Jump to content


Photo

The truth about mySQL security


  • Please log in to reply
8 replies to this topic

#1 fusionpixel

fusionpixel
  • Members
  • PipPipPip
  • Advanced Member
  • 64 posts

Posted 24 February 2006 - 08:04 PM

So I finished a small application that I am using on my computer only to avoid any problems on the net in regards to security.

Since there is no easy way to ask a question like “What is the best way to create a secure application” I decided to send the question out there and ask to what everyone thinks or believes is a secure way to create their applications.

I have been working with PHP/mySQL as user not much as developer for the past years but now trying to learn more about the developer side, I have hit a wall once I have faced Security.

For a while I was certain that putting my sql connection in a PHP file it was ok, this believe was even stronger while using different applications out there that place their connections logarithms inside folders named as simple as “connections”, and if we want to examine this theory further if you create a Database Connection in Dreamweaver the application itself will create a folder titled “Connections” and inside that folder it will write the scripts necessary to connect to your DataBase.

With all this in mind I ran into a basic tutorial that highlighted the importance of having your connections secure and one recommendation was to place your connections script (or PHP file) under a password protected directory. This would be an overkill IMHO and not only that but securing a password with another password?

Comments?

<? moved from misc ?>
Did you know there is a manual for PHP? [a href="http://" target="_blank"]http://www.php.net[/a]
Did you know there is a manual for mySQL? [a href="http://" target="_blank"]http://www.mysql.org[/a]

#2 Caesar

Caesar
  • Members
  • PipPipPip
  • Advanced Member
  • 1,025 posts

Posted 24 February 2006 - 09:22 PM

Please do not generate code in Dreamweaver. I've had to clean up other people's messes many times...and I so loathe cleaning up DW generated code. ugly as hell. And not always the most logical approaches in coding. No self-respecting person can create a serious project using DW. [img src=\"http://forum.mamboserver.com/images/smilie/icon_razz.gif\" border=\"0\" alt=\"IPB Image\" /]

Anyway, my comment....there is no such thing as "too secure". This of course depends on what your project is. If you are creating a site that will be storing critical personal information....you want to take every measure possible to make it more dificult to access said info.


PHP Ninja

#3 fusionpixel

fusionpixel
  • Members
  • PipPipPip
  • Advanced Member
  • 64 posts

Posted 24 February 2006 - 09:29 PM

I use PHP Designer or Zend for my PHP projects, and if I must use Dreamweaver I use it in Code view :P. I was just making reference on how DW behaves on reference to DB connections.

So... I know there is different ways of handling security and the ones pointed above were some that I have seen first hand. What would you say its your best secure wayt to handle DB connections?

L)
Did you know there is a manual for PHP? [a href="http://" target="_blank"]http://www.php.net[/a]
Did you know there is a manual for mySQL? [a href="http://" target="_blank"]http://www.mysql.org[/a]

#4 Caesar

Caesar
  • Members
  • PipPipPip
  • Advanced Member
  • 1,025 posts

Posted 24 February 2006 - 09:54 PM

Well, for starters, I always make sure the connection can only be made internally

Example:

in my db connection file, I always add an extra if statement:

if ($_SERVER['SERVER_NAME'] == "www.thisdomain.com")

{

@mysql_connect ('localhost', 'username', 'password') or die('<b>Connection Failed</b>');

mysql_select_db(dbname) or die('<b>Database Connection Failed</b>');

$dbnam = "dbname";

$var = @mysql_connect('localhost', 'username', 'password') or die(Failed);

}

else

{

die ("Die!!!!!!");

}


I also try to avoid using folders with obvious names like "connections". Maybe a slight variation, like "cons" or such. I also track IP's and ISP's in my login scripts. ...I use a number of things I guess.
PHP Ninja

#5 fusionpixel

fusionpixel
  • Members
  • PipPipPip
  • Advanced Member
  • 64 posts

Posted 24 February 2006 - 11:39 PM

So you can say that it is safe to leave the files in the server without any extra security like .haccess or anything like that?

Did you know there is a manual for PHP? [a href="http://" target="_blank"]http://www.php.net[/a]
Did you know there is a manual for mySQL? [a href="http://" target="_blank"]http://www.mysql.org[/a]

#6 wickning1

wickning1
  • Members
  • PipPipPip
  • Advanced Member
  • 405 posts

Posted 25 February 2006 - 09:03 AM

Your MySQL server should only be accepting connections from a very small number of known IPs (or domain names). Additionally, you can firewall the MySQL port and only access the database from the local machine or inside your own network.

If you set it up correctly, you could put your username and password on the evening news and not be worried.

Just watch out for other kinds of attacks that could compromise your web server machine. Insertion attacks, buffer overflows, trojans, etc.

#7 Pezzoni

Pezzoni
  • Members
  • PipPip
  • Member
  • 22 posts

Posted 25 February 2006 - 02:48 PM

Validatation.
Any bit of data which a user could potentially fiddle with (don't forget hidden form fields etc as well, just because they can't be seen, it doesn't mean they can't be played with), so essentially and GET or POST data should be heavily validated. If it should just be an integer, then validate it as such. Kill the script if anything else gets in there. If the input is text, then addslashes, strip HTML... Whatver. Just make sure nothing can be entered that you don't want in there!

#8 fusionpixel

fusionpixel
  • Members
  • PipPipPip
  • Advanced Member
  • 64 posts

Posted 25 February 2006 - 08:34 PM

[!--quoteo(post=349260:date=Feb 25 2006, 03:03 AM:name=wickning1)--][div class=\'quotetop\']QUOTE(wickning1 @ Feb 25 2006, 03:03 AM) View Post[/div][div class=\'quotemain\'][!--quotec--]
Your MySQL server should only be accepting connections from a very small number of known IPs (or domain names). Additionally, you can firewall the MySQL port and only access the database from the local machine or inside your own network.

If you set it up correctly, you could put your username and password on the evening news and not be worried.

Just watch out for other kinds of attacks that could compromise your web server machine. Insertion attacks, buffer overflows, trojans, etc.
[/quote]

Good points mate but what happens with people who are under shared servers Those who dont have the ability to set up the server themselves?
Did you know there is a manual for PHP? [a href="http://" target="_blank"]http://www.php.net[/a]
Did you know there is a manual for mySQL? [a href="http://" target="_blank"]http://www.mysql.org[/a]

#9 wickning1

wickning1
  • Members
  • PipPipPip
  • Advanced Member
  • 405 posts

Posted 26 February 2006 - 01:23 AM

Ask your host about the security situation. If they've given you a database on their mysql server and an account that can access it, you should be able to ask them to limit access so that only your web server has permission to send queries.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users