JustinK101 Posted September 15, 2006

Hello all, I am developing an application that companies will HOPEFULLY :) buy and use. I am a little concerned about security though, because they will be entering sensitive information. I am decently experienced with PHP and MySQL but what are some general security tips and holes? I am not doing any IO, purely storage and retrieval from MySQL. I will be using mail() though, and I know there are some issues related to that. How about MySQL injection attacks, what's the easiest fix for that? I purely use variables in their right scope, i.e. I don't take advantage of REGISTER GLOBALS, which I know is one good security measure. Thanks for additional advice.

https://forums.phpfreaks.com/topic/20834-securing-my-php-application-for-buisness-use/
markbett Posted September 15, 2006

Ten Security Checks for PHP, Part 1 by Clancy Malcolm
http://www.onlamp.com/pub/a/php/2003/03/20/php_security.html

=======

http://uk2.php.net/mysql_real_escape_string

Example 3. A "Best Practice" query

Using mysql_real_escape_string() around each variable prevents SQL Injection. This example demonstrates the "best practice" method for querying a database, independent of the Magic Quotes setting.

[code]
<?php
// Quote variable to make safe
function quote_smart($value)
{
    // Stripslashes (undo magic_quotes_gpc so the value is not escaped twice)
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }

    // Quote if not a number or a numeric string
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

// Connect (mysql_real_escape_string needs an open connection)
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
    OR die(mysql_error());

// Make a safe query
$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
            quote_smart($_POST['username']),
            quote_smart($_POST['password']));

mysql_query($query);
?>
[/code]

The query will now execute correctly, and SQL Injection attacks will not work.
JustinK101 Posted September 15, 2006 (Author)

[b]Thanks for the tips Mark[/b]. Unfortunately I have already written a lot of this code, and changing all my queries to implement the function call quote_smart() on every variable is nothing less than a disaster and headache. Looks like magic_quotes_gpc is going to have to be good enough, unless I feel ambitious and want to change all my queries. Any other idea to simplify my life?

Currently my queries look like:

[code]
$sql = "SELECT first_name, last_name, company_name FROM customers WHERE customer_id = " . $_POST['customer_id'] . " AND status = '" . $isActive . "'";
[/code]

Any easy fix for queries in that format?
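The following is an added example, not code from the thread or from the PHP manual. It takes the exact query shape JustinK101 posted and shows three ways of running it side by side: the original string concatenation, a quote_smart-style escaping wrapper like the one markbett quoted (using PDO::quote instead of mysql_real_escape_string), and a prepared statement with bound parameters. It uses PDO with an in-memory SQLite database so it runs offline; the customers table, its rows and the two test inputs are constructed for the example. Function names (lookupConcatenated, lookupEscaped, lookupPrepared) are the example's own.

```php
<?php
// Added example: the thread's customers query in three forms.
// Constructed sample schema and data; SQLite in memory so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE customers (
    customer_id INTEGER PRIMARY KEY,
    first_name TEXT, last_name TEXT, company_name TEXT, status TEXT)");
$pdo->exec("INSERT INTO customers VALUES
    (1, 'Ada',   'Lovelace', 'Analytical Ltd', 'active'),
    (2, 'Alan',  'Turing',   'Bletchley Inc',  'inactive'),
    (3, 'Grace', 'Hopper',   'COBOL Corp',     'active')");

// 1. The pattern from the thread: request values pasted into the SQL text.
//    Whatever arrives in customer_id becomes part of the query's grammar.
function lookupConcatenated(PDO $pdo, string $customerId, string $isActive): array
{
    $sql = "SELECT first_name, last_name, company_name FROM customers "
         . "WHERE customer_id = " . $customerId . " AND status = '" . $isActive . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. quote_smart-style wrapper: numbers are validated, strings are quoted and
//    escaped by the driver. Same idea as the manual's example, one call per value.
function quoteSmart(PDO $pdo, string $value): string
{
    $asInt = filter_var($value, FILTER_VALIDATE_INT);
    if ($asInt !== false) {
        return (string) $asInt;          // a genuine integer: safe to inline
    }
    return $pdo->quote($value);          // otherwise quoted + escaped as a string
}

function lookupEscaped(PDO $pdo, string $customerId, string $isActive): array
{
    $sql = "SELECT first_name, last_name, company_name FROM customers "
         . "WHERE customer_id = " . quoteSmart($pdo, $customerId)
         . " AND status = " . quoteSmart($pdo, $isActive);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statement: placeholders in the SQL, values bound separately.
//    The input can only ever be data. Non-integer ids are rejected up front
//    instead of being silently cast (PDO casts PARAM_INT values to int).
function lookupPrepared(PDO $pdo, string $customerId, string $isActive): array
{
    $id = filter_var($customerId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];                       // not a customer id: nothing to look up
    }
    $stmt = $pdo->prepare(
        "SELECT first_name, last_name, company_name FROM customers "
      . "WHERE customer_id = :id AND status = :status");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':status', $isActive, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal id, and a value that is not an id at all.
// With concatenation the second one is parsed as SQL and widens the WHERE
// clause to every active customer; the other two forms treat it as data.
foreach (['3', '1 OR 1=1'] as $input) {
    printf("input %-10s concat=%d  escaped=%d  prepared=%d\n",
        "'$input'",
        count(lookupConcatenated($pdo, $input, 'active')),   // 1, then 2
        count(lookupEscaped($pdo, $input, 'active')),        // 1, then 0
        count(lookupPrepared($pdo, $input, 'active')));      // 1, then 0
}
```

For the code JustinK101 already has, the escaping wrapper is the smaller change (wrap each interpolated value, nothing else moves), but the prepared statement is the form to aim for: it removes the quoting question entirely rather than answering it correctly on every line. Two facts worth knowing when reading this thread today: magic_quotes_gpc was removed in PHP 5.4, so the "good enough" fallback no longer exists, and the mysql_* functions in markbett's snippet were removed in PHP 7; mysqli or PDO prepared statements are the replacements.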