Jump to content


Photo

Securing My PHP Application For Buisness Use


  • Please log in to reply
2 replies to this topic

#1 JustinK101

JustinK101
  • Members
  • PipPipPip
  • Advanced Member
  • 503 posts
  • LocationSan Diego, California, US

Posted 15 September 2006 - 07:15 AM

Hello all, I am devolving an application that companies will HOPEFULLY :) buy and use. I am a little concerned about security though, because they will be entering sensitive information. I am decently experienced with PHP and MySQL but what are some general security tips and holes?

I am not doing any IO, purely storage and retrieval from MySQL. I will be using mail() though, and I know there some issues related to that. How about MySQL injection attacks, what’s the easiest fix for that? I purely use variables in their right scope, i.e. I don’t take advantage of REGISTER GLOBALS which I know is one good security measure. Thanks for additional advice.

#2 markbett

markbett
  • Members
  • PipPipPip
  • Advanced Member
  • 133 posts

Posted 15 September 2006 - 07:58 AM

Ten Security Checks for PHP, Part 1
by Clancy Malcolm
http://www.onlamp.co...p_security.html

=======

http://uk2.php.net/m...l_escape_string

Example 3. A "Best Practice" query

Using mysql_real_escape_string() around each variable prevents SQL Injection. This example demonstrates the "best practice" method for querying a database, independent of the Magic Quotes setting.

<?php
// Quote variable to make safe
function quote_smart($value)
{
   // Stripslashes
   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }
   // Quote if not a number or a numeric string
   if (!is_numeric($value)) {
       $value = "'" . mysql_real_escape_string($value) . "'";
   }
   return $value;
}

// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
   OR die(mysql_error());

// Make a safe query
$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
           quote_smart($_POST['username']),
           quote_smart($_POST['password']));

mysql_query($query);
?>
The query will now execute correctly, and SQL Injection attacks will not work.



#3 JustinK101

JustinK101
  • Members
  • PipPipPip
  • Advanced Member
  • 503 posts
  • LocationSan Diego, California, US

Posted 15 September 2006 - 08:24 AM

Thanks for tips Mark. Unfortunately I have already written a lot of this code, and changing all my queries to implement the function call quote_smart() on every variable is nothing-less than a disaster and headache. Looks like smart_quotes_gtc going to have to be good enough, unless I feel ambitious and want to change all my queries. Any other idea to simply my life?

Currently my queries look like:

$sql = "SELECT first_name, last_name, company_name FROM customers WHERE customer_id = " . $_POST['customer_id'] . " AND status = '" . $isActive . "'";

Any easy fix for queries in that format?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users