
Security php + mysql

I want to improve the security of a multiplayer online game written in php
and mysql. Because I'm new to this stuff I would appreciate some tips.
If you have time look here http://web.rulex.net/archi/Medieval_Lords/
and check what the main problems are (please don't hack it more than
needed because there is a test game taking place there, just say what
is wrong without crashing it).

I think it will need:

1) create a system of email authorisation for new users who want to
register (I know how to do it, so ignore this - unless there are some
really strange things I should be aware of).

2) mysql user input checking. Users can affect the database directly by
registration (username, password) and messages to other users (subject
and text). This can mess up the database if they put for example the "'" symbol
in their username. What are the other dangerous characters? How should I
protect/limit username and message text (I understand I should use
functions like strip_tags() or similar, but there are plenty of such
functions and I don't know which to choose).

3) any other security issues?
Aug 16 '05 #1
4 Replies


On 2005-08-16, Archibald <us*****@poczta.onet.pl> wrote:
2) mysql user input checking. Users can affect the database directly by
registration (username, password) and messages to other users (subject
and text). This can mess up the database if they put for example the "'" symbol
in their username. What are the other dangerous characters? How should I
protect/limit username and message text (I understand I should use
functions like strip_tags() or similar, but there are plenty of such
functions and I don't know which to choose).


I wouldn't name this a security issue but a mysql issue.
Read http://www.php.net/mysql_real_escape_string and you will know how
you can handle the "special" characters.
--
Met vriendelijke groeten,
Tim Van Wassenhove <http://timvw.madoka.be>
Aug 16 '05 #2

On Tue, 16 Aug 2005 22:05:29 +0200, Archibald <us*****@poczta.onet.pl> wrote:
2) mysql user input checking. Users can affect the database directly by
registration (username, password) and messages to other users (subject
and text). This can mess up the database if they put for example the "'" symbol
in their username. What are the other dangerous characters?
Properly escaped, no character is dangerous.
How should I
protect/limit username and message text (I understand I should use
functions like strip_tags() or similar, but there are plenty of such
functions and I don't know which to choose).


mysql_escape_string() is the manual way of doing it, but save yourself the
risk of forgetting to escape characters by using a database library. My
recommendation is ADOdb as it has a decent interface, and is a thin enough
layer not to affect performance noticeably.

http://adodb.sourceforge.net/

ADOdb emulates placeholders for databases that don't have them natively (e.g.
MySQL), so data and SQL are properly separated and any escaping is done behind
the scenes if required. So you'd do something like:

$db->Execute(
'insert into wibble (x, y) values (:1, :2)',
array($x, $y)
);

You do not escape or modify $x or $y in any way - the library does whatever is
required to get those values into the database safely.

--
Andy Hassall / <an**@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
Aug 17 '05 #3
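The placeholder approach Andy describes, as an added example that is not code from the thread or from ADOdb: it uses PDO prepared statements against an in-memory SQLite database so it runs without a MySQL server, and the table and column names (players, messages) are assumed for illustration.

```php
<?php
// Added example, not code from the thread or from ADOdb: the placeholder
// approach done with PDO prepared statements against an in-memory SQLite
// database so it runs without a MySQL server.
// Table and column names (players, messages) are assumed for illustration.

// Allowlist validation for usernames: a fixed character set and length is
// easier to reason about than a list of "dangerous" characters.
function valid_username(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $name) === 1;
}

function register_player(PDO $db, string $name, string $password): void
{
    if (!valid_username($name)) {
        throw new InvalidArgumentException('username must be 3-20 chars of [A-Za-z0-9_]');
    }
    // Data and SQL are separated: values are bound, never spliced into the
    // query string, so a quote in $password cannot alter the statement.
    $stmt = $db->prepare('INSERT INTO players (name, pw_hash) VALUES (:name, :hash)');
    $stmt->execute([
        ':name' => $name,
        ':hash' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

function send_message(PDO $db, int $from, int $to, string $subject, string $body): void
{
    // No manual escaping of $subject or $body: a literal ' or \ is stored as-is.
    $stmt = $db->prepare(
        'INSERT INTO messages (sender, recipient, subject, body) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$from, $to, $subject, $body]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pw_hash TEXT)');
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, sender INT, recipient INT, subject TEXT, body TEXT)');

// Constructed inputs containing the characters the thread worries about.
register_player($db, 'archibald', "pa'ss\\word");
send_message($db, 1, 1, "O'Neill's castle", "line one\nline two; ' -- plain text, not SQL");

// The text round-trips unchanged: no \' ends up in the database.
$row = $db->query('SELECT subject, body FROM messages')->fetch(PDO::FETCH_ASSOC);
var_dump($row['subject'] === "O'Neill's castle", $row['body'], valid_username("o'neill"));
```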

In article <dd**********@ikaria.belnet.be>, ti***@users.sourceforge.net
says...
I wouldn't name this a security issue but a mysql issue.
Read http://www.php.net/mysql_real_escape_string and you will know how
you can handle the "special" characters.


Thanks.

I have a problem with messages, because now all ' symbols are displayed
as /'. I also need to allow newlines in a message (automatic <BR> after
enter in the form) and disallow other tags like <a href>. What set of
functions is best for this task?

A new address if you want to check security:
http://www.lords.gamessite.net/ I have put mysql_escape_string()
everywhere a user can modify the database; anything else I should do?

--
Archibald
Aug 22 '05 #4

On 2005-08-22, Archibald <us*****@poczta.onet.pl> wrote:
In article <dd**********@ikaria.belnet.be>, ti***@users.sourceforge.net
says...
I wouldn't name this a security issue but a mysql issue.
Read http://www.php.net/mysql_real_escape_string and you will know how
you can handle the "special" characters.
Thanks.

I have a problem with messages, because now all ' symbols are displayed
as /'. I also need to allow newlines in a message (automatic <BR> after
enter in the form) and disallow other tags like <a href>. What set of
functions is best for this task?


http://www.php.net/nl2br
http://www.php.net/strip_tags
A new address if you want to check security:
http://www.lords.gamessite.net/ I have put mysql_escape_string()
everywhere a user can modify the database; anything else I should do?


The advice was to use mysql_real_escape_string(), as the one that you
are using is deprecated.

--
Met vriendelijke groeten,
Tim Van Wassenhove <http://timvw.madoka.be>
Aug 22 '05 #5
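Rendering a stored message so that newlines become <br> while tags such as <a href> stay harmless, as an added example that is not code from the thread: it encodes on output with htmlspecialchars() and then applies nl2br(), rather than deleting tags with strip_tags(). The cause suggested for the \' symptom is an assumption, not something the thread states.

```php
<?php
// Added example, not code from the thread: rendering a stored message so
// that newlines become <br> while any HTML the sender typed is shown as
// text. Encoding on output replaces strip_tags(): nothing is deleted from
// the message, and no tag or attribute reaches the browser as markup.
function render_message(string $text): string
{
    // htmlspecialchars() turns < > & " ' into entities; ENT_QUOTES covers
    // both quote styles so the result is also safe inside attribute values.
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // nl2br() runs after encoding, so the <br> it inserts is the only markup.
    return nl2br($safe);
}

// Caveat (assumed cause of the \' symptom in the thread, not stated there):
// if stored text already carries backslashes from being escaped twice on
// the way in (e.g. magic_quotes_gpc plus a manual escape call), fix that
// before storage; do not strip slashes at render time.

// Constructed sample: an apostrophe, a link tag, a bold tag and two newlines.
$body = "It's me.\n<a href=\"http://example.invalid/\">click</a>\n<b>bold</b>";
echo render_message($body), "\n";
```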
