Jump to content

Securing My PHP Application For Buisness Use

JustinK101

By JustinK101
in PHP Coding Help

 Share

Recommended Posts

JustinK101 Advanced Member

JustinK101

Posted
Posted
Hello all, I am devolving an application that companies will HOPEFULLY :) buy and use. I am a little concerned about security though, because they will be entering sensitive information. I am decently experienced with PHP and MySQL but what are some general security tips and holes?

I am not doing any IO, purely storage and retrieval from MySQL. I will be using mail() though, and I know there some issues related to that. How about MySQL injection attacks, what’s the easiest fix for that? I purely use variables in their right scope, i.e. I don’t take advantage of REGISTER GLOBALS which I know is one good security measure. Thanks for additional advice.
Link to comment
Share on other sites
markbett Member

markbett

Posted
Posted
Ten Security Checks for PHP, Part 1
by Clancy Malcolm
http://www.onlamp.com/pub/a/php/2003/03/20/php_security.html

=======

http://uk2.php.net/mysql_real_escape_string

Example 3. A "Best Practice" query

Using mysql_real_escape_string() around each variable prevents SQL Injection. This example demonstrates the "best practice" method for querying a database, independent of the Magic Quotes setting.

[code]<?php
// Quote variable to make safe
function quote_smart($value)
{
  // Stripslashes
  if (get_magic_quotes_gpc()) {
      $value = stripslashes($value);
  }
  // Quote if not a number or a numeric string
  if (!is_numeric($value)) {
      $value = "'" . mysql_real_escape_string($value) . "'";
  }
  return $value;
}

// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
  OR die(mysql_error());

// Make a safe query
$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
          quote_smart($_POST['username']),
          quote_smart($_POST['password']));

mysql_query($query);
?>[/code]
The query will now execute correctly, and SQL Injection attacks will not work.

Link to comment
Share on other sites
JustinK101 Advanced Member

JustinK101

Posted
  • Author
Posted
[b]Thanks for tips Mark[/b]. Unfortunately I have already written a lot of this code, and changing all my queries to implement the function call quote_smart() on every variable is nothing-less than a disaster and headache. Looks like smart_quotes_gtc going to have to be good enough, unless I feel ambitious and want to change all my queries. Any other idea to simply my life?

Currently my queries look like:

$sql = "SELECT first_name, last_name, company_name FROM customers WHERE customer_id = " . $_POST['customer_id'] . " AND status = '" . $isActive . "'";

Any easy fix for queries in that format?
Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.