Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I have a website where I need to fetch data from mysql and show them to user.
Every time user refreshes the page the mysql is going to connect, fetch som data, return it and the connection is closed (so user can be up-to-date).
There is a problem with it, because I tired to spam refreshes on my site and after 25.000 mysql connections in hour, my page is going to be down for an hour, because I have mysql_max_connection equal to 25.000 by my hosting provider.
I have only one account for MySQL there so I can't switch to any other account.
I was thinking about using the PDO::ATTR_PERSISTENT to make persistent connections, but there is no mysql_reset when the user comes back, so I think it's not a good idea to use it.
I wanted to ask if there is any way to prevent it within PDO or any other PHP/MySQL functions or how it's done by some commercial sites like facebook or so.
Thank you for your advise.
You can limit the usage per user per hour in MySQL:
LINK SECURITY MYSQL
However, most web apps use a single MySQL username for all application users. So this might just serve to throttle your whole website.
The addslashes function is not the right solution for preventing SQL injection. Every MySQL API includes a more appropriate escaping function, for example mysqli_real_escape_string() or PDO::quote().
But even better is to use prepared statements with query parameters instead of escaping and concatenating variables into SQL query strings.
Examples are easy to find if you examine other questions with the sql-injection tag. One of the best answers is in
How can I prevent SQL-injection in PHP?
Check and try these information. Good luck.
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 6 years ago.
Improve this question
Is it possible for someone to hack a MySQL database by knowing (only) the username and the password for my database.
There is no phpMyAdmin to login from it and there is no way to do any SQL injection in the website (because I'm using Laravel).
Your question is quite similar to "Is it possible to break into my house with my door key?"
It depends on few things:
Which IP is your MySQL listening to? In your MySQL Config File bind-address, find the value.
For that specific username, did you enabled remote access for that user in MySQL?
Any Firewall rules to restrict remote MySQL connections?
By the way, using Laravel or any other frameworks does NOT guarantee anything on protecting from SQL injection. People can easily write a SQL injection vulnerable web page under any framework if they want.
You should:
Implement your database related code properly and follow the instruction in the documentation.
Set your MySQL users and their privilege in the right way.
Do not expose your database to the public is recommended.
Last thing for your update, if you want to share your database with others. Not a big problem if you set the privilege correctly.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
Improve this question
I have to pass parameters throught my pages. For exemple ids of my database.
Is it a good idea to do so: www.example.com?id=10
Or have I to hash the parameter:
www.example.com?id=b1d5781111d84f7b3fe45a0852e59758cd7a87e5
It is really important to hash this one?
Thanks
Best regards
There is no need to hash Id's in query string. Yes it is visible to everyone but it's a common use. you should verify in your server side that this parameter cannot harm your application
How are you able to trace back the id for that specific hash? You will create a bottleneck if you need to get all your database id's and hash those to find your matching record.
Using id's in urls are commonly used, just dont put any sensitive data in your urls to protect your visitors (and yourself).
Also note that every visitor is evil. Always validate incomming data and do some proper error handling incase someone is messing around with the urls.
Ids are ok but I think the spirit of this question may be the result of a very real concern.
As others have said, you should expect evildoers to be using your site. Of particular concern with poorly design web applications, are SQL injection attacks. The ids themselves aren't an issue but if your backend is building a string of SQL, you could have issue. For example if your PHP code is taking that parameter and creating this SQL:
SQL = 'select * from product where id ='.$_GET['id']
Executing this SQL would be a major issue if someone changed their browser to call this page:
/product.php?id=1;DELETE FROM USERS;--
...you could end up with an empty database table.
Every language has its own way of protecting from this kind of thing, so make sure you are doing it the right way. For example, see this SO question How can I prevent SQL injection in PHP?
See https://www.owasp.org/index.php/SQL_Injection for more info
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I understand that in general PDO scripts are cross compatible i.e. generally changing the connection string should work.
In the past I've spent hours searching online after changing a PDO script connection string from MySQL to SQLite as this isn't the case, some things don't work the same (I remember an issue with row counting or something).
So should changing from MySQL to Oracle be generally simple, or are there things to watch out for as in the SQLite case?
So should changing from MySQL to Oracle be generally simple, or are there things to watch out for as in the SQLite case?
There are things to watch out.
More seriously, beside basic SQL query, each RDBMS has its own set of specific features that have to be taken into account. Just to give one example, if you want to limit the result set to one row only, MySQL provides the LIMIT clause. But for Oracle up to 11g, you need a sub-query for that purpose.
If you really need cross-vendor support, you probably should take a look at some library providing database abstraction layer whose job is to allow you to write database-agnostic code. PDO isn't such a library. But Doctrine DAL, Zend_db and many other are.
It is now considered as off-topic to request suggestions for a tool here, but take a look at this old question if you need few pointers: Best PHP DAL (data abstraction layer) so far
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
I haven't found anything that matches my situation...
I am using XAMPP, which has MySQL as a backend and PHP in the front (web) end. in the Administration screen of MySQL (phpMyAdmin) I can create and run SQL requests. There is also an option of "Bookmark this SQL Query: "
Suppose i save a "Bookmark SQL Query". Is it possible for PHP to reference this Bookmark SQL Query? or do I have to create that query in PHP. It would be easier to reference the Bookmarked query, rather than make the full SQL query
Thanks.
Thanks to those who understood the question. You are smarter than those to didn't.
PHPMyAdmin is simply a PHP application that interfaces with your database. Anything you save on it stays on it.
Your PHP application is completely different from PHPMyAdmin and unless you create such a feature, you cannot use it within your application.
If you create a SQL execution interface within your application, you can also create something like that to be able to re-use the query.
Hope the explanation makes sense and the answer helps.
No, I don't think it's possible, the feature you're talking about is a feature in the client application only. You should write the query in PHP. That way you don't have to rely on an external feature/query for the application to work either.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
what is the worst that could happen to my database if my PHP code has a SQL injection vulnerability in the where statement, ie SELECT * FROM table WHERE id='$unescapedstring'?
sorry forgot to mention mysql
What if $unescapedstring is set to cake';DROP TABLE 'table';--? That'll execute the select, followed by the DROP TABLE statement. Replace the drop table with whatever sql you want, and you've got yourself the ability to execute any SQL. They can download your database, or wipe it, or modify records...just don't do it. Sanitize your inputs! Otherwise, your users have free reign on your database.
While the other answers are completely correct, if you have your mysql user accounts set up correctly, the account executing those queries probably shouldn't have permissions to alter/create/drop tables/databases. Therefore, worst that could happend in that scenario: DELETE FROM table
The worst that can happen? I'd say that anything can happen with that query.
For example, I submit this:
unescapedstring: '; (any other query)
Now, your query becomes:
SELECT * FROM table WHERE id=''; (any other query)
From there, I have the ability to execute any MySQL command. I can drop your whole database, I can edit it, I can download your database, and if your server permits, I can even go as far as rooting your actual server.
Basically, the attacker has full access to your MySQL installation. Expect anything.