
JustinK101

Securing My PHP Application For Business Use


Hello all, I am developing an application that companies will HOPEFULLY :) buy and use. I am a little concerned about security though, because they will be entering sensitive information. I am decently experienced with PHP and MySQL but what are some general security tips and holes?

I am not doing any IO, purely storage and retrieval from MySQL. I will be using mail() though, and I know there are some issues related to that. How about MySQL injection attacks, what's the easiest fix for that? I purely use variables in their right scope, i.e. I don't take advantage of REGISTER GLOBALS which I know is one good security measure. Thanks for additional advice.

Ten Security Checks for PHP, Part 1
by Clancy Malcolm
http://www.onlamp.com/pub/a/php/2003/03/20/php_security.html

=======

http://uk2.php.net/mysql_real_escape_string

Example 3. A "Best Practice" query

Using mysql_real_escape_string() around each variable prevents SQL Injection. This example demonstrates the "best practice" method for querying a database, independent of the Magic Quotes setting.

[code]<?php
// Quote variable to make safe
function quote_smart($value)
{
  // Stripslashes
  if (get_magic_quotes_gpc()) {
      $value = stripslashes($value);
  }
  // Quote if not a number or a numeric string
  if (!is_numeric($value)) {
      $value = "'" . mysql_real_escape_string($value) . "'";
  }
  return $value;
}

// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
  OR die(mysql_error());

// Make a safe query
$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
          quote_smart($_POST['username']),
          quote_smart($_POST['password']));

mysql_query($query);
?>[/code]
The query will now execute correctly, and SQL Injection attacks will not work.

[b]Thanks for the tips, Mark[/b]. Unfortunately I have already written a lot of this code, and changing all my queries to implement the function call quote_smart() on every variable is nothing less than a disaster and headache. Looks like smart_quotes_gtc is going to have to be good enough, unless I feel ambitious and want to change all my queries. Any other idea to simplify my life?

Currently my queries look like:

$sql = "SELECT first_name, last_name, company_name FROM customers WHERE customer_id = " . $_POST['customer_id'] . " AND status = '" . $isActive . "'";

Any easy fix for queries in that format?

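For the concatenated query in the last post, here is an added example (not code from the thread or from the PHP manual) that rewrites it with PDO prepared statements, so each value is bound as a parameter instead of being spliced into the SQL string. The DSN, database name and credentials are placeholders; the table and column names are the ones from the post.

```php
<?php
// Added example: the customers query from the post, rewritten with PDO so that
// user input is sent to MySQL as bound parameters, not concatenated into SQL.
// Assumes PHP with the pdo_mysql extension; connection values are placeholders.

declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASSWORD_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, not silently
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
        ]
    );
}

// Original form from the post, shown for comparison only:
//   $sql = "SELECT first_name, last_name, company_name FROM customers
//           WHERE customer_id = " . $_POST['customer_id'] . " AND status = '" . $isActive . "'";

function fetch_customer(PDO $pdo, string $customerId, string $isActive): ?array
{
    // Validate the integer column before it reaches the query at all:
    // ctype_digit rejects anything that is not a plain unsigned number.
    if (!ctype_digit($customerId)) {
        return null;
    }

    $stmt = $pdo->prepare(
        'SELECT first_name, last_name, company_name
           FROM customers
          WHERE customer_id = :customer_id AND status = :status'
    );
    // Each placeholder is bound with an explicit type; the driver never
    // interprets the bound values as SQL, whatever characters they contain.
    $stmt->bindValue(':customer_id', (int) $customerId, PDO::PARAM_INT);
    $stmt->bindValue(':status', $isActive, PDO::PARAM_STR);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage: $isActive is the same application variable the post uses.
$isActive = 'active';
$customer = fetch_customer(connect(), $_POST['customer_id'] ?? '', $isActive);
```

With this shape every existing query is changed the same mechanical way (placeholder in the SQL, bindValue per variable), so no per-variable quote_smart() call is needed and magic quotes no longer matter.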