Is it okay to make a connection to the database in a session?


Problem description

Hello,

I am making an interface to a database (MySQL) of questions. Is it possible to connect to the database using mysql_connect() just once, in a session, and use the connection thereafter in the following pages and until the user logs out? If it is, is it okay to do so? I just read that the session files are stored in some directory on the computer. I wanted to know if it's okay and wise to connect this way, given connecting requires the password to be given.

Thank you :)
Hanaa.

Solution

This will probably fail, since any mysql_connect() connection is closed at script end. You can use mysql_pconnect(), but what's wrong with connecting to MySQL each time when the next page is processed (build/loaded/...)? (despite that this is probably more secure)

regards


Is there no problem? I mean, is it okay to connect to the database on each page? I thought having to connect many times is some kind of an overhead. Please correct me if I'm wrong. I read about persistent connections too, and also that they are not closed until the server is shut down/restarted. Would you please give me a few lines as to why connecting each time is okay?

Would you also tell me if storing username and password in a session is okay and safe? Can't session files be intercepted in any manner?

Thanks,
Hanaa


Heya, Hanaa.

Opening a connection is not a whole lot of overhead, and there are negatives to using persistent connections (you won't always get the same connection, so you can't rely on temporary tables and variables in between page loads).

You shouldn't need to store the User's password in cleartext; run it through sha1() or md5() before storing it instead.

Storing sensitive information (including login credentials) in a session is generally a bad idea because it is possible to intercept them.

Session data is stored (usually) in files in the /tmp directory on your server, so if the attacker can access those files, he can read your Users' session data.

A really simple (if unlikely) example of an exploit would occur if you had an insecure image loader script:

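Added example, not part of the thread and not the image-loader script the last reply refers to: a sketch of the pattern the replies recommend, where each request opens its own connection and the session file holds only a user id, never the database or user credentials. It assumes PDO with the MySQL driver, credentials in hypothetical `DB_DSN` / `DB_USER` / `DB_PASS` environment variables, and a hypothetical `users` table with `id`, `name` and `password_hash` columns; it uses PHP's `password_hash()`/`password_verify()` format rather than the `sha1()`/`md5()` mentioned above.

```php
<?php
// Added example. Table, column and environment variable names are assumptions.
session_start();

// Open a connection once per request. The credentials come from the server
// environment, not from $_SESSION, so they never reach the session files.
function db(): PDO
{
    static $pdo = null;              // reused within this request only
    if ($pdo === null) {
        $pdo = new PDO(getenv('DB_DSN'), getenv('DB_USER'), getenv('DB_PASS'), [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);
    }
    return $pdo;
}

// Login: check the password against the stored hash, then keep only the
// user id in the session. The password itself is discarded.
function login(string $name, string $password): bool
{
    $stmt = db()->prepare('SELECT id, password_hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);     // fresh session id after authentication
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Later pages: the session says who the user is; the connection is new.
function current_user_name(): ?string
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = db()->prepare('SELECT name FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}
```

With this layout, someone who can read a session file learns a user id but no password and no database credentials.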

