
good/bad idea to use email address in php session variable?

I'm developing some additional functionality for a client's website that uses the email address as a key lookup variable between various databases (email marketing system, internal prospect database, and a third shared DB that helps bridge the gap between the two).

I'm concerned that storing a visitor's email address as a $_SESSION variable could lead to security issues (not so much for our site, but for the visitor).

Anybody have suggestions or experience on whether this is okay to do, or if there's another alternative out there?

There isn't anything inherently dangerous to storing values in $_SESSION. It all depends on whether you provide code that would inadvertently output it to the browser.

It is important to understand the difference between how $_SESSION variables are stored and how cookies are used to retrieve it. All data in the session is stored on the server (in /tmp by default, I believe), and persisted between requests. No session data is stored directly in a cookie by default.

However, PHP will store a cookie with a unique id that identifies your user with a particular session (hence how the same information can be retrieved over different requests).

If the cookie with the session id is compromised, another user can impersonate someone with that session. This includes authenticated sessions, where a user has already logged in. If this happens, chances are you'll likely have bigger problems than exposing an email address.

It wouldn't be a bad idea to use some kind of user id in your session, as opposed to the email address. However, there are a number of other, probably more useful, ways to add security to your session.

See this question: PHP Session Security
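Putting the answer above into practice, here is an added example (it is not code from the question or the answer): the session holds only a numeric prospect id, the email stays in the database and is fetched on demand through a prepared statement, and the session cookie that carries the id is hardened before `session_start()`. The `prospects` table with `id` and `email` columns, the `$pdo` connection and the DSN in the usage sketch are assumptions for illustration.

```php
<?php
// Added example, not from the original answers. Assumes a hypothetical
// `prospects` table with columns `id` and `email`, and a PDO connection $pdo.
declare(strict_types=1);

// Harden the session cookie before the session starts: the cookie carries
// only the session id, so keep that id away from script access and from
// plaintext transport.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,    // only sent over HTTPS
    'httponly' => true,    // not readable by JavaScript
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1'); // reject ids the server did not issue
session_start();

/**
 * Look up the prospect id for an email address and store only the id in the
 * session. The email itself stays in the database.
 */
function bindVisitorToSession(PDO $pdo, string $email): bool
{
    $stmt = $pdo->prepare('SELECT id FROM prospects WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $id = $stmt->fetchColumn();
    if ($id === false) {
        return false;
    }
    // Issue a fresh session id once the session is bound to a prospect, so an
    // id observed before this point no longer refers to the bound session.
    session_regenerate_id(true);
    $_SESSION['prospect_id'] = (int) $id;
    return true;
}

/**
 * Resolve the current visitor's email from the id kept in the session.
 * Returns null when no prospect is bound to this session.
 */
function currentVisitorEmail(PDO $pdo): ?string
{
    if (!isset($_SESSION['prospect_id'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT email FROM prospects WHERE id = :id');
    $stmt->execute([':id' => $_SESSION['prospect_id']]);
    $email = $stmt->fetchColumn();
    return $email === false ? null : $email;
}

// Usage sketch (assumed DSN and credentials):
// $pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass',
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// if (bindVisitorToSession($pdo, $_POST['email'] ?? '')) {
//     // Escape on output so the address is never echoed raw into HTML.
//     echo htmlspecialchars(currentVisitorEmail($pdo) ?? '', ENT_QUOTES, 'UTF-8');
// }
```

The `session_set_cookie_params()` array form with `samesite` needs PHP 7.3 or later. With this layout the only thing a stolen session id exposes directly is a database key, and the lookup by that key happens on the server, which is the separation the answer describes.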

You could use part of the email address in the variable. So for example, you could use the name joe from the e-mail joe@bloggs.com. Then use another parameter to perform the search.

Also, always use mysql_real_escape_string() when passing variables to the database, and add in some backslashes for good measure.
