JustinK101 Posted September 15, 2006

Hello all, I am developing an application that companies will HOPEFULLY :) buy and use. I am a little concerned about security though, because they will be entering sensitive information. I am decently experienced with PHP and MySQL, but what are some general security tips and holes? I am not doing any IO, purely storage and retrieval from MySQL. I will be using mail() though, and I know there are some issues related to that. How about MySQL injection attacks, what's the easiest fix for that? I purely use variables in their right scope, i.e. I don't take advantage of REGISTER GLOBALS, which I know is one good security measure. Thanks for additional advice.
markbett Posted September 15, 2006

Ten Security Checks for PHP, Part 1, by Clancy Malcolm
http://www.onlamp.com/pub/a/php/2003/03/20/php_security.html

=======

http://uk2.php.net/mysql_real_escape_string

Example 3. A "Best Practice" query

Using mysql_real_escape_string() around each variable prevents SQL Injection. This example demonstrates the "best practice" method for querying a database, independent of the Magic Quotes setting.

[code]<?php
// Quote variable to make safe
function quote_smart($value)
{
    // Stripslashes if magic quotes already escaped the input
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }

    // Quote (and escape) if not a number or a numeric string
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
    OR die(mysql_error());

// Make a safe query
$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
            quote_smart($_POST['username']),
            quote_smart($_POST['password']));

mysql_query($query);
?>[/code]

The query will now execute correctly, and SQL Injection attacks will not work.
JustinK101 Posted September 15, 2006 (Author)

[b]Thanks for tips Mark[/b]. Unfortunately I have already written a lot of this code, and changing all my queries to implement the function call quote_smart() on every variable is nothing less than a disaster and headache. Looks like smart_quotes_gtc is going to have to be good enough, unless I feel ambitious and want to change all my queries. Any other idea to simplify my life?

Currently my queries look like:

[code]$sql = "SELECT first_name, last_name, company_name FROM customers WHERE customer_id = " . $_POST['customer_id'] . " AND status = '" . $isActive . "'";[/code]

Any easy fix for queries in that format?
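One way to handle queries in exactly that shape, as an added example that is not code from the thread: it rewrites the concatenated customers query as a PDO prepared statement (a different technique from the quote_smart() escaping quoted above) and runs both forms against an in-memory SQLite table so it needs no MySQL server; the table, rows and request values are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread: the customers query written the
// concatenated way from the post and the prepared-statement way, run against
// an in-memory SQLite database through PDO so it needs no MySQL server.
// The table, rows and request values below are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE customers (customer_id INTEGER, first_name TEXT,
           last_name TEXT, company_name TEXT, status TEXT)");
$db->exec("INSERT INTO customers VALUES
           (1, 'Ann', 'Lee', 'Acme', 'active'),
           (2, 'Bob', 'Ray', 'Globex', 'active'),
           (3, 'Cy', 'Oh', 'Initech', 'inactive')");

// The query shape from the thread: request values spliced straight into SQL.
function find_customer_concat(PDO $db, $customer_id, $isActive) {
    $sql = "SELECT first_name, last_name, company_name FROM customers"
         . " WHERE customer_id = " . $customer_id
         . " AND status = '" . $isActive . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: validate the id, then bind both values as parameters so
// the SQL text itself never contains request data.
function find_customer_prepared(PDO $db, $customer_id, $isActive) {
    if (!ctype_digit((string) $customer_id)) {   // ids are digits only
        return [];
    }
    $stmt = $db->prepare("SELECT first_name, last_name, company_name FROM customers"
                       . " WHERE customer_id = :id AND status = :status");
    $stmt->bindValue(':id', (int) $customer_id, PDO::PARAM_INT);
    $stmt->bindValue(':status', $isActive, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal lookup and a status value containing a quote,
// the kind of character the thread's escaping function exists to handle.
$good_status = 'active';
$bad_status  = "' OR '1'='1";

// Concatenated: the quote ends the string literal, so the rest of the value
// becomes part of the WHERE clause instead of being compared as data.
printf("concat,   normal status: %d row(s)\n", count(find_customer_concat($db, '2', $good_status)));
printf("concat,   quoted status: %d row(s)\n", count(find_customer_concat($db, '2', $bad_status)));
// Prepared: the bound value is compared as one plain string, quote and all.
printf("prepared, normal status: %d row(s)\n", count(find_customer_prepared($db, '2', $good_status)));
printf("prepared, quoted status: %d row(s)\n", count(find_customer_prepared($db, '2', $bad_status)));
// A non-numeric id never reaches the database at all.
printf("prepared, non-numeric id: %d row(s)\n", count(find_customer_prepared($db, '2 OR 1=1', $good_status)));
```

Running it shows the concatenated query matching more rows than the lookup intended once the status value carries a quote, while the prepared version returns only the row whose status equals the given string exactly.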