
Database security - PHP code

I have been reading a little that you should secure your PHP code to
prevent SQL injection into a database (MySQL in my instance), mainly by
checking the type of data to be put into a database, and if text, to
addslashes() the data.

What I have not managed to find out, is does SQL injection threaten the
input of data into a database, ie a guestbook, or the reading of a database
where the user would not know if the data is being read from a database?

Is there anything else to consider to make a database more secure?

In particular, I have read here a few months back that it's a good idea to
keep the username / password of the connection outside the root of the
website. How would I access the password file then? What I mean is, if I
want a certain file in my site I could access it by writing:

www.mysite.com/password.php

But as it would now be outside the root, how would I be able to get to the
password.php file?

I have also read a bit that you can assign privileges (similar I guess to
rwe for a directory / file) but to the database access, but can't find
anything about it. Is there a good (beginners) guide to privileges?

And just in case, I did RTFM, but there are many versions which make it
confusing on who is right.

Thanks

Dariusz
Jul 17 '05 #1
In article <41***********************@ptn-nntp-reader04.plus.net>,
ng@lycaus.plusYOURSHIT.com (Dariusz) wrote:

> I have been reading a little that you should secure your PHP code to
> prevent SQL injection into a database (MySQL in my instance), mainly by
> checking the type of data to be put into a database, and if text, to
> addslashes() the data.
>
> What I have not managed to find out, is does SQL injection threaten the
> input of data into a database, ie a guestbook, or the reading of a database
> where the user would not know if the data is being read from a database?
>
> Is there anything else to consider to make a database more secure?
>
> In particular, I have read here a few months back that it's a good idea to
> keep the username / password of the connection outside the root of the
> website. How would I access the password file then? What I mean is, if I
> want a certain file in my site I could access it by writing:
>
> www.mysite.com/password.php
>
> But as it would now be outside the root, how would I be able to get to the
> password.php file?
>
> I have also read a bit that you can assign privileges (similar I guess to
> rwe for a directory / file) but to the database access, but can't find
> anything about it. Is there a good (beginners) guide to privileges?
>
> And just in case, I did RTFM, but there are many versions which make it
> confusing on who is right.
>
> Thanks
>
> Dariusz

You've done your homework, don't worry. There was a discussion
_somewhere_ (here or another group) about securing php in a shared
server (like a webhosting ISP) and this URL was posted:

http://shiflett.org/articles/security-corner-mar2004

It had some great ideas, notably a method of removing the database
passwords from a file that can be read by the Apache web server. php
code must be readable by Apache (and the developer), so that means
protecting the files via group permissions or running php with suExec as
a process with CGIwrap (http://cgiwrap.sourceforge.net/), which is what
I do for Perl CGI scripts.

There was also a link in Chris' article on permissions.

Read and enjoy.

--
DeeDee, don't press that button! DeeDee! NO! Dee...

Jul 17 '05 #2
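To make the "keep the password outside the web root" advice concrete, here is an added example that is not code from the thread or from Chris Shiflett's article. It shows a guestbook page that reads its database credentials from a file the web server never serves, and connects with a MySQL account that can only do what the guestbook needs. The directory layout, the `guestbook_app` account, the `entries` table and the password placeholder are all assumptions made for the illustration.

```php
<?php
// Added example (not from the thread): loading database credentials from a
// file outside the web server's document root, and connecting with a
// deliberately limited MySQL account. Paths and names are assumptions.
//
// Assumed layout:
//   /home/site/public_html/guestbook.php   <- this script (served by Apache)
//   /home/site/config/db.php               <- credentials (NOT under public_html)
//
// A request for www.mysite.com/config/db.php cannot succeed, because nothing
// under /home/site/config is mapped to a URL. PHP does not need a URL to read
// the file: it opens it by filesystem path.
//
// The credentials file returns a plain array. It should be owned by the
// deploying user and readable only by that user and the PHP process (for
// example mode 0640 with the web server's group), so that other accounts on
// a shared host cannot read it. Constructed sample contents of
// /home/site/config/db.php:
//
//   <?php
//   return [
//       'host' => 'localhost',
//       'name' => 'guestbook',
//       'user' => 'guestbook_app',            // limited account, see below
//       'pass' => 'REPLACE-WITH-REAL-PASSWORD', // placeholder
//   ];
//
// The guestbook_app account is created once by an administrator, never by
// the web application itself, with only the rights these pages need:
//
//   CREATE USER 'guestbook_app'@'localhost' IDENTIFIED BY '...';
//   GRANT SELECT, INSERT ON guestbook.entries TO 'guestbook_app'@'localhost';
//
// With that grant, even a successful injection is limited to reading or
// adding guestbook rows; it cannot drop tables, reach other databases or
// alter other accounts.

function loadDbConfig(string $path): array
{
    if (!is_readable($path)) {
        throw new RuntimeException('Database configuration is missing or unreadable');
    }
    $cfg = require $path;
    foreach (['host', 'name', 'user', 'pass'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("Database configuration lacks '$key'");
        }
    }
    return $cfg;
}

function connectDb(array $cfg): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['name']);
    return new PDO($dsn, $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // let MySQL itself keep SQL and data apart
    ]);
}

// __DIR__ is the directory of this script, so the path is resolved relative
// to the code, not to the document root or the current working directory.
$config = loadDbConfig(__DIR__ . '/../config/db.php');
$db = connectDb($config);

// Guestbook insert with a prepared statement: user input travels as data,
// never as part of the SQL text, so addslashes() is not needed at all.
$stmt = $db->prepare('INSERT INTO entries (author, message) VALUES (?, ?)');
$stmt->execute([$_POST['author'] ?? '', $_POST['message'] ?? '']);
```

The two ideas reinforce each other: the file outside the document root keeps the credentials away from HTTP clients, and the restricted account limits what those credentials are worth to anyone who does obtain them.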
"Michael Vilain <vi****@spamcop.net>" wrote:

> http://shiflett.org/articles/security-corner-mar2004
>
> It had some great ideas, notably a method of removing the database
> passwords from a file that can be read by the Apache web server. php
> code must be readable by Apache (and the developer), so that means
> protecting the files via group permissions or running php with suExec as
> a process with CGIwrap (http://cgiwrap.sourceforge.net/), which is what
> I do for Perl CGI scripts.

Similar to what I have been saying for years - around 2001, before the
PHP Cookbook was published. I wonder if my comments inspired the
solution provided in the PHPCB - if so, I wonder if I got my name in a
book? :-D

--
Justin Koivisto - sp**@koivi.com
http://www.koivi.com
Jul 17 '05 #3
.oO(Dariusz)

> I have been reading a little that you should secure your PHP code to
> prevent SQL injection into a database (MySQL in my instance), mainly by
> checking the type of data to be put into a database, and if text, to
> addslashes() the data.
>
> What I have not managed to find out, is does SQL injection threaten the
> input of data into a database

Yep.

> , ie a guestbook, or the reading of a database
> where the user would not know if the data is being read from a database?

Not directly, but the problem is more complex.

An example: It could be possible for an attacker to insert SQL code into
the database. The application escapes all quotes, so it does no harm on
input. But even if the code made it "defused" into the database doesn't
mean the problem is solved. The injected code could still start its
malicious work when the application fetches the data from the db and
uses it again in another query. Usually no one escapes data obtained
from the db, because it's considered "safe" ...

> Is there anything else to consider to make a database more secure?

Even if the data is already in the system, it should _not_ be used
directly in other queries without validating/escaping it again.

And some SQL servers are vulnerable to a lot more and different variants
of SQL injection (Google for "advanced SQL injection").

> In particular, I have read here a few months back that it's a good idea to
> keep the username / password of the connection outside the root of the
> website. How would I access the password file then? What I mean is, if I
> want a certain file in my site I could access it by writing:
>
> www.mysite.com/password.php

Why would you want a password to be accessible with HTTP?

> But as it would now be outside the root, how would I be able to get to the
> password.php file?

PHP is able to access files directly through the filesystem.

Micha
Jul 17 '05 #4
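Micha's second-order scenario, worked through as an added example that is not part of the thread: a guestbook entry is escaped on the way in, stored harmlessly, and then pasted unescaped into a second query when the application reuses it. The vulnerable reuse sits beside the prepared-statement version. It uses an in-memory SQLite database through PDO so that it runs without a MySQL server; the `guestbook` and `authors` tables and the sample rows are constructed for the demonstration, and against MySQL only the DSN changes.

```php
<?php
// Added example (not from the thread): second-order SQL injection in a
// guestbook, beside the prepared-statement fix. An in-memory SQLite database
// via PDO keeps it self-contained; against MySQL only the DSN changes.

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE guestbook (id INTEGER PRIMARY KEY, author TEXT, message TEXT)');
    $db->exec('CREATE TABLE authors (name TEXT PRIMARY KEY, posts INTEGER NOT NULL DEFAULT 0)');
    // Two legitimate authors already exist (constructed sample data).
    $db->exec("INSERT INTO authors (name) VALUES ('alice'), ('carol')");
    return $db;
}

// Input side: quotes are escaped (PDO::quote() plays the role of the
// addslashes() habit the thread discusses), so this INSERT stores the text
// literally and is not itself exploitable.
function storeEntry(PDO $db, string $author, string $message): int
{
    $sql = sprintf(
        'INSERT INTO guestbook (author, message) VALUES (%s, %s)',
        $db->quote($author),
        $db->quote($message)
    );
    $db->exec($sql);
    return (int) $db->lastInsertId();
}

// Reuse side, vulnerable: the stored author name is fetched back and pasted
// into a second statement unescaped, on the assumption that "data from the
// db is safe". Whatever text was stored is now interpreted as SQL.
// Returns the number of author rows the UPDATE touched.
function creditAuthorUnsafe(PDO $db, int $entryId): int
{
    $stmt = $db->prepare('SELECT author FROM guestbook WHERE id = ?');
    $stmt->execute([$entryId]);
    $author = $stmt->fetchColumn();
    return $db->exec("UPDATE authors SET posts = posts + 1 WHERE name = '$author'");
}

// Reuse side, fixed: the same logic with a parameterised query. The value is
// handed to the driver separately from the SQL text, so it can only ever be
// compared against a name, whatever characters it contains.
function creditAuthorSafe(PDO $db, int $entryId): int
{
    $stmt = $db->prepare('SELECT author FROM guestbook WHERE id = ?');
    $stmt->execute([$entryId]);
    $author = $stmt->fetchColumn();
    $upd = $db->prepare('UPDATE authors SET posts = posts + 1 WHERE name = ?');
    $upd->execute([$author]);
    return $upd->rowCount();
}

// Demonstration with a constructed guestbook entry whose "name" carries a
// quote and an OR clause, the textbook shape of an injected value.
$db = setupDb();
$id = storeEntry($db, "bob' OR '1'='1", 'hello');

// Unsafe reuse: the stored text rewrites the WHERE clause, so every author
// row is updated. Safe reuse: the text is compared as a literal name, and no
// author with that name exists, so no row is updated.
$unsafe = creditAuthorUnsafe($db, $id);
$safe   = creditAuthorSafe($db, $id);

printf("unsafe reuse touched %d rows, safe reuse touched %d rows\n", $unsafe, $safe);
```

The lesson matches Micha's point: escaping at the input boundary only protects the query that does the escaping. Any later statement that reuses a stored value needs its own protection, and a prepared statement gives that without having to remember where each value originally came from.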
