Thread: mySQL security

  1. #1
    muso (Whangarei, New Zealand; member since Jan 15, 2003; 2 posts)
    I have a simple XHTML page with a form asking for the user's first name, last name, email address and phone number. The form submits its data to 'database.php', which is a simple PHP script that adds the given data to the table 'entries' in the database 'one'.

    At the moment, it's nothing more than that. In the PHP page I open the connection to the MySQL server through a separate script in a subdirectory which will eventually be protected with htaccess.

    Security is of extreme importance in this situation. What measures can I take to prevent a malicious user entering a set of commands that will close the query and give them full access to my database (e.g. entering a single/double quote and a ')' to terminate the running command)?
    I'm in your forums, writing sentences in a grammatically acceptable manner.

  2. #2
    Murlyn (Mount Vernon, WA; member since Jun 11, 2003; 4,915 posts)
    Verify all data. And what I would do is post to your original page and then send them to a different page saying thank you.

    For your login data, make sure that file is kept outside of the web directories; that way a person cannot access it through the web, only through FTP, SSH, etc., but then they have to have the password. If they get the password then it really does not matter what kind of security you do.

    Try urlencoding and urldecoding.. try stripslashes, try addslashes..

    I put all my data into single quotes.. even those that are just numbers..

    I do remove the slashes and then add my own slashes to the data. That should take care of all your problems.

  3. #3
    Murlyn (Mount Vernon, WA; member since Jun 11, 2003; 4,915 posts)
    Oh hey Muso, where in NZ are you? I was and am still thinking of moving there. I absolutely love the people! The land! Everything. Just trying to convince my fiancé is hard.

  4. #4
    muso (Whangarei, New Zealand; member since Jan 15, 2003; 2 posts)
    You mean post to PHP_SELF() or whatever, and have the database script in the same file?

    Do single quotes prevent MySQL commands being entered? I think the only way I could even get the form data into the database was to use something like:
    insert into table values('$first_name', '$last_name')
    Is that secure, if I use stripslashes with it?

  5. #5
    muso (Whangarei, New Zealand; member since Jan 15, 2003; 2 posts)
    Check your private messages

  6. #6
    Murlyn (Mount Vernon, WA; member since Jun 11, 2003; 4,915 posts)
    Yeah, I mean using PHP_SELF. Try to make sure and use the new global variables though, so $_SERVER['PHP_SELF'] and $_POST['firstname'] etc. And actually you won't need to do anything to that input because it should automatically add slashes to your incoming data.

    So let's say $_POST['lastname'] was O'Connel; then it would actually be O\'Connel, which escapes the apostrophe and tells MySQL to not use it as part of the SQL statement, that it's actually part of the value.

    So something like this:

    INSERT INTO tablename VALUES ('{$_POST['firstname']}', '{$_POST['lastname']}');

    As you can see, surrounding the variables are single quotes. Now since the data within will have their single quotes escaped, it shouldn't matter what kind of stuff someone puts in the fields. They shouldn't be able to add any damaging code without it throwing up an error.
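An added example, not code from the thread: the same INSERT written two ways, so you can watch the apostrophe case from the thread break the string-building version while a parameterized query stores it unchanged. The code is mine, not muso's or Murlyn's. It assumes PDO with SQLite in memory so it runs with no MySQL server (in production the DSN would point at the MySQL database 'one' from the question), assumes column names first_name, last_name, email and phone for the 'entries' table, and the helper names openDb, validateEntry, insertByConcatenation, insertPrepared and countLastName are my own.

```php
<?php
// Added example (not from the thread). Uses PDO + in-memory SQLite so it runs
// offline; swap the DSN for 'mysql:host=localhost;dbname=one' plus credentials
// to use it against MySQL. Column names are an assumption.
declare(strict_types=1);

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    // Surface SQL errors as exceptions instead of silent false returns.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE entries (first_name TEXT, last_name TEXT, email TEXT, phone TEXT)');
    return $db;
}

// "Verify all data": reject anything that does not look like what the form asked for.
function validateEntry(array $post): array {
    $first = trim((string)($post['firstname'] ?? ''));
    $last  = trim((string)($post['lastname'] ?? ''));
    $email = filter_var((string)($post['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    $phone = preg_replace('/[^0-9+ ]/', '', (string)($post['phone'] ?? ''));
    if ($first === '' || $last === '' || $email === false || $phone === '') {
        throw new InvalidArgumentException('form data failed validation');
    }
    return ['first_name' => $first, 'last_name' => $last, 'email' => $email, 'phone' => $phone];
}

// The pattern discussed in the thread: values pasted into the SQL text.
// Any quote in the value becomes part of the statement's syntax.
function insertByConcatenation(PDO $db, array $row): void {
    $sql = "INSERT INTO entries VALUES ('{$row['first_name']}', '{$row['last_name']}', "
         . "'{$row['email']}', '{$row['phone']}')";
    $db->exec($sql);
}

// Hardened form: placeholders. The statement text is fixed; values travel
// separately, so a quote in a value can never close the literal.
function insertPrepared(PDO $db, array $row): void {
    $stmt = $db->prepare(
        'INSERT INTO entries (first_name, last_name, email, phone) VALUES (:first, :last, :email, :phone)'
    );
    $stmt->execute([
        ':first' => $row['first_name'],
        ':last'  => $row['last_name'],
        ':email' => $row['email'],
        ':phone' => $row['phone'],
    ]);
}

// Parameterized read-back, to confirm the stored value is the literal input.
function countLastName(PDO $db, string $lastName): int {
    $stmt = $db->prepare('SELECT COUNT(*) FROM entries WHERE last_name = ?');
    $stmt->execute([$lastName]);
    return (int)$stmt->fetchColumn();
}

// Constructed sample submission (not real data), with the apostrophe case from the thread.
$post = [
    'firstname' => 'Sean',
    'lastname'  => "O'Connel",
    'email'     => 'sean@example.com',
    'phone'     => '+64 9 000 0000',
];
$row = validateEntry($post);
$db  = openDb();

try {
    insertByConcatenation($db, $row);
    echo "concatenation: inserted\n";
} catch (PDOException $e) {
    // The apostrophe in O'Connel ends the string literal early; the rest is a syntax error.
    echo "concatenation: SQL error: " . $e->getMessage() . "\n";
}

insertPrepared($db, $row);
echo "prepared: rows with last name O'Connel = " . countLastName($db, "O'Connel") . "\n";
```

Run it with `php example.php`. The first INSERT fails with a syntax error because the value's quote is parsed as SQL; the second stores O'Connel verbatim with no slashes added or removed, which is why placeholders rather than escaping are the usual answer to the question in post #1. With the MySQL driver you would additionally set PDO::ATTR_EMULATE_PREPARES to false so the server, not the client library, performs the parameter binding.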
