PHP create XML file - security issues

mfacer

I am thinking about how to improve one of my websites - the user has to wait a long time for data to load from the database..... I was thinking - what are the implications of having the data stored in an XML file...

updating is not an issue - as they only update the database once in a while... its mainly for reporting.

How could I protect the files from others viewing other people's files? ie: if you looked at the source code and saw the JS opening a file with "username.xml" they could just type random usernames and get other people's files and therefor data!!

maybe I could randomly name the files? Then store the random number in the db next to the username? the chances of a user guessing someone elses number is fairly small, right?!

Any advice will be much appreciated!

FatalError

mfacer wrote:
maybe I could randomly name the files? Then store the random number in the db next to the username? the chances of a user guessing someone elses number is fairly small, right?!

Any advice will be much appreciated!

That would still be insecure. It depends on what you want to do, but the best way to do this would probably be to have a php file return XML data. In other words, embed the XML into the php file just as you would HTML. Then just make a function that dies if the file is not included or something.

mfacer

would that not just take me back to suqare one? If I embed the file, it would be generated on the fly - I might as well just get the results from the DB and output those?

I am basically looking to use more XML data and hopefully build an API - but still no real idea what the best way about it is!!

niroshan

When do you generate the XML file? Are you generating XML file when the user signup? If so why do you need to keep an individual XML files for every user.

If you are trying to store their username and passwords and validate them when they login, i think the bast way is to keep a single XML file which will hold the user names and passwords and using PHP XML parsers you can search that xml file and check the entered username and the password against the existing username and passwords.

Then you dont have to show the xml file name to the users so there is no way of users get to know your XML file name. 🙂

Weedpacket

Of course, going the XML route is likely to result in something that runs slower than a proper DBMS (which would include the result of tens of thousands of work hours in R&D focused on the task of "looking up data quickly") - assuming it's properly configured and used.