This question already has answers here:
Closed 12 years ago.
Possible Duplicate:
What security issues should I look out for in PHP
what are the SECURITY THREATS while using PHP connected with MySQL
what STEPS should be followed\insured to maximize security
You should at least properly quote your data to avoid injection. Google PHP and Mysql Injection for more information on this. Also see: http://nl.php.net/manual/en/function.mysql-real-escape-string.php
especially note example2 which explaines injection.
As said before, SQL injection is the most common attack. But also have to be sure you don't use a superuser or any other database role that has too much permissions, to connect with your database. Make sure you create a role that has the bare minimum permissions to function, and use this role in your PHP script.
You could also use stored procedures and/or views to revoke direct access to tables and data.
And whatever you do, make sure you use strong passwords and only store hashes of these passwords.
Do not trust input, all input is evil.
Number one issue is usually user input, especially when using a database. Make sure the user can never input anything that can harm your site - whether it's executable PHP (say you're using eval for some reason), or SQL injection.
Related
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
a little new to MySQL but, if I create a Page using HTML, CSS & JS do i need to use prepeard statements to prevent SQL Injections?
Or only if i use text iput?
Maybe me using text-input doesn't matter as user can edit files during use with browser-inspection tools to add one anyway.
If I use PHP instead of HTML for includes is it more easy to inject Code?
Lets say I set up a site using Siteground, where do i find the files I need to edit to prevent this, PHP or MySQL?
Or do I only need to worry about this if I write some custom PHP/MySQL code which handles incoming data to the database?
Or am I asking the wrong question?
Thanks!
-A
SQL injection is an attack type which consists of a user writing malicious code as user input and then posting it to the server. If the db server executes such a code, then bad things will happen.
To prevent executing malicious SQL provided in user input is equivalent of escaping dynamic parameters of queries. This can be done either by PDO or mysqli_real_escape_string.
So, to make sure you have no possibility for SQL injection, just check all the places where direct MySQL commands are executed and make sure the parameters are escaped.
I'm a junior PHP developer currently working on a project with a small team. It's the first time I've worked in a team on a project so I'm learning lots and building team working skills.
There is one specific thing I noticed that my fellow developers do and I believe could be a large security risk. When creating forms they will give the input name the column name in the database. This means that wherever the data is posted they can use a nifty for each loop going through the POST array. Sure, it's pretty and easy, but do I want users to see the names of columns?
I'm not sure if it does pose a security risk (first thing I think of is SQL injection) but if it does what can be done?
I suppose you could possibly hash the names of the inputs? Still, that's not totally 100% secure. What if in the form page the names are things like 'apple64', 'banana99', 'chickens' and then in the PHP file they're converted to their corresponding column names?
The point of my question is to find general practice for this (possible) security vulnerability.
Such a general practice is called "whitelisting".
You are positively right about this vulnerability. And for a junior developer you have a very good eye. As a matter of fact, most people who call themselves "professionals" never bother themselves with such questions.
So, to prevent an ordinary SQL injection and also to prevent random access to table fields (a user may be disallowed to some of them), you have to verify your post data against a pre-written whitelist.
Here you can see my approach for either classic mysql or PDO as an example.
When you develop, you have to give to user the minimal informations.
Headers / DB name / Column name etc..
The risk of the sql injection exist if your form treatments are not secure.
To control your sql requests, you have to prepare them and check if the variable have special chars.
Documentation about pdo
http://php.net/manual/en/pdo.prepare.php
A nice "how to" about the sql injection:
http://www.unixwiz.net/techtips/sql-injection.html
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Best way to stop SQL Injection in PHP
I'm currently designing and building my own content management system and my main worry is someone using an sql injection on my forms. I have a decent amount of security to get into my CMS but on the front end of the site I'll have a subscriber form and contact for which will link to my mySql database.
What tend to be the conventional PHP methods for preventing sql injection on forms?
any help would be great, thanks.
There's a function mysql_real_escape_string() which is generally seen as a basic requirement for preventing this kind of attack.
Don't forget to also set a character encoding. I'd suggest UTF-8. And make sure your HTML uses the same encoding as your database/tables.
Probably one of the best solutions is to filter all incoming data with function mysql_real_escape_string
To protected yourself against SQL Injection you need to sanitize input and use parameter queries.
I'm not sure about PHP, but I think you have something like prepared statements. You should search and read a little about it.
Also, that is not the only problem you should care about, please (!!!) take a look at https://www.owasp.org/index.php/Main_Page
mysql_real_escape_string is used for SQL statements. Is it enough for database security alone? For example with get_magic_quotes_gpc() we have use stripslashes. Is there any issue that we have to know about using other function with mysql_real_escape_string ?
Thanks in advance
If you want to have a more secure database, simply escaping a string is not enough. This will definitely help in regards to SQL injection attacks, but there are a host of other methods to compromise a database.
Some pointers:
Practice "least privilege" in that the users and accounts that are GRANTed access to your database should have the minimum privileges to complete their tasks and nothing else.
Make sure your passwords are difficult to guess (composed of letters both lower and upper, numbers, symbols, etc.) and changed regularly.
Don't save credit card numbers unless absolutely necessary (assuming you're running a commercial site).
Hash and possibly salt your passwords before storing them in your database if you'll have user accounts
Check and double-check port numbers (3306 for MySQL) and permissions on files and directories, especially if users are uploading files
These are generally good practice and you should be aware of issues for databases outside the scope of just SQL injection attacks.
not really. SQL statements are different. for some of them it helps, for others - not.
I've answered that question recently: In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?
Hope it can give you the full picture, but you are welcome to ask if something is unclear.
Note that get_magic_quotes_gpc() and stripslashes are NOT database issue. It's just input data validation thing, and it has nothing to do with SQL
1)turn off magic_quotes_gpc
2)Is it enough with mysql_real_escape_string()
I have built a cms from scratch in PHP and I need a little help with getting it more secure. Basically I have arranged all my important files as followed:
/var/www/TESTUSERNAME/includes/val.php
Is this a secure way to stop people from getting hold of my values ?
Would it be a better to store these values in a database then run the query in this file ?
could you also give me some tips on how to better secure my application ?
First of all, you configure the php installation in such way that it becomes less vulnerable, you can also use the htaccess file to secure your directories.
What about other security issues?
XSS
CSFR
SQL Injection
Session hijacking
Session Fixation
etc
etc
See this for it.
Check POST data for SQL injection, XSS:Filter script (and HTML) inserted to your page.
These 2 are the most important.
And of course update your installation. also you shouldn't rely on Session. If somebody stole a cookie of logged user he change into this user.
If you put the values in the database then you have to worry about SQL Injection. If you aren't using parametrized quires, then you might have a serious problem with SQL Injection and moving the values to the database could be a bad idea due to this increased attack surface. In MySQL SQL injection can be used to read files like val.php, make sure your web application doesn't have "FILE" privileges. You also have to make sure your privileges are setup properly on this file. chmod 750 is a good one of this file, the last number 0 denies all access to everyone that isn't you or in your group.
by keeping the values in val.php you still have to worry about directory traversal vulnerabilities like this:
print file_get_contents("/var/www/whatever/".$_GET['FILE_NAME']);
Go though your code and pay attention to where you are reading and writing to files. Make sure you aren't passing in user control variables. If you want to get an attackers preservative on PHP and learning other ways of how files can be read i recommend reading A Study In Scarlet.