mySQL security

Joined: Jan 15, 2003 | Messages: 4 | Reaction score: 16 | Points: 3 | Location: Whangarei, New Zealand | Your Mac's Specs: Pwnt
I have a simple xhtml page with a form asking for the user's first name, last name, email address and phone number. The form submits its data to 'database.php' which is a simple php script that adds the given data to the table 'entries' in the database 'one'.

At the moment, it's nothing more than that. In the php page I open the connection to the mysql server through a separate script in a subdirectory which will eventually be protected with htaccess.

Security is of extreme importance in this situation. What measures can I take to prevent a malicious user entering a set of commands that will close the query and give them full access to my database (e.g. entering a single/double quote and a ')' to terminate the running command)?
 
Joined: Jun 11, 2003 | Messages: 4,915 | Reaction score: 68 | Points: 48 | Location: Mount Vernon, WA | Your Mac's Specs: MacBook Pro 2.6 GHz Core 2 Duo 4GB RAM OS 10.5.2
Verify all data. And what I would do is post to your original page and then send them to a different page saying thank you.

For your login data, make sure that file is kept outside of the web directories; that way a person cannot access it through the web.. only through ftp, ssh, etc, but then they have to have the password.. if they get the password then it really does not matter what kind of security you do..

Try urlencoding and urldecoding.. try stripslashes, try addslashes..

I put all my data into single quotes.. even those that are just numbers..

I do remove the slashes and then add my own slashes to the data.. that should take care of all your problems :)
 
Joined: Jun 11, 2003 | Messages: 4,915 | Reaction score: 68 | Points: 48 | Location: Mount Vernon, WA | Your Mac's Specs: MacBook Pro 2.6 GHz Core 2 Duo 4GB RAM OS 10.5.2
Oh hey Muso.. where in NZ are you? I was and am still thinking of moving there.. I absolutely love the people! the land! everything.. just trying to convince my fiancée is hard :(
 
OP muso | Joined: Jan 15, 2003 | Messages: 4 | Reaction score: 16 | Points: 3 | Location: Whangarei, New Zealand | Your Mac's Specs: Pwnt
You mean post to PHP_SELF() or whatever, and have the database script in the same file?

Do single quotes prevent mySQL commands being entered? I think the only way I could even get the form data into the database was to use something like:

insert into table values('$first_name', '$last_name')

Is that secure, if I use stripslashes with it?
 
OP muso | Joined: Jan 15, 2003 | Messages: 4 | Reaction score: 16 | Points: 3 | Location: Whangarei, New Zealand | Your Mac's Specs: Pwnt
Check your private messages :)
 
Joined: Jun 11, 2003 | Messages: 4,915 | Reaction score: 68 | Points: 48 | Location: Mount Vernon, WA | Your Mac's Specs: MacBook Pro 2.6 GHz Core 2 Duo 4GB RAM OS 10.5.2
Yeah I mean using PHP_SELF.. try to make sure and use the new global variables though.. so $_SERVER['PHP_SELF'] and $_POST['firstname'] etc etc. And actually you won't need to do anything to that input because it should automatically add slashes to your incoming data..

So let's say $_POST['lastname'] was O'Connel then it would actually be O\'Connel which escapes the apostrophe.. and tells mysql to not use it as part of the sql statement.. that it's actually part of the value..

So something like this:

INSERT INTO tablename VALUES ('{$_POST['firstname']}', '{$_POST['lastname']}');

As you can see, surrounding the variables are single quotes.. now since the data within will have their single quotes escaped.. it shouldn't matter what kind of stuff someone puts in the fields.. they shouldn't be able to add any damaging code without it throwing up an error.
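The INSERT the two posts above build by interpolating $_POST into the SQL string, beside the prepared-statement form that removes the need for addslashes or magic_quotes altogether. This is an added example, not code from either poster; the database 'one' and table 'entries' come from the thread, while the column names, the config file path and the credential variables are assumptions.

```php
<?php
// Added example, not code from this thread. Assumes the thread's database 'one' and
// table 'entries' with columns first_name, last_name, email, phone (column names
// assumed), plus a config file outside the web root defining $db_user and $db_pass.
require '/var/www/private/db_config.php'; // hypothetical path, not web-reachable

// The pattern the thread discusses: input interpolated into the SQL text. A quote
// in any field changes the statement's structure; addslashes/magic_quotes only
// patch some inputs, so what the statement means still depends on the data.
function insert_unsafe(mysqli $db, array $in): bool
{
    $sql = "INSERT INTO entries (first_name, last_name, email, phone) VALUES "
         . "('{$in['first_name']}', '{$in['last_name']}', '{$in['email']}', '{$in['phone']}')";
    return (bool) $db->query($sql);
}

// Hardened: prepared statement. The SQL text reaches MySQL first; the values
// travel separately and are never parsed as SQL, whatever characters they hold.
function insert_safe(mysqli $db, array $in): bool
{
    $stmt = $db->prepare(
        'INSERT INTO entries (first_name, last_name, email, phone) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $in['first_name'], $in['last_name'], $in['email'], $in['phone']);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Validate shape first: injection-safe is not the same as valid data.
function validate(array $post): ?array
{
    $out = [];
    foreach (['first_name', 'last_name', 'email', 'phone'] as $f) {
        $v = trim($post[$f] ?? '');
        if ($v === '' || strlen($v) > 100) return null;
        $out[$f] = $v;
    }
    if (filter_var($out['email'], FILTER_VALIDATE_EMAIL) === false) return null;
    if (!preg_match('/^\+?[0-9 ()-]{5,20}$/', $out['phone'])) return null;
    return $out;
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently
$db = new mysqli('localhost', $db_user, $db_pass, 'one');
$db->set_charset('utf8mb4'); // escaping rules depend on the connection charset
$data = validate($_POST);
if ($data === null) { http_response_code(400); exit('Invalid input'); }
insert_safe($db, $data);
header('Location: /thanks.html'); // then send the user to a thank-you page, as suggested above
```

insert_unsafe is kept only for comparison; a production script would contain insert_safe alone, and the MySQL account used here should have INSERT on 'entries' and nothing more.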
 