Is using the $_SESSION array safe?

Asked May 13 '15 at 17:26

Active May 13 '15 at 17:26

Viewed 30 times

Example:

$query = $connection->query("SELECT `password` FROM `users` WHERE `userID` = ".$_SESSION['user'].";") or die("error in the query");
if (mysql_num_rows($query) < 1) {
    die("Error: no such user");
}
while ($row = $query->fetch_assoc()) {
    if ($row['password'] != $_SESSION['pass']) {
        die("Error: incorrect password");
    }
}

The above code is my only protection in a PHP script. Is there anything else that can make it more secure? I know that the $_SESSION array can not be changed on the client side. So in my opinion it should be enough. The session is controlled by WordPress.

asked May 13 '15 at 17:26

Tomasz Kasperczyk

1,991
3
22
43

1

this question's been asked quite a few times. I'm sure someone will find "one" of the duplicates soon. – Funk Forty Niner May 13 '15 at 17:28
@Fred-ii- In that case I'm sorry, I didn't do the research, my bad. – Tomasz Kasperczyk May 13 '15 at 17:29
No its not secure, consider using something like http://php.net/manual/en/ref.pdo-mysql.php with named parameters – May 13 '15 at 17:29
2

Google "is $_SESSION safe php" there's a whole bunch of links that will also lead you back here on Stack. – Funk Forty Niner May 13 '15 at 17:30
plus you're mixing MySQL APIs, your code won't run, not with `mysql_num_rows` anyway. Add an `i` to that ;-) – Funk Forty Niner May 13 '15 at 17:31
Alright, I'm closing the question. Sorry again for duplicate. – Tomasz Kasperczyk May 13 '15 at 17:31
Check the password in the query. – chris85 May 13 '15 at 17:33
and `".$_SESSION['user']."` that will fail if that's a string. Just to outline the syntax errors in your code. – Funk Forty Niner May 13 '15 at 17:34
Why bother whether values in `$_SESSION` are “safe” when you have prepared statements where you don’t have to worry about SQL injections? – Gumbo May 13 '15 at 21:22

Is using the $_SESSION array safe?

0 Answers0