Security php + mysql

I want to improve security of a multiplayer online game written in php
and mysql. Because I'm new to this stuff I would appreciate some tips.
If you have time look here http://web.rulex.net/archi/Medieval_Lords/
and check what are the main problems (please don't hack it more than
needed because there is a test game taking place there, just to say what
is wrong without crashing it).

I think it will need:

1) create a system of email authorisation for new users who want to
register (I know how to do it, so ignore this - unless there are some
really strange things I should be aware of).

2) mysql user input checking. User can affect database directly by
registration (username, password) and messages to other users (subject
and text). This can mess up the database if they put for example "'" symbol
in their username. What are the other dangerous characters? How should I
protect/limit username and message text (I understand I should use
functions like strip_tags() or similar, but there are plenty of such
functions and I don't know which to choose).

3) any other security issues?
Aug 16 '05 #1
On 2005-08-16, Archibald <us*****@poczta.onet.pl> wrote:
2) mysql user input checking. User can affect database directly by
registration (username, password) and messages to other users (subject
and text). This can mess up the database if they put for example "'" symbol
in their username. What are the other dangerous characters? How should I
protect/limit username and message text (I understand I should use
functions like strip_tags() or similar, but there are plenty of such
functions and I don't know which to choose).


I wouldn't name this a security issue but a mysql issue.
Read http://www.php.net/mysql_real_escape_string and you will know how
you can handle the "special" characters.
--
Met vriendelijke groeten,
Tim Van Wassenhove <http://timvw.madoka.be>
Aug 16 '05 #2
On Tue, 16 Aug 2005 22:05:29 +0200, Archibald <us*****@poczta.onet.pl> wrote:
2) mysql user input checking. User can affect database directly by
registration (username, password) and messages to other users (subject
and text). This can mess up the database if they put for example "'" symbol
in their username. What are the other dangerous characters?
Properly escaped, no character is dangerous.
How should I
protect/limit username and message text (I understand I should use
functions like strip_tags() or similar, but there are plenty of such
functions and I don't know which to choose).


mysql_escape_string() is the manual way of doing it, but save yourself the
risk of forgetting to escape characters by using a database library. My
recommendation is ADOdb as it has a decent interface, and is a thin enough
layer not to affect performance noticeably.

http://adodb.sourceforge.net/

ADOdb emulates placeholders for databases that don't have them natively (e.g.
MySQL), so data and SQL are properly separated and any escaping is done behind
the scenes if required. So you'd do something like:

$db->Execute(
'insert into wibble (x, y) values (:1, :2)',
array($x, $y)
);

You do not escape or modify $x or $y in any way - the library does whatever is
required to get those values into the database safely.

--
Andy Hassall / <an**@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
Aug 17 '05 #3
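As an added example (not code from this thread, and not the game's own code), here is the point the two replies above are making, written for PHP's mysqli extension: the login query built by string interpolation, the input that turns it into an authentication bypass, and the same lookup as a prepared statement, where the SQL is fixed before any value is supplied. The table and column names (`users`, `username`, `password_hash`) and the connection details in the usage comment are assumptions. The escape-based fallback uses mysqli_real_escape_string(), which, like mysql_real_escape_string(), needs an open connection because the correct escaping depends on the connection's character set.

```php
<?php
// Added example: SQL string-building versus prepared statements.
// Schema assumed: users(id INT, username VARCHAR, password_hash VARCHAR).

// 1. The vulnerable pattern: user input becomes part of the SQL text.
function loginSqlVulnerable(string $username, string $password): string
{
    return "SELECT id FROM users WHERE username = '$username' AND password = '$password'";
}
// With the username "admin' -- " the rest of the WHERE clause becomes a
// comment, so the password is never checked:
//   SELECT id FROM users WHERE username = 'admin' -- ' AND password = ''
// A single quote and a comment marker are enough; no exotic characters needed.

// 2. Hardened: the SQL is parsed at prepare() time, the values travel separately
//    and can only ever be data.
function findUserForLogin(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);   // 's' = bind as string; the caller does no escaping
    $stmt->execute();
    $result = $stmt->get_result();       // needs mysqlnd; use bind_result() on older builds
    $row = $result->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function registerUser(mysqli $db, string $username, string $password): bool
{
    // Whitelist the username format; this is a business rule, not the SQL defence.
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        return false;
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);   // never store the plaintext
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function checkLogin(mysqli $db, string $username, string $password): ?int
{
    $row = findUserForLogin($db, $username);
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return null;   // same answer for "no such user" and "wrong password"
    }
    return (int) $row['id'];
}

// 3. If prepared statements are not available, escaping is the fallback. It must
//    use the connection-aware function, after the charset has been set, and the
//    escaped value must still be placed inside quotes in the SQL text.
function loginSqlEscaped(mysqli $db, string $username): string
{
    $safe = mysqli_real_escape_string($db, $username);
    return "SELECT id, password_hash FROM users WHERE username = '$safe'";
}

// Usage (connection parameters are assumptions):
// $db = new mysqli('localhost', 'game', 'secret', 'lords');
// $db->set_charset('utf8mb4');
// registerUser($db, 'archibald', 'correct horse battery staple');
// var_dump(checkLogin($db, "admin' -- ", ''));   // NULL: the quote is just data
```

The prepared-statement version is the one to use wherever the driver supports it; the escaping version exists only to show what "properly escaped" means in practice, and it is easy to get wrong by forgetting the quotes around the escaped value or by escaping before the connection charset is set.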
In article <dd**********@ikaria.belnet.be>, ti***@users.sourceforge.net
says...
I wouldn't name this a security issue but a mysql issue.
Read http://www.php.net/mysql_real_escape_string and you will know how
you can handle the "special" characters.


Thanks.

I have a problem with messages, because now all ' symbols are displayed
as /'. I also need to allow newlines in a message (automatic <BR> after
enter in the form) and disallow other tags like <a href>. What set of
functions is best for this task?

A new address if you want to check security:
http://www.lords.gamessite.net/ I have put mysql_escape_string()
everywhere the user can modify the database; anything else I should do?

--
Archibald
Aug 22 '05 #4
On 2005-08-22, Archibald <us*****@poczta.onet.pl> wrote:
In article <dd**********@ikaria.belnet.be>, ti***@users.sourceforge.net
says...
I wouldn't name this a security issue but a mysql issue.
Read http://www.php.net/mysql_real_escape_string and you will know how
you can handle the "special" characters.
Thanks.

I have a problem with messages, because now all ' symbols are displayed
as /'. I also need to allow newlines in a message (automatic <BR> after
enter in the form) and disallow other tags like <a href>. What set of
functions is best for this task?


http://www.php.net/nl2br
http://www.php.net/strip_tags
A new address if you want to check security:
http://www.lords.gamessite.net/ I have put mysql_escape_string()
everywhere the user can modify the database; anything else I should do?


the advice was to use mysql_real_escape_string(), as the one that you
are using is deprecated.

--
Met vriendelijke groeten,
Tim Van Wassenhove <http://timvw.madoka.be>
Aug 22 '05 #5
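The two links above cover newlines and tags, but they are two different problems, and an added example (not code from the thread or the game) makes the distinction clearer. Backslashes showing up in displayed text are the classic symptom of double escaping: on PHP installs with magic_quotes_gpc on, the runtime already adds a backslash before every quote in request data, and escaping that value again for SQL stores the backslash. The fix is to normalise the input once before escaping or binding, not to strip characters on output. On the output side, strip_tags() deletes tags but is not an HTML encoder; the safe combination for a plain-text message with line breaks is htmlspecialchars() followed by nl2br(), in that order. The sample messages below are constructed for the example, and the database is left out so it runs stand-alone.

```php
<?php
// Added example: storing and rendering a user message safely.

// Input side: undo magic_quotes_gpc where the install still has it (PHP < 5.4;
// the function returns false on 5.4-7.4 and no longer exists on PHP 8). This makes
// the value that is bound or escaped for SQL the text the user actually typed,
// not an already-backslashed copy; double escaping is what puts \' on screen.
function normaliseInput(string $raw): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $raw = stripslashes($raw);
    }
    return $raw;
}

// Output side: encode for HTML first, then turn newlines into <br />.
// Order matters: nl2br() before htmlspecialchars() would encode the <br /> too.
function renderMessage(string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return nl2br($safe);
}

// Why strip_tags() is the wrong tool here: it removes anything that looks like
// a tag (an unclosed '<' swallows the rest of the message) and leaves the
// characters that matter to HTML untouched, while htmlspecialchars() keeps the
// text intact and makes it inert by encoding < > & " and '.
function compareStripTags(string $text): array
{
    return [
        'strip_tags'       => strip_tags($text),
        'htmlspecialchars' => htmlspecialchars($text, ENT_QUOTES, 'UTF-8'),
    ];
}

// Constructed sample messages (not from the game):
$samples = [
    "Hi! I'd like to trade some horses.\nReply soon.",
    "<a href=\"http://evil.example/\" onmouseover=\"alert(1)\">click me</a>",
    "Unclosed <b tag eats the rest of this sentence",
];

foreach ($samples as $m) {
    $stored = normaliseInput($m);        // what goes to the DB (via a prepared statement)
    echo renderMessage($stored), "\n";   // what goes into the page
    print_r(compareStripTags($stored));
}
```

With this split, the stored message is exactly what the user typed, the SQL layer is protected by binding or connection-aware escaping, and the HTML layer is protected by encoding at render time; neither side needs a list of "dangerous characters".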
