Hello. i am coding a script works with sessions.. my question is .. i am using this code when a user has log in successfully $_SESSION['user_auth'] = true; $_SESSION['user_id'] = $row_user->user_id; PHP: .. is there any security risk for using this? because i call it when using a query such as.. $query_select_posts = mysql_query("SELECT * FROM member_table Where user_id='".$_SESSION['user_id']."' "); PHP: what i am trying to mean .. is that i heard someone talking about encrypting sessions because it can be modified. Thanks!
you should use mysql_real_escape_string (or real_escape_string with mysqli) with any db query really. But i dont think the user can modify the contents of a session.
You will need to look Cookie and Session setting in your PHP-environment. Cookie: Cookies could be termed as plain-text (session at client side) send to browser, while sessions are server side tracking of user. Session: So, if you are using $_SESSION, then only way to hijack the session is to logged on to your server and access/temper the session file. Even the Cross site scripting attacks are made due to Cookies and sometime PHP-Session when they are appended in the link
As long as $_SESSION['user_id'] is not set by a post or a get, e.g. when they log in. When they log in make sure you do something like: $username = mysql_real_escape_string($_POST['username']); PHP:
If you are hosted in a shared environment, there is a way to hijack your script, if the host isn't secured properly (more common than you may think): PHP sessions by default are stored in the /tmp folder of the system, that must be kept writable for every user being hosted on that machine. So, your session files are writable also by the other users having a site on the same server, meaning they can read and modify your session data. In general, I prefer storing the sessions in the DB, that is more secure, but this would need some more code for your script. In any case, I'd say your script is reasonably secure, even if not bullet-proof. PS For future projects, I'd take a look to mysqli extension or PDO (the latter only for PHP5), both allowing prepared statements.. they are bullet-proof regarding SQL Injection attacks