Jump to content

Recommended Posts

<?php
# database connection scripts 
# the next 4 lines you can modify 
$dbhost = 'localhost'; 
$dbusername = 'root'; 
$dbpasswd = ''; 
$database_name = 'share'; 

#under here, don't touch! 
$connection = mysql_connect("$dbhost","$dbusername","$dbpasswd") 
    or die ("Couldn't connect to server."); 
$db = mysql_select_db("$database_name", $connection) 
    or die("Couldn't select database."); 

if(!get_magic_quotes_gpc())
{
  $_GET = array_map('mysql_real_escape_string', $_GET); 
  $_POST = array_map('mysql_real_escape_string', $_POST); 
  $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}
else
{  
   $_GET = array_map('stripslashes', $_GET); 
   $_POST = array_map('stripslashes', $_POST); 
   $_COOKIE = array_map('stripslashes', $_COOKIE);
   $_GET = array_map('mysql_real_escape_string', $_GET); 
   $_POST = array_map('mysql_real_escape_string', $_POST); 
   $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}

?>

 

This is my database connection script would you say this was secure ?, if not what could i need to make it more secure ?

 

Many thanks

 

James.

Link to comment
https://forums.phpfreaks.com/topic/146680-is-this-secure/
Share on other sites

Actually, i didn't know there is a secure & non secure connections

 

I connect to the database using this only...

 

$con=mysql_connect("$connection", "$name", "$pass"); 
mysql_select_db("$database", $con); 

 

Does that mean it is not secure!

 

 

No but every page i have in my project is using requiring this script so i need it pretty tight on security if you know what i mean ?

Link to comment
https://forums.phpfreaks.com/topic/146680-is-this-secure/#findComment-770074
Share on other sites

really depends on what your doing on your site..

 

Their is no one quick fix/magic bullet when it comes to security!

 

if your question is will this stop SQL injection from POST, GET, or COOKIEs then yes it will stop most probably all injections entered via POST, GET, or COOKIEs..

 

Link to comment
https://forums.phpfreaks.com/topic/146680-is-this-secure/#findComment-770083
Share on other sites

really depends on what your doing on your site..

 

Their is no one quick fix/magic bullet when it comes to security!

 

if your question is will this stop SQL injection from POST, GET, or COOKIEs then yes it will stop most probably all injections entered via POST, GET, or COOKIEs..

 

yes thats basically all i need to know :) thankyou (*).

Link to comment
https://forums.phpfreaks.com/topic/146680-is-this-secure/#findComment-770086
Share on other sites

<?php
# database connection scripts 
# the next 4 lines you can modify 
$dbhost = 'localhost'; 
$dbusername = 'root'; 
$dbpasswd = ''; 
$database_name = 'share'; 

#under here, don't touch! 
$connection = mysql_connect("$dbhost","$dbusername","$dbpasswd") 
    or die ("Couldn't connect to server."); 
$db = mysql_select_db("$database_name", $connection) 
    or die("Couldn't select database."); 

if(!get_magic_quotes_gpc())
{
  $_GET = array_map('mysql_real_escape_string', $_GET); 
  $_POST = array_map('mysql_real_escape_string', $_POST); 
  $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}
else
{  
   $_GET = array_map('stripslashes', $_GET); 
   $_POST = array_map('stripslashes', $_POST); 
   $_COOKIE = array_map('stripslashes', $_COOKIE);
   $_GET = array_map('mysql_real_escape_string', $_GET); 
   $_POST = array_map('mysql_real_escape_string', $_POST); 
   $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}

?>

 

This is my database connection script would you say this was secure ?, if not what could i need to make it more secure ?

 

Many thanks

 

James.

 

I don't believe that array_map used at the top-level will work on request data that is itself an array (checkbox results, for example).  I use the following function, which I got from someone else on here:

 

<?php
function clean($value)
{
	if (is_array($value))
	{
		foreach($value as $k => $v)
		{
			$value[$k] = clean($v);
		}
	}
	else
	{
		if(get_magic_quotes_gpc() == 1)
		{
			$value = stripslashes($value);
		}

		$value = trim(htmlspecialchars($value, ENT_QUOTES, "utf-8")); //convert input into friendly characters to stop XSS
		$value = mysql_real_escape_string($value);
	}
   
	return $value;
}
?>

 

Other than that, make sure you validate incoming data...a name, for instance, shouldn't contain an integer.

Link to comment
https://forums.phpfreaks.com/topic/146680-is-this-secure/#findComment-770088
Share on other sites

Array_map does work properly in that code, test it if you don't believe.

 

Code using just mysql_real_escape_string() won't prevent sql injection with numeric data, only string data (which is why mysql_real_escape_string() is called what it is.) Numeric data must be validated or cast as numeric because it is possible to inject sql using hex (which is automatically treated as a string) without using quotes in it.

Link to comment
https://forums.phpfreaks.com/topic/146680-is-this-secure/#findComment-770098
Share on other sites

Numeric data must be validated or cast as numeric because it is possible to inject sql using hex (which is automatically treated as a string) without using quotes in it.

Things like this are why I like using MySQLi and its prepared statements.

 

So MySQLi protects against that then?

Link to comment
https://forums.phpfreaks.com/topic/146680-is-this-secure/#findComment-770130
Share on other sites

Numeric data must be validated or cast as numeric because it is possible to inject sql using hex (which is automatically treated as a string) without using quotes in it.

