fusionpixel Posted February 24, 2006

So I finished a small application that I am using on my computer only, to avoid any problems on the net in regards to security. Since there is no easy way to ask a question like "What is the best way to create a secure application", I decided to send the question out there and ask what everyone thinks or believes is a secure way to create their applications.

I have been working with PHP/MySQL as a user, not much as a developer, for the past years, but now that I am trying to learn more about the developer side, I have hit a wall once I faced security.

For a while I was certain that putting my SQL connection in a PHP file was ok. This belief was even stronger while using different applications out there that place their connection algorithms inside folders named as simply as "connections", and if we want to examine this theory further: if you create a Database Connection in Dreamweaver, the application itself will create a folder titled "Connections" and inside that folder it will write the scripts necessary to connect to your database.

With all this in mind I ran into a basic tutorial that highlighted the importance of having your connections secure, and one recommendation was to place your connection script (or PHP file) under a password protected directory. This would be overkill IMHO, and not only that, but securing a password with another password?

Comments?

[moved from misc]
Caesar Posted February 24, 2006

Please do not generate code in Dreamweaver. I've had to clean up other people's messes many times... and I so loathe cleaning up DW generated code. Ugly as hell. And not always the most logical approaches in coding. No self-respecting person can create a serious project using DW. :P

Anyway, my comment... there is no such thing as "too secure". This of course depends on what your project is. If you are creating a site that will be storing critical personal information... you want to take every measure possible to make it more difficult to access said info.
fusionpixel (Author) Posted February 24, 2006

I use PHP Designer or Zend for my PHP projects, and if I must use Dreamweaver I use it in Code view :P. I was just making reference to how DW behaves with regard to DB connections.

So... I know there are different ways of handling security, and the ones pointed out above were some that I have seen first hand. What would you say is your best secure way to handle DB connections?
Caesar Posted February 24, 2006

Well, for starters, I always make sure the connection can only be made internally.

Example: in my db connection file, I always add an extra if statement:

[code]
// Only connect when the request came in under the expected host name
if ($_SERVER['SERVER_NAME'] == "www.thisdomain.com") {
    // Suppress the driver's own warning and fail with a fixed message instead
    $var = @mysql_connect('localhost', 'username', 'password') or die('<b>Connection Failed</b>');
    $dbname = "dbname";
    mysql_select_db($dbname) or die('<b>Database Connection Failed</b>');
} else {
    die("Die!!!!!!");
}
[/code]

I also try to avoid using folders with obvious names like "connections". Maybe a slight variation, like "cons" or such. I also track IPs and ISPs in my login scripts. ...I use a number of things I guess.
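One way to keep the credentials themselves out of the document root, so they are never servable as plain text regardless of which host name the request arrived under. This is an added example, not Caesar's code; the config path, the ini keys and the use of PDO are this example's assumptions.

```php
<?php
// Added example: load DB credentials from an ini file stored outside the web
// root (assumed path /var/www/private/db.ini with keys host, name, user, pass):
//
//   host = localhost
//   name = appdb
//   user = appuser
//   pass = "s3cret"      ; constructed sample values

declare(strict_types=1);

function dbConnect(string $configPath = '/var/www/private/db.ini'): PDO
{
    if (!is_readable($configPath)) {
        throw new RuntimeException('Database configuration is not readable.');
    }
    $cfg = parse_ini_file($configPath, false, INI_SCANNER_TYPED);
    foreach (['host', 'name', 'user', 'pass'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("Missing database setting: $key");
        }
    }

    // host=localhost keeps the connection off the network, as advised in this
    // thread; charset in the DSN avoids multibyte escaping problems.
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['name']);

    try {
        return new PDO($dsn, $cfg['user'], $cfg['pass'], [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    } catch (PDOException $e) {
        // Log the driver's reason server-side; never echo it to the visitor,
        // since it can contain the host name and user.
        error_log('DB connection failed: ' . $e->getMessage());
        throw new RuntimeException('Database unavailable.');
    }
}
```

The web server user needs read access to the ini file and nothing else does; the PHP file under the web root then contains no secret at all.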
fusionpixel (Author) Posted February 24, 2006

So you can say that it is safe to leave the files in the server without any extra security like .htaccess or anything like that?
wickning1 Posted February 25, 2006

Your MySQL server should only be accepting connections from a very small number of known IPs (or domain names). Additionally, you can firewall the MySQL port and only access the database from the local machine or inside your own network. If you set it up correctly, you could put your username and password on the evening news and not be worried.

Just watch out for other kinds of attacks that could compromise your web server machine. Insertion attacks, buffer overflows, trojans, etc.
Pezzoni Posted February 25, 2006

Validation.

Any bit of data which a user could potentially fiddle with (don't forget hidden form fields etc. as well; just because they can't be seen, it doesn't mean they can't be played with), so essentially any GET or POST data, should be heavily validated. If it should just be an integer, then validate it as such. Kill the script if anything else gets in there. If the input is text, then addslashes, strip HTML... Whatever. Just make sure nothing can be entered that you don't want in there!
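The validation Pezzoni describes, as an added example that is not from the post: a request value that must be an id is accepted only as a plain positive integer, a name only against a character whitelist, and the accepted id is then bound as a parameter of a prepared statement (a technique this thread does not mention, used here instead of addslashes). The table, its row and the sample request values are constructed for the example.

```php
<?php
// Added example (not Pezzoni's code): accept only values with the exact shape
// the script expects, then bind even the accepted value as a parameter.
// The table, its row and the sample request values are constructed here.

declare(strict_types=1);

// An id: a plain positive integer or nothing. FILTER_VALIDATE_INT rejects
// leading zeros, embedded spaces and any trailing text.
function validId(mixed $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// A short name: letters, digits, space and a few punctuation marks, at most
// 64 characters; anything else is refused outright rather than cleaned up.
function validName(mixed $raw): ?string
{
    return (is_string($raw) && preg_match('/^[\p{L}\p{N} .\'-]{1,64}$/u', $raw)) ? $raw : null;
}

// The validated id is bound as a parameter, never spliced into the SQL text.
function findUser(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Demo on an in-memory SQLite database so it runs without a MySQL server.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, name) VALUES (7, 'Alice')");

// Constructed GET values: one legitimate, two that must be refused.
foreach (['7', '7 OR 1=1', '007'] as $raw) {
    $id = validId($raw);
    if ($id === null) {
        echo 'refused id: ' . json_encode($raw) . "\n";
        continue;
    }
    $row = findUser($db, $id);
    // Encoding for HTML happens at output time, not when the value is stored.
    echo "id $id -> " . ($row ? htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') : 'not found') . "\n";
}

var_dump(validName('Alice'), validName('<script>'));   // string, then NULL
```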
fusionpixel (Author) Posted February 25, 2006

QUOTE(wickning1 @ Feb 25 2006, 03:03 AM)
Your MySQL server should only be accepting connections from a very small number of known IPs (or domain names). Additionally, you can firewall the MySQL port and only access the database from the local machine or inside your own network. If you set it up correctly, you could put your username and password on the evening news and not be worried. Just watch out for other kinds of attacks that could compromise your web server machine. Insertion attacks, buffer overflows, trojans, etc.

Good points mate, but what happens with people who are under shared servers, those who don't have the ability to set up the server themselves?
wickning1 Posted February 26, 2006

Ask your host about the security situation. If they've given you a database on their MySQL server and an account that can access it, you should be able to ask them to limit access so that only your web server has permission to send queries.