What are the potential risks of storing sensitive data like passwords in session variables?
Keeping a user's password in a session variable is risky because session data lives on the server in whatever backing store PHP is configured to use (by default, serialized plaintext files under session.save_path, often /tmp). On shared hosting, other accounts or processes on the same machine may be able to read those files, and anything that leaks session contents (a debug page that dumps $_SESSION, a backup of the session directory, a misconfigured Redis or memcached instance) then exposes the password itself rather than just a session token. Session hijacking or fixation additionally lets an attacker act as the user for the lifetime of the session. Since the password is not needed for anything after authentication, holding it at all only increases what a compromise yields. The mitigation is to never keep the plaintext password anywhere: verify it once at login against a salted hash stored in the database (password_hash() and password_verify()), keep only a user identifier in the session, and regenerate the session ID on login. Note that password_hash() hashes rather than encrypts; the hash cannot be reversed to recover the password, which is exactly the property you want for credentials.
// Example of storing a user's password as a salted hash (not encryption) in a database
// Database connection credentials (kept separate from the user's submitted password)
$servername = "localhost";
$db_user = "username";
$db_pass = "password";
$dbname = "myDB";
$conn = new mysqli($servername, $db_user, $db_pass, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
// Credentials submitted by the user at registration (e.g. from a POST form)
$username = $_POST['username'];
$password = $_POST['password'];
// Hash the password before storing it; password_hash() salts and hashes, it does not encrypt
$password_hash = password_hash($password, PASSWORD_DEFAULT);
// Store the hash with a prepared statement so user input cannot alter the SQL
$stmt = $conn->prepare("INSERT INTO users (username, password) VALUES (?, ?)");
$stmt->bind_param("ss", $username, $password_hash);
if ($stmt->execute()) {
    echo "New record created successfully";
} else {
    echo "Error: " . $stmt->error;
}
$stmt->close();
// Close connection
$conn->close();
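The login side of this, as an added example that is not part of the original answer: the first function shows the anti-pattern the question asks about (the plaintext password written into $_SESSION), the second verifies the submitted password against the stored hash, keeps only the user's ID in the session, and rotates the session ID. The users table (columns id, username, password holding the password_hash() output), the $conn mysqli connection, and an HTTPS-only deployment are assumptions for the example.

```php
<?php
// Added example, not code from the original page. Assumes a mysqli connection in $conn
// and a users table with columns id, username, password (password_hash() output).

// Session cookie hardening, set before session_start() (assumes the site is served over HTTPS).
session_set_cookie_params([
    'httponly' => true,   // cookie not readable by JavaScript
    'secure'   => true,   // cookie only sent over TLS
    'samesite' => 'Lax',
]);
session_start();

// ANTI-PATTERN: keeps the plaintext password in server-side session storage for the
// lifetime of the session, so any leak of the session file or store exposes it.
function login_insecure(mysqli $conn, string $username, string $password): bool
{
    $stmt = $conn->prepare("SELECT id, password FROM users WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row && password_verify($password, $row['password'])) {
        $_SESSION['username'] = $username;
        $_SESSION['password'] = $password;   // plaintext credential now persisted on disk
        return true;
    }
    return false;
}

// HARDENED: verify once, store only the user ID, and regenerate the session ID so a
// session fixed or observed before login is not carried into the authenticated one.
function login_secure(mysqli $conn, string $username, string $password): bool
{
    $stmt = $conn->prepare("SELECT id, password FROM users WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    // Compare against the stored hash; no plaintext is kept after this call returns.
    if ($row && password_verify($password, $row['password'])) {
        session_regenerate_id(true);         // new session ID, old session data deleted
        $_SESSION['user_id'] = (int) $row['id'];
        // Opportunistic upgrade if the stored hash used an older algorithm or cost.
        if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
            $new_hash = password_hash($password, PASSWORD_DEFAULT);
            $upd = $conn->prepare("UPDATE users SET password = ? WHERE id = ?");
            $upd->bind_param("si", $new_hash, $row['id']);
            $upd->execute();
            $upd->close();
        }
        return true;
    }
    return false;
}

// Later requests identify the user from the session, never from a stored credential.
function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}
```

The rehash step is the one place the plaintext is legitimately still in hand, immediately after a successful verify, which is why it belongs in the login path rather than anywhere that would require saving the password for later.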