0

I have a php program, which has the login page and logout page. When user successfully logged in to the page it will be redirected to index.php

when index.php is loaded, it will fetch the data from the database (mySQL. ie. Select * from users) and populated some of the user data and display them in nice table format

Name         Phone             DOB          ...             Option
John Doe     xxx-xxx-xxxx      mm-dd-yy     ...             [Edit] [Details]...

etc

Not all fields from the query results will be displayed in the above table, only some of them will.

Under the Option column, there is an option called "Details", when clicked, user will be able to see some secure info.

I can think of two ways of doing it:

  1. when index.php is loaded, instead of calling Select * from users (which * will contains some security info) I'll just call "Select id fullname, phone, dob from users". (don't select something unless it's necessary). Then when "Details" is clicked, I'll pass the id and retrieve the secure info from db by using that id. (IMO this is the most secure way but I'll have to make extra query call)

  2. when index.php is loaded, I'll just do a Select * from users. Save the query results (arrays) into Session, then when "Details" is clicked, I'll just retrieve the array from the Session. This way I don't have to make extra query call, however I'm not sure if Session is secure or not.

Which way is better, in terms of security? (if none of them are, please advise how should I do this)

hakre
  • 193,403
  • 52
  • 435
  • 836
Josh
  • 692
  • 2
  • 9
  • 38
  • 1
    You write *"in terms of security"*. Please show the exact terms you refer to. In general terms you should never call `SELECT` with `*`. The rest - unless further infomration is provided - is subject to taste and opinion and heavily depends on what you do there as well so it can not be really answered. – hakre Aug 29 '13 at 16:21
  • $_SESSION data is kept on the server. The only way someone could see what's in the session is if YOUR code provides that access, or the user has access to the server. The only "session" data that gets sent to the user in normal operations is the ID of the session via a cookie. – Marc B Aug 29 '13 at 16:23
  • 2
    You should take a look at [Why is Select * considered Harmful](http://stackoverflow.com/questions/3639861/why-is-select-considered-harmful) – IROEGBU Aug 29 '13 at 16:28
  • @iroegbu so are you saying that in index.php I should select the fields that i need to be displayed, then on "details" page I should use the id to do a query again? – Josh Aug 29 '13 at 16:34
  • @Josh: and if the details page actually contains very secure information, require the password again to view it. – hakre Aug 29 '13 at 16:41
  • @iroegbu you mean the login password to view the secure info? so are you suggest that I should run two queries, one to get the basic info in index.php and on details once the login password is verified I should run another query to retrieve the secure info? please advise – Josh Aug 29 '13 at 16:47

1 Answers1

4

Storing data in the session is safe. Storing data in cookies is not safe.

Sessions are stored on the server, cookies are stored by the client (hence they are unsafe).

As far as performance goes .. it depends. There is no single answer, do what works for you but by all means keep it simple.

Halcyon
  • 57,230
  • 10
  • 89
  • 128