Database security - PHP code

Collapse
This topic is closed.
X
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • Dariusz
    #1

    Database security - PHP code

    I have been reading a little that you should secure your PHP code to
    prevent SQL injection into a database (MySQL in my instance), mainly by
    checking the type of data to be put into a database, and if text, to
    addslashes() the data.

    What I have not managed to find out, is does SQL injection threaten the
    input of data into a database, ie a guestbook, or the reading of a database
    where the user would not know if the data is being read from a database?

    Is there anything else to consider to make a database more secure?

    In particular, I have read here a few months back that it's a good idea to
    keep the username / password of the connection outside the root of the
    website. How would I access the password file then? What I mean is, if I
    want a certain file in my site I could access it by writing:

    https://www.mysite.com/password.php


    But as it would now be outsite the root, how would I be able to get to the
    password.php file?

    I have also read a bit that you can assign privelages (similar I guess to
    rwe for a directory / file) but to the database access, but can't find
    anything about it. Is there a good (beginners) guide to privelages?

    Any just incase, I did RTFM, but there are many versions which make it
    confusing on who is right.

    Thanks

    Dariusz
    Tags: None
    • Michael Vilain
      #2
      Re: Database security - PHP code

      In article <416e9326$0$480 25$ed2e19e4@ptn-nntp-reader04.plus.n et>,
      ng@lycaus.plusY OURSHIT.com (Dariusz) wrote:
      [color=blue]
      > I have been reading a little that you should secure your PHP code to
      > prevent SQL injection into a database (MySQL in my instance), mainly by
      > checking the type of data to be put into a database, and if text, to
      > addslashes() the data.
      >
      > What I have not managed to find out, is does SQL injection threaten the
      > input of data into a database, ie a guestbook, or the reading of a database
      > where the user would not know if the data is being read from a database?
      >
      > Is there anything else to consider to make a database more secure?
      >
      > In particular, I have read here a few months back that it's a good idea to
      > keep the username / password of the connection outside the root of the
      > website. How would I access the password file then? What I mean is, if I
      > want a certain file in my site I could access it by writing:
      >
      > www.mysite.com/password.php
      >
      > But as it would now be outsite the root, how would I be able to get to the
      > password.php file?
      >
      > I have also read a bit that you can assign privelages (similar I guess to
      > rwe for a directory / file) but to the database access, but can't find
      > anything about it. Is there a good (beginners) guide to privelages?
      >
      > Any just incase, I did RTFM, but there are many versions which make it
      > confusing on who is right.
      >
      > Thanks
      >
      > Dariusz[/color]

      You've done your homework, don't worry. There was a discussion
      _somewhere_ (here or another group) about securing php in a shared
      server (like a webhosting ISP) and this URL was posted:

      Shared Hosting, by Chris Shiflett
      http://shiflett.org/articles/security-corner-mar2004
      Chris Shiflett is an entrepreneur, product designer, and web developer.


      It had some great ideas, notably a method of removing the database
      passwords from a file that can be read by the Apache web server. php
      code must be readable by Apache (and the developer), so that means
      protecting the files via group permissions or running php with suExec as
      a process with CGIwrap (http://cgiwrap.sourceforge.net/), which is what
      I do for Perl CGI scripts.

      There was also a link in Chris' article on permissions.

      Read and enjoy.

      --
      DeeDee, don't press that button! DeeDee! NO! Dee...



        Comment

        • Justin Koivisto
          #3
          Re: Database security - PHP code

          "Michael Vilain <vilain@spamcop .net>" wrote:[color=blue]
          > http://shiflett.org/articles/security-corner-mar2004
          >
          > It had some great ideas, notably a method of removing the database
          > passwords from a file that can be read by the Apache web server. php
          > code must be readable by Apache (and the developer), so that means
          > protecting the files via group permissions or running php with suExec as
          > a process with CGIwrap (http://cgiwrap.sourceforge.net/), which is what
          > I do for Perl CGI scripts.[/color]

          Similar to what I have been saying for years - around 2001, before the
          PHP Cookbook was published. I wonder if my comments inspired the
          solution provided in the PHPCB - if so, I wonder if I got my name in a
          book? :-D

          --
          Justin Koivisto - spam@koivi.com
          Temporarily Disabled | Koivi.com
          http://www.koivi.com

            Comment

            • Michael Fesser
              #4
              Re: Database security - PHP code

              .oO(Dariusz)
              [color=blue]
              >I have been reading a little that you should secure your PHP code to
              >prevent SQL injection into a database (MySQL in my instance), mainly by
              >checking the type of data to be put into a database, and if text, to
              >addslashes() the data.
              >
              >What I have not managed to find out, is does SQL injection threaten the
              >input of data into a database[/color]

              Yep.
              [color=blue]
              >, ie a guestbook, or the reading of a database
              >where the user would not know if the data is being read from a database?[/color]

              Not directly, but the problem is more complex.

              An example: It could be possible for an attacker to insert SQL-code into
              the database. The application escapes all quotes, so it does no harm on
              input. But even if the code made it "defused" into the database doesn't
              mean the problem is solved. The injected code could still start its
              malicious work when the application fetches the data from the db and
              uses it again in another query. Usually no one escapes data obtained
              from the db, because it's considered "safe" ...
              [color=blue]
              >Is there anything else to consider to make a database more secure?[/color]

              Even if the data is already in the system, it should _not_ be used
              directly in other querys without validating/escaping it again.

              And some SQL servers are vulnerable to a lot more and different variants
              of SQL injection (Google for "advanced SQL injection").
              [color=blue]
              >In particular, I have read here a few months back that it's a good idea to
              >keep the username / password of the connection outside the root of the
              >website. How would I access the password file then? What I mean is, if I
              >want a certain file in my site I could access it by writing:
              >
              >www.mysite.com/password.php[/color]

              Why would you want a password be accessible with HTTP?
              [color=blue]
              >But as it would now be outsite the root, how would I be able to get to the
              >password.php file?[/color]

              PHP is able to access files directly through the filesystem.

              Micha

                Comment

                Previous template Next
                Working...