Security php + mysql

  • Archibald

    Security php + mysql

    I want to improve security of a multiplayer online game written in php
    and mysql. Because I'm new to this stuff I would appreciate some tips.
    If you have time look here http://web.rulex.net/archi/Medieval_Lords/
    and check what are the main problems (please don't hack it more than
    needed because there is a test game taking place there, just to say what
    is wrong without crashing it).

    I think it will need:

    1) create a system of email authorisation for new users who want to
    register (I know how to do it, so ignore this - unless there are some
    really strange things I should be aware of).

    2) mysql user input checking. User can affect database directly by
    registration (username, password) and messages to other users (subject
    and text). This can mess the database if they put for example "'" symbol
    in their username. What are the other dangerous characters? How should I
    protect/limit username and message text (I understand I should use
    functions like strip_tags() or similar, but there are plenty of such
    functions and I don't know which to choose).

    3) any other security issues?
  • Tim Van Wassenhove

    #2
    Re: Security php + mysql

    On 2005-08-16, Archibald <usenet0@poczta.onet.pl> wrote:
    > 2) mysql user input checking. User can affect database directly by
    > registration (username, password) and messages to other users (subject
    > and text). This can mess the database if they put for example "'" symbol
    > in their username. What are the other dangerous characters? How should I
    > protect/limit username and message text (I understand I should use
    > functions like strip_tags() or similar, but there are plenty of such
    > functions and I don't know which to choose).

    I wouldn't name this a security issue but a mysql issue.
    Read http://www.php.net/mysql_real_escape_string and you will know how
    you can handle the "special" characters.


    --
    Met vriendelijke groeten,
    Tim Van Wassenhove <http://timvw.madoka.be>


    • Andy Hassall

      #3
      Re: Security php + mysql

      On Tue, 16 Aug 2005 22:05:29 +0200, Archibald <usenet0@poczta.onet.pl> wrote:
      >2) mysql user input checking. User can affect database directly by
      >registration (username, password) and messages to other users (subject
      >and text). This can mess the database if they put for example "'" symbol
      >in their username. What are the other dangerous characters?

      Properly escaped, no character is dangerous.

      >How should I
      >protect/limit username and message text (I understand I should use
      >functions like strip_tags() or similar, but there are plenty of such
      >functions and I don't know which to choose).

      mysql_escape_string() is the manual way of doing it, but save yourself the
      risk of forgetting to escape characters by using a database library. My
      recommendation is ADOdb as it has a decent interface, and is a thin enough
      layer not to affect performance noticeably.



      ADOdb emulates placeholders for databases that don't have them natively (e.g.
      MySQL), so data and SQL are properly separated and any escaping is done behind
      the scenes if required. So you'd do something like:

      $db->Execute(
          'insert into wibble (x, y) values (:1, :2)',
          array($x, $y)
      );

      You do not escape or modify $x or $y in any way - the library does whatever is
      required to get those values into the database safely.

      --
      Andy Hassall / <andy@andyh.co.uk> / <http://www.andyh.co.uk>
      <http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
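      The same data-versus-SQL separation with PDO, which today's PHP ships with
      and which talks to MySQL's native placeholders, shown beside the
      string-pasting version the original poster is worried about. This is an
      added example, not code from the thread or from ADOdb; the DSN, credentials
      and table layout are placeholders.

```php
<?php
// Added example (not from the thread). DSN/credentials/tables are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=game;charset=utf8mb4', 'game', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let MySQL itself keep data and SQL apart
]);

// The problem the thread describes: the username is pasted into the SQL text,
// so a quote inside it changes the shape of the query instead of being data.
function registerUnsafe(PDO $pdo, string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $pdo->exec("INSERT INTO users (username, pw_hash) VALUES ('$username', '$hash')");
}

// The fix: the query text is fixed at prepare() time and the values travel
// separately, so no character in $username is "dangerous" and nothing is escaped
// by hand (the equivalent of Andy's $db->Execute() with placeholders).
function registerUser(PDO $pdo, string $username, string $password): void {
    $stmt = $pdo->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT), // never store the plain password
    ]);
}

function sendMessage(PDO $pdo, int $fromId, int $toId, string $subject, string $text): void {
    $stmt = $pdo->prepare(
        'INSERT INTO messages (from_id, to_id, subject, body) VALUES (?, ?, ?, ?)'
    );
    // Store the text exactly as typed: SQL escaping is the driver's job on the way
    // in, HTML escaping is the page's job on the way out. Escaping the stored value
    // itself is what later shows up as stray backslashes before quotes.
    $stmt->execute([$fromId, $toId, $subject, $text]);
}

// Constructed sample input: a username with a quote is stored verbatim.
registerUser($pdo, "o'brien", 'correct horse battery staple');
sendMessage($pdo, 1, 2, 'Re: siege', "Don't march tonight\nMeet at the gate.");
```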


      • Archibald

        #4
        Re: Security php + mysql

        In article <ddttv3$2q3$1@ikaria.belnet.be>, timvw@users.sourceforge.net
        says...
        > I wouldn't name this a security issue but a mysql issue.
        > Read http://www.php.net/mysql_real_escape_string and you will know how
        > you can handle the "special" characters.

        Thanks.

        I have a problem with messages, because now all ' symbols are displayed
        as /'. I also need to allow newlines in a message (automatic <BR> after
        enter in the form) and disallow other tags like <a href>. What set of
        functions is best for this task?

        A new address if you want to check security
        http://www.lords.gamessite.net/ I have put mysql_escape_string()
        everywhere where user can modify database, anything else I should do?

        --
        Archibald


        • Tim Van Wassenhove

          #5
          Re: Security php + mysql

          On 2005-08-22, Archibald <usenet0@poczta.onet.pl> wrote:
          > In article <ddttv3$2q3$1@ikaria.belnet.be>, timvw@users.sourceforge.net
          > says...
          >> I wouldn't name this a security issue but a mysql issue.
          >> Read http://www.php.net/mysql_real_escape_string and you will know how
          >> you can handle the "special" characters.
          >
          > Thanks.
          >
          > I have a problem with messages, because now all ' symbols are displayed
          > as /'. I also need to allow newlines in a message (automatic <BR> after
          > enter in the form) and disallow other tags like <a href>. What set of
          > functions is best for this task?

          Inserts HTML line breaks before all newlines in a string


          > A new address if you want to check security
          > http://www.lords.gamessite.net/ I have put mysql_escape_string()
          > everywhere where user can modify database, anything else I should do?

          The advice was to use mysql_real_escape_string(), as the one that you
          are using is deprecated.

          --
          Met vriendelijke groeten,
          Tim Van Wassenhove <http://timvw.madoka.be>
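          The display side of Archibald's question (newlines become <br>, <a href>
          stays harmless), as an added example that is not code from the thread:
          it uses htmlspecialchars() instead of strip_tags() so tags are shown as
          literal text rather than silently removed, and it assumes the body was
          stored unescaped because the SQL driver did the escaping on insert.

```php
<?php
// Added example (not from the thread). Assumes message bodies are stored as typed.
function renderMessage(string $body): string {
    // 1. Neutralise every tag, quote and ampersand first, so "<a href=...>" is
    //    displayed as text instead of becoming a link or a script container.
    $safe = htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    // 2. Only now turn newlines into <br>: the breaks we add are then the only
    //    markup in the output, so the order of these two calls matters.
    return nl2br($safe, false);
}

// The "/'" symptom in the thread usually means a quote was backslash-escaped
// twice on the way in (e.g. magic_quotes_gpc plus a manual escape call) and the
// backslash got stored. Undo that once, when cleaning up existing rows, rather
// than calling stripslashes() on every page view.
function unescapeLegacyRow(string $body): string {
    return stripslashes($body);
}

// Constructed sample input with a quote, a link tag and a line break.
$body = "Don't click <a href=\"http://example.invalid\">here</a>\nSee you at the gate.";
echo renderMessage($body), "\n";
```

          Send the rendered string with a Content-Type of text/html; charset=UTF-8
          so the browser decodes it the same way htmlspecialchars() encoded it.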
