[web] php and users

17 comments, last by Sander 19 years, 5 months ago
Well I'm making a user login system. Obviously I have to save user data somewhere.
I see two options here:
1: I store user data in a database (MySQL)
2: I have a folder per user and store it in a file.

I prefer version 2 for the login system. Any reason not to go with number 2?

-CProgrammer
Just that (1) is probably easier, and nicer for certain things.
If you have access to a database, I'd recommend that you went that route. If you had user-specific files (avatars, etc) you would probably want to store that under their own directory, but for a login system a database is the way to go.
I agree the database may be the normal way to go. But I think 2 is quite easy to overlook and I have most of the code for this from another project.
My main concern is efficiency and SECURITY. Is 1 more secure than 2? Does 2 have problems when the number of users grows?

/CProgrammer
How exactly do you propose to do #2?

Will it be a directory for the username with perhaps a file containing the password, another containing profile data, etc? Such a system would be difficult to alter (mass rename of all the files) - it may also be difficult to perform administration queries on the users. For example, how would you query all users that have xyz property? It can be done, but it means iterating files and directories to get your information - very slow in comparison to a SQL query.

I agree that files are useful for some things. An example is evoWeb, I'm storing a lot of my content as flat text files that's read in at page view time. It allows me to keep generations of the text with little problems and allows me to make backups easily. However, I'm moving it into a SQL version soon because of potential problems that exist in a multi-user environment. For example, imagine that 3 people are trying to read a file whilst it's being edited - you may try and commit your edit part-way through a read, and vice versa. Even worse, what happens when two administrators are trying to edit the file? You need a database mechanism in place to ensure that the status is maintained correctly. I could have a database layer on top of the flat file content layer to manage it, but in your situation this solution for user profiling has little benefit.

Why not try out both versions in a sandbox environment to perhaps get a better understanding of which method would work for you better?
Thanks for the detailed reply. I'll do that.

-CProgrammer
Doing it in a MySQL database would be easier to not only use and create but also administer. Also doing it in files would require you to change the file permissions. You might want to check out my database class.

Using that class, you'd come up with something like:

// Connect to the database
$database = new Database("DBUSERNAME", "DBPASSWORD", "DB");

// See if the username and password exist
$database->Query("
  SELECT * FROM tblUsers
  WHERE cUsername = '$username'
  AND cPassword = '$password'
");

if($database->NumRowsInResult() == 0)
{
   // User Doesn't Exist
} else {
   // Username and password are correct
}


Also remember that PHP.net is the best resource for anything PHP. I strongly recommend using phpMyAdmin.
Rob Loach [Website] [Projects] [Contact]
Quote:Original post by CProgrammer
Well I'm making a user login system. Obviously I have to save user data somewhere.
I see two options here:
1: I store user data in a database (MySQL)
2: I have a folder per user and store it in a file.

I prefer version 2 for the login system. Any reason not to go with number 2?

-CProgrammer


Generally speaking, the database solution will be faster, easier to implement, more robust and much much more secure.

#2 can and will become a problem for several reasons:
- File systems tend to slow down when you have a lot of files/folders. I wouldn't like to see a folder with a subfolder for each of a few thousand users. Even with few users, databases would be noticeably faster.
- It will get really messy if people try to read from it while other try to write to it. Databases are practically made to handle these things. File systems aren't.
- File systems aren't particularly secure in general.
- #2 would be really messy to manage as well, especially as the number of users grows, and if you want to create some kind of statistics on your users, or search for a certain group of users.

There's really no reason to use #2 for this, unless of course you don't have access to a database. #2 is reinventing the wheel, and it won't be a particularly efficient wheel at that... ;)
Quote:Original post by Rob Loach
Doing it in a MySQL database would be easier to not only use and create but also administer. Also doing it in files would require you to change the file permissions. You might want to check out my database class.

Using that class, you'd come up with something like:

*** Source Snippet Removed ***

Also remember that PHP.net is the best resource for anything PHP. I strongly recommend using phpMyAdmin.


No, no and no. You would NEVER use that SQL query as it is. It's a perfect target for a SQL injection attack.

I would go the SQL route however. You can still have the good ol' home dir for the user, but for storing passwords and profile information, the DB is just plain cleaner, and more secure.

In time the project grows, the ignorance of its devs it shows, with many a convoluted function, it plunges into deep compunction, the price of failure is high, Washu's mirth is nigh.
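To make Washu's objection concrete, here is an added example (not code from the original thread or from Rob Loach's database class) that replays the quoted query against an in-memory SQLite table with the same table and column names (tblUsers, cUsername, cPassword). The user row and the attack strings are constructed for the demonstration. The first function interpolates user input into the SQL text exactly as the snippet does; the second sends the same values as bound parameters, which is the fix.

```python
import sqlite3


def make_db():
    """Constructed sample data: one user, password stored in the clear as in
    the quoted snippet (a real system would store a password hash instead)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUsers (cUsername TEXT, cPassword TEXT)")
    conn.execute("INSERT INTO tblUsers VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def build_vulnerable_sql(username, password):
    # Same construction as the snippet: the values are pasted into the query
    # string, so quotes and comment markers in them become part of the SQL.
    return ("SELECT * FROM tblUsers WHERE cUsername = '%s' AND cPassword = '%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    """Returns True when at least one row matches, like NumRowsInResult() != 0."""
    rows = conn.execute(build_vulnerable_sql(username, password)).fetchall()
    return len(rows) > 0


def login_safe(conn, username, password):
    """Parameterised version: the driver sends the values separately from the
    SQL text, so they can never change the structure of the query."""
    sql = "SELECT * FROM tblUsers WHERE cUsername = ? AND cPassword = ?"
    rows = conn.execute(sql, (username, password)).fetchall()
    return len(rows) > 0


# Two classic payloads. The first turns the WHERE clause into a tautology;
# the second names a real user and comments out the password check.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'-- "


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql(TAUTOLOGY, TAUTOLOGY))
    print("vulnerable, no password known :", login_vulnerable(db, TAUTOLOGY, TAUTOLOGY))
    print("vulnerable, comment trick      :", login_vulnerable(db, COMMENT_OUT, "x"))
    print("parameterised, same payloads   :",
          login_safe(db, TAUTOLOGY, TAUTOLOGY) or login_safe(db, COMMENT_OUT, "x"))
```

With the tautology payload the interpolated query becomes `WHERE cUsername = '' OR '1'='1' AND cPassword = '' OR '1'='1'`, which is true for every row, so the "username and password are correct" branch runs without knowing any password; the comment payload yields `WHERE cUsername = 'alice'-- ' AND cPassword = 'x'`, where everything after `--` is ignored. The parameterised query treats both strings as literal (and non-existent) usernames. Escaping quotes by hand is a weaker second choice; bound parameters remove the problem rather than patch around it.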

Hmm, actually I would have used the exact same query.
How exactly is this not good concerning security? I'm very curious.

-CProgrammer
