By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
455,719 Members | 1,265 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 455,719 IT Pros & Developers. It's quick & easy.

Database security - PHP code

P: n/a
I have been reading a little that you should secure your PHP code to
prevent SQL injection into a database (MySQL in my instance), mainly by
checking the type of data to be put into a database, and if text, to
addslashes() the data.

What I have not managed to find out, is does SQL injection threaten the
input of data into a database, ie a guestbook, or the reading of a database
where the user would not know if the data is being read from a database?

Is there anything else to consider to make a database more secure?

In particular, I have read here a few months back that it's a good idea to
keep the username / password of the connection outside the root of the
website. How would I access the password file then? What I mean is, if I
want a certain file in my site I could access it by writing:

www.mysite.com/password.php

But as it would now be outsite the root, how would I be able to get to the
password.php file?

I have also read a bit that you can assign privelages (similar I guess to
rwe for a directory / file) but to the database access, but can't find
anything about it. Is there a good (beginners) guide to privelages?

Any just incase, I did RTFM, but there are many versions which make it
confusing on who is right.

Thanks

Dariusz
Jul 17 '05 #1
Share this Question
Share on Google+
3 Replies


P: n/a
In article <41***********************@ptn-nntp-reader04.plus.net>,
ng@lycaus.plusYOURSHIT.com (Dariusz) wrote:
I have been reading a little that you should secure your PHP code to
prevent SQL injection into a database (MySQL in my instance), mainly by
checking the type of data to be put into a database, and if text, to
addslashes() the data.

What I have not managed to find out, is does SQL injection threaten the
input of data into a database, ie a guestbook, or the reading of a database
where the user would not know if the data is being read from a database?

Is there anything else to consider to make a database more secure?

In particular, I have read here a few months back that it's a good idea to
keep the username / password of the connection outside the root of the
website. How would I access the password file then? What I mean is, if I
want a certain file in my site I could access it by writing:

www.mysite.com/password.php

But as it would now be outsite the root, how would I be able to get to the
password.php file?

I have also read a bit that you can assign privelages (similar I guess to
rwe for a directory / file) but to the database access, but can't find
anything about it. Is there a good (beginners) guide to privelages?

Any just incase, I did RTFM, but there are many versions which make it
confusing on who is right.

Thanks

Dariusz


You've done your homework, don't worry. There was a discussion
_somewhere_ (here or another group) about securing php in a shared
server (like a webhosting ISP) and this URL was posted:

http://shiflett.org/articles/security-corner-mar2004

It had some great ideas, notably a method of removing the database
passwords from a file that can be read by the Apache web server. php
code must be readable by Apache (and the developer), so that means
protecting the files via group permissions or running php with suExec as
a process with CGIwrap (http://cgiwrap.sourceforge.net/), which is what
I do for Perl CGI scripts.

There was also a link in Chris' article on permissions.

Read and enjoy.

--
DeeDee, don't press that button! DeeDee! NO! Dee...

Jul 17 '05 #2

P: n/a
"Michael Vilain <vi****@spamcop.net>" wrote:
http://shiflett.org/articles/security-corner-mar2004

It had some great ideas, notably a method of removing the database
passwords from a file that can be read by the Apache web server. php
code must be readable by Apache (and the developer), so that means
protecting the files via group permissions or running php with suExec as
a process with CGIwrap (http://cgiwrap.sourceforge.net/), which is what
I do for Perl CGI scripts.


Similar to what I have been saying for years - around 2001, before the
PHP Cookbook was published. I wonder if my comments inspired the
solution provided in the PHPCB - if so, I wonder if I got my name in a
book? :-D

--
Justin Koivisto - sp**@koivi.com
http://www.koivi.com
Jul 17 '05 #3

P: n/a
.oO(Dariusz)
I have been reading a little that you should secure your PHP code to
prevent SQL injection into a database (MySQL in my instance), mainly by
checking the type of data to be put into a database, and if text, to
addslashes() the data.

What I have not managed to find out, is does SQL injection threaten the
input of data into a database
Yep.
, ie a guestbook, or the reading of a database
where the user would not know if the data is being read from a database?
Not directly, but the problem is more complex.

An example: It could be possible for an attacker to insert SQL-code into
the database. The application escapes all quotes, so it does no harm on
input. But even if the code made it "defused" into the database doesn't
mean the problem is solved. The injected code could still start its
malicious work when the application fetches the data from the db and
uses it again in another query. Usually no one escapes data obtained
from the db, because it's considered "safe" ...
Is there anything else to consider to make a database more secure?
Even if the data is already in the system, it should _not_ be used
directly in other querys without validating/escaping it again.

And some SQL servers are vulnerable to a lot more and different variants
of SQL injection (Google for "advanced SQL injection").
In particular, I have read here a few months back that it's a good idea to
keep the username / password of the connection outside the root of the
website. How would I access the password file then? What I mean is, if I
want a certain file in my site I could access it by writing:

www.mysite.com/password.php
Why would you want a password be accessible with HTTP?
But as it would now be outsite the root, how would I be able to get to the
password.php file?


PHP is able to access files directly through the filesystem.

Micha
Jul 17 '05 #4

This discussion thread is closed

Replies have been disabled for this discussion.