mySQL security
muso
Member Since: Jan 15, 2003
Location: Whangarei, New Zealand
Posts: 2
I have a simple xhtml page with a form asking for the user's first name, last name, email address and phone number. The form submits its data to 'database.php', which is a simple php script that adds the given data to the table 'entries' in the database 'one'.

At the moment, it's nothing more than that. In the php page I open the connection to the mysql server through a separate script in a subdirectory which will eventually be protected with htaccess.

Security is of extreme importance in this situation. What measures can I take to prevent a malicious user entering a set of commands that will close the query and give them full access to my database (e.g. entering a single/double quote and a ')' to terminate the running command)?

I'm in your forums, writing sentences in a grammatically acceptable manner.
Murlyn
Member Since: Jun 11, 2003
Location: Mount Vernon, WA
Posts: 4,909
Verify all data. And what I would do is post to your original page and then send them to a different page saying thank you.

For your login data, make sure that file is kept outside of the web directories; that way a person cannot access it through the web.. only through ftp, ssh, etc, but then they have to have the password.. if they get the password then it really does not matter what kind of security you do..

Try urlencoding and urldecoding.. try stripslashes, try addslashes..

I put all my data into single quotes.. even those that are just numbers..

I do remove the slashes and then add my own slashes to the data.. that should take care of all your problems
Murlyn
Oh hey Muso.. where in NZ are you? I was and am still thinking of moving there.. I absolutely love the people! the land! everything.. just trying to convince my fiancée is hard
muso
You mean post to PHP_SELF() or whatever, and have the database script in the same file?

Do single quotes prevent mySQL commands being entered? I think the only way I could even get the form data into the database was to use something like:
insert into table values('$first_name', '$last_name')
Is that secure, if I use stripslashes with it?

muso
Check your private messages

Murlyn
Yeah I mean using PHP_SELF.. try to make sure and use the new global variables though.. so $_SERVER['PHP_SELF'] and $_POST['firstname'] etc. And actually you won't need to do anything to that input because it should automatically add slashes to your incoming data..

So let's say $_POST['lastname'] was O'Connel then it would actually be O\'Connel which escapes the apostrophe.. and tells mysql to not use it as part of the sql statement.. that it's actually part of the value..

So something like this:

INSERT INTO tablename VALUES ('{$_POST['firstname']}', '{$_POST['lastname']}');

As you can see, surrounding the variables are single quotes.. now since the data within will have their single quotes escaped.. it shouldn't matter what kind of stuff someone puts in the fields.. they shouldn't be able to add any damaging code, without it throwing up an error.
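The following is an added example written for this thread, not code posted by muso or Murlyn. It addresses muso's original question (how to stop a quote in a form field from ending the SQL string and the statement) and Murlyn's last post (relying on automatically added slashes around single-quoted interpolation). Magic quotes were removed in PHP 5.4, so the "it should automatically add slashes" behaviour no longer exists; the durable fix is to keep user values out of the SQL text altogether with a prepared statement, and to validate each field first. The example assumes the database 'one' and table 'entries' from the first post, a credentials file at ../private/db_config.php outside the web root (Murlyn's advice) returning an array with 'dsn', 'user' and 'pass' keys, and a thank-you page at /thanks.html; those paths and keys are the example's own choices.

```php
<?php
// Added example (not code from this thread). Assumptions: a MySQL database
// named 'one' with a table 'entries' holding first_name, last_name, email and
// phone columns, as the original post describes; a credentials file at
// ../private/db_config.php (outside the web root) that returns an array with
// 'dsn', 'user' and 'pass' keys; and a thank-you page at /thanks.html.
declare(strict_types=1);

$config = require dirname(__DIR__) . '/private/db_config.php';

/** Validate and normalise the four form fields; returns ok flag, errors, data. */
function validateEntry(array $post): array
{
    $first = trim((string) ($post['first_name'] ?? ''));
    $last  = trim((string) ($post['last_name']  ?? ''));
    $email = trim((string) ($post['email']      ?? ''));
    $phone = trim((string) ($post['phone']      ?? ''));

    $errors = [];
    if ($first === '' || strlen($first) > 100) { $errors[] = 'first_name'; }
    if ($last  === '' || strlen($last)  > 100) { $errors[] = 'last_name'; }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) { $errors[] = 'email'; }
    // Digits, spaces, '+', '-' and parentheses only, 6 to 20 characters.
    if (!preg_match('/^[0-9 +()-]{6,20}$/', $phone)) { $errors[] = 'phone'; }

    return [
        'ok'     => $errors === [],
        'errors' => $errors,
        'data'   => ['first' => $first, 'last' => $last, 'email' => $email, 'phone' => $phone],
    ];
}

/**
 * The pattern discussed in the thread, for contrast only: the value is spliced
 * into the SQL text, so the database parses user input as part of the statement.
 * Escaping (addslashes, magic quotes) only patches that; it does not change it.
 */
function unsafeInsertSql(string $first, string $last): string
{
    return "INSERT INTO entries (first_name, last_name) VALUES ('$first', '$last')";
}

/**
 * Hardened form: a prepared statement. The SQL goes to the server with
 * placeholders and the values are bound separately, so a quote in a value can
 * never end the string literal or the statement. No slash handling required.
 */
function insertEntry(PDO $pdo, array $data): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO entries (first_name, last_name, email, phone)
         VALUES (:first, :last, :email, :phone)'
    );
    $stmt->execute([
        ':first' => $data['first'],
        ':last'  => $data['last'],
        ':email' => $data['email'],
        ':phone' => $data['phone'],
    ]);
    return (int) $pdo->lastInsertId();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $result = validateEntry($_POST);
    if (!$result['ok']) {
        http_response_code(400);
        // Only the field names are echoed, never the submitted values.
        echo 'Invalid fields: ' . htmlspecialchars(implode(', ', $result['errors']), ENT_QUOTES, 'UTF-8');
        exit;
    }

    $pdo = new PDO($config['dsn'], $config['user'], $config['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // surface failures instead of continuing silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares, not client-side quoting
    ]);
    insertEntry($pdo, $result['data']);

    // Post/Redirect/Get, as Murlyn suggests: hand the user a thank-you page.
    header('Location: /thanks.html', true, 303);
    exit;
}
```

For the assumed credentials file, a DSN of the form mysql:host=localhost;dbname=one;charset=utf8mb4 is what PDO's MySQL driver expects; keeping it outside the document root means a misconfigured web server can serve the script but never the password. Disabling emulated prepares is the detail that makes the protection server-side rather than a client-side quoting step, which is the same category of measure the thread is trying to move away from.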
