text information about the user in cookies
0

精彩评论

暂无评论...
验证码 换一张
取 消