Things like this are why I like using MySQLi and its prepared statements.

 

So MySQLi protects against that then?

 

With prepared statements, type is enforced.  You can see how to construct them here: http://us.php.net/manual/en/mysqli.prepare.php

 

And, the kind of datatypes it accepts here: http://us.php.net/manual/en/mysqli-stmt.bind-param.php

 

Prepared statements are also automatically escaped, so you don't need to run something like mysql_real_escape_string().

Link to comment
https://forums.phpfreaks.com/topic/146680-is-this-secure/#findComment-770144
Share on other sites

Prepared statements are also automatically escaped, so you don't need to run something like mysql_real_escape_string().

 

Wow I didn't realize prepared statements are auto escaped! Thanks for the links as well!

 

would this work ?

 

<?php
# database connection scripts 
# the next 4 lines you can modify 
$dbhost = 'localhost'; 
$dbusername = 'root'; 
$dbpasswd = ''; 
$database_name = 'share'; 

#under here, don't touch! 
$connection = mysql_connect("$dbhost","$dbusername","$dbpasswd") 
    or die ("Couldn't connect to server."); 
$db = mysql_select_db("$database_name", $connection) 
    or die("Couldn't select database."); 

if(!get_magic_quotes_gpc())
{
  $_GET = array_map('mysql_real_escape_string', $_GET); 
  $_POST = array_map('mysql_real_escape_string', $_POST); 
  $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}
else
{  
   $_GET = array_map('stripslashes', $_GET); 
   $_POST = array_map('stripslashes', $_POST); 
   $_COOKIE = array_map('stripslashes', $_COOKIE);
   $_GET = array_map('mysql_real_escape_string', $_GET); 
   $_POST = array_map('mysql_real_escape_string', $_POST); 
   $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}
function clean($value)
{
if (is_array($value))
{
foreach($value as $k => $v)
{
$value[$k] = clean($v);
}
}
else
{
if(get_magic_quotes_gpc() == 1)
{
$value = stripslashes($value);
}

$value = trim(htmlspecialchars($value, ENT_QUOTES, "utf-8")); 
$value = mysql_real_escape_string($value);
}

return $value;
}



?>

Link to comment
https://forums.phpfreaks.com/topic/146680-is-this-secure/#findComment-770202
Share on other sites

would this work ?

 

Isn't that the same code as previous? I believe someone recently said it was working. It looks like a great script! I would change your mysql_real_escape_string to mysqli. That's my suggestion anyway.

 

http://us.php.net/manual/en/mysqli.real-escape-string.php

Link to comment
https://forums.phpfreaks.com/topic/146680-is-this-secure/#findComment-770231
Share on other sites

Prepared statements are also automatically escaped, so you don't need to run something like mysql_real_escape_string().

 

Wow I didn't realize prepared statements are auto escaped! Thanks for the links as well!

 

would this work ?

 

<?php
# database connection scripts 
# the next 4 lines you can modify 
$dbhost = 'localhost'; 
$dbusername = 'root'; 
$dbpasswd = ''; 
$database_name = 'share'; 

#under here, don't touch! 
$connection = mysql_connect("$dbhost","$dbusername","$dbpasswd") 
    or die ("Couldn't connect to server."); 
$db = mysql_select_db("$database_name", $connection) 
    or die("Couldn't select database."); 

if(!get_magic_quotes_gpc())
{
  $_GET = array_map('mysql_real_escape_string', $_GET); 
  $_POST = array_map('mysql_real_escape_string', $_POST); 
  $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}
else
{  
   $_GET = array_map('stripslashes', $_GET); 
   $_POST = array_map('stripslashes', $_POST); 
   $_COOKIE = array_map('stripslashes', $_COOKIE);
   $_GET = array_map('mysql_real_escape_string', $_GET); 
   $_POST = array_map('mysql_real_escape_string', $_POST); 
   $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}
function clean($value)
{
if (is_array($value))
{
foreach($value as $k => $v)
{
$value[$k] = clean($v);
}
}
else
{
if(get_magic_quotes_gpc() == 1)
{
$value = stripslashes($value);
}

$value = trim(htmlspecialchars($value, ENT_QUOTES, "utf-8")); 
$value = mysql_real_escape_string($value);
}

return $value;
}



?>

 

Change it around to:

 

<?php
function clean($value)
{
if (is_array($value))
{
foreach($value as $k => $v)
{
$value[$k] = clean($v);
}
}
else
{
if(get_magic_quotes_gpc() == 1)
{
$value = stripslashes($value);
}

$value = trim(htmlspecialchars($value, ENT_QUOTES, "utf-8")); 
$value = mysql_real_escape_string($value);
}

return $value;
}

# database connection scripts 
# the next 4 lines you can modify 
$dbhost = 'localhost'; 
$dbusername = 'root'; 
$dbpasswd = ''; 
$database_name = 'share'; 

#under here, don't touch! 
$connection = mysql_connect("$dbhost","$dbusername","$dbpasswd") 
    or die ("Couldn't connect to server."); 
$db = mysql_select_db("$database_name", $connection) 
    or die("Couldn't select database."); 

$_POST = clean($_POST);
$_GET = clean($_GET);
$_COOKIE = clean($_COOKIE);
?>

Link to comment
https://forums.phpfreaks.com/topic/146680-is-this-secure/#findComment-770244
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.