Database security - PHP code

I have been reading a little that you should secure your PHP code to
prevent SQL injection into a database (MySQL in my instance), mainly by
checking the type of data to be put into a database, and if text, to
addslashes() the data.

What I have not managed to find out is: does SQL injection threaten the
input of data into a database, i.e. a guestbook, or the reading of a database
where the user would not know if the data is being read from a database?

Is there anything else to consider to make a database more secure?

In particular, I have read here a few months back that it's a good idea to
keep the username / password of the connection outside the root of the
website. How would I access the password file then? What I mean is, if I
want a certain file in my site I could access it by writing:

www.mysite.com/password.php

But as it would now be outside the root, how would I be able to get to the
password.php file?

I have also read a bit that you can assign privileges (similar I guess to
rwe for a directory / file) but to the database access, but can't find
anything about it. Is there a good (beginners) guide to privileges?

And just in case, I did RTFM, but there are many versions, which make it
confusing as to who is right.

Thanks

Dariusz
Jul 17 '05 #1
In article <41*************************@ptn-nntp-reader04.plus.net>,
ng@lycaus.plusYOURSHIT.com (Dariusz) wrote:

You've done your homework, don't worry. There was a discussion
_somewhere_ (here or another group) about securing php in a shared
server (like a webhosting ISP) and this URL was posted:

http://shiflett.org/articles/security-corner-mar2004

It had some great ideas, notably a method of removing the database
passwords from a file that can be read by the Apache web server. php
code must be readable by Apache (and the developer), so that means
protecting the files via group permissions or running php with suExec as
a process with CGIwrap (http://cgiwrap.sourceforge.net/), which is what
I do for Perl CGI scripts.

There was also a link in Chris' article on permissions.

Read and enjoy.

--
DeeDee, don't press that button! DeeDee! NO! Dee...

Jul 17 '05 #2
"Michael Vilain <vi****@spamcop.net>" wrote:

> http://shiflett.org/articles/security-corner-mar2004
>
> It had some great ideas, notably a method of removing the database
> passwords from a file that can be read by the Apache web server. php
> code must be readable by Apache (and the developer), so that means
> protecting the files via group permissions or running php with suExec as
> a process with CGIwrap (http://cgiwrap.sourceforge.net/), which is what
> I do for Perl CGI scripts.


Similar to what I have been saying for years - around 2001, before the
PHP Cookbook was published. I wonder if my comments inspired the
solution provided in the PHPCB - if so, I wonder if I got my name in a
book? :-D

--
Justin Koivisto - sp**@koivi.com
http://www.koivi.com
Jul 17 '05 #3
.oO(Dariusz)

> I have been reading a little that you should secure your PHP code to
> prevent SQL injection into a database (MySQL in my instance), mainly by
> checking the type of data to be put into a database, and if text, to
> addslashes() the data.
>
> What I have not managed to find out is: does SQL injection threaten the
> input of data into a database

Yep.

> , i.e. a guestbook, or the reading of a database
> where the user would not know if the data is being read from a database?

Not directly, but the problem is more complex.

An example: It could be possible for an attacker to insert SQL code into
the database. The application escapes all quotes, so it does no harm on
input. But even if the code made it into the database "defused", that
doesn't mean the problem is solved. The injected code could still start
its malicious work when the application fetches the data from the db and
uses it again in another query. Usually no one escapes data obtained
from the db, because it's considered "safe" ...

> Is there anything else to consider to make a database more secure?

Even if the data is already in the system, it should _not_ be used
directly in other queries without validating/escaping it again.

And some SQL servers are vulnerable to a lot more and different variants
of SQL injection (Google for "advanced SQL injection").

> In particular, I have read here a few months back that it's a good idea to
> keep the username / password of the connection outside the root of the
> website. How would I access the password file then? What I mean is, if I
> want a certain file in my site I could access it by writing:
>
> www.mysite.com/password.php

Why would you want a password to be accessible over HTTP?

> But as it would now be outside the root, how would I be able to get to the
> password.php file?

PHP is able to access files directly through the filesystem.

Micha
Jul 17 '05 #4
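As an added example (not code from the thread or from anyone posting in it), the following PHP script ties together the three points made above: Micha's answer that PHP reads a credentials file through the filesystem rather than over HTTP, his warning that data already sitting in the database can still inject when it is reused in a second query, and bound parameters (PDO prepared statements) in place of the addslashes() approach the original question mentions. It runs offline against an in-memory SQLite database; the directory layout (a `config/db.php` one level above the document root), the `guestbook` table, the sample entries and the `$cfg` keys are assumptions made for the demonstration, and PHP 8 with the PDO SQLite extension is assumed.

```php
<?php
// Added example, not code from the thread. Shows:
//  1. credentials in a file outside the document root, read via the filesystem;
//  2. bound parameters (PDO prepared statements) instead of addslashes();
//  3. "second-order" injection: a value that was stored safely is still
//     untrusted when it is pulled back out and used in another query.
// Runs offline against in-memory SQLite; paths, table and data are constructed.
declare(strict_types=1);

// 1. Assumed layout: this script sits in /var/www/example.com/public (the
//    document root); ../config/db.php is never served by Apache, but PHP can
//    still read it because require goes through the filesystem, not HTTP.
function loadDbConfig(): array
{
    $file = dirname(__DIR__) . '/config/db.php';
    if (is_readable($file)) {
        // db.php simply does: return ['dsn' => 'mysql:host=...;dbname=...', 'user' => '...', 'pass' => '...'];
        return require $file;
    }
    // Fallback so the example runs stand-alone (constructed, not a real setting).
    return ['dsn' => 'sqlite::memory:', 'user' => null, 'pass' => null];
}

function connect(array $cfg): PDO
{
    $pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // fail loudly, never silently
    ]);
    if (str_starts_with($cfg['dsn'], 'mysql:')) {
        // On MySQL use server-side prepared statements rather than client emulation.
        $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    return $pdo;
}

// 2. Writing a guestbook entry: values are bound, never spliced into the SQL
//    text, so a quote in the input cannot change the statement's structure.
function addEntry(PDO $pdo, string $name, string $message): void
{
    $stmt = $pdo->prepare('INSERT INTO guestbook (name, message) VALUES (:name, :message)');
    $stmt->execute([':name' => $name, ':message' => $message]);
}

// 3a. The trap Micha describes: the name was stored safely, but here it is
//     read back and concatenated into a second query as if storage made it trusted.
function countByAuthorUnsafe(PDO $pdo, int $entryId): int
{
    $name = $pdo->query("SELECT name FROM guestbook WHERE id = $entryId")->fetchColumn();
    // A name like O'Brien already breaks this statement; the quote reaches the parser.
    return (int) $pdo->query("SELECT COUNT(*) FROM guestbook WHERE name = '$name'")->fetchColumn();
}

// 3b. Hardened: data coming out of the database is bound exactly like user input.
function countByAuthor(PDO $pdo, int $entryId): int
{
    $stmt = $pdo->prepare('SELECT name FROM guestbook WHERE id = :id');
    $stmt->execute([':id' => $entryId]);
    $name = (string) $stmt->fetchColumn();

    $stmt = $pdo->prepare('SELECT COUNT(*) FROM guestbook WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return (int) $stmt->fetchColumn();
}

// Demo with constructed data (SQLite syntax for the table definition).
$pdo = connect(loadDbConfig());
$pdo->exec('CREATE TABLE IF NOT EXISTS guestbook (
    id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL, message TEXT NOT NULL)');
addEntry($pdo, "O'Brien", 'Nice site!');
addEntry($pdo, "O'Brien", 'Still here.');

echo 'bound query:  ', countByAuthor($pdo, 1), " entries by the author of #1\n";
try {
    echo 'unsafe query: ', countByAuthorUnsafe($pdo, 1), "\n";
} catch (PDOException $e) {
    // The apostrophe stored in the name was interpreted as SQL: that is the injection point.
    echo 'unsafe query failed: ', $e->getMessage(), "\n";
}
```

Run it from the document root with `php guestbook_demo.php` (or any file name; the script is self-contained). The bound variant counts both entries; the unsafe variant throws as soon as the stored apostrophe is pasted into the second query, which is the same defect Micha points out, only made visible with a harmless name instead of a crafted one. For the privileges question in the original post: on MySQL the account named in `db.php` would be created with `CREATE USER` and given only what the script needs, for example `GRANT SELECT, INSERT` on the guestbook table, so that a query an attacker does manage to alter still cannot read other tables or drop anything.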
