
fusionpixel

The truth about mySQL security


So I finished a small application that I am using on my computer only to avoid any problems on the net in regards to security.

Since there is no easy way to ask a question like “What is the best way to create a secure application” I decided to send the question out there and ask to what everyone thinks or believes is a secure way to create their applications.

I have been working with PHP/mySQL as user not much as developer for the past years but now trying to learn more about the developer side, I have hit a wall once I have faced Security.

For a while I was certain that putting my sql connection in a PHP file it was ok, this believe was even stronger while using different applications out there that place their connections logarithms inside folders named as simple as “connections”, and if we want to examine this theory further if you create a Database Connection in Dreamweaver the application itself will create a folder titled “Connections” and inside that folder it will write the scripts necessary to connect to your DataBase.

With all this in mind I ran into a basic tutorial that highlighted the importance of having your connections secure and one recommendation was to place your connections script (or PHP file) under a password protected directory. This would be an overkill IMHO and not only that but securing a password with another password?

Comments?

<? moved from misc ?>

Please do not generate code in Dreamweaver. I've had to clean up other people's messes many times...and I so loathe cleaning up DW generated code. ugly as hell. And not always the most logical approaches in coding. No self-respecting person can create a serious project using DW. :P

Anyway, my comment....there is no such thing as "too secure". This of course depends on what your project is. If you are creating a site that will be storing critical personal information....you want to take every measure possible to make it more difficult to access said info.

I use PHP Designer or Zend for my PHP projects, and if I must use Dreamweaver I use it in Code view :P. I was just making reference on how DW behaves on reference to DB connections.

So... I know there are different ways of handling security and the ones pointed out above were some that I have seen first hand. What would you say is your best secure way to handle DB connections?

L)

Well, for starters, I always make sure the connection can only be made internally

Example:

in my db connection file, I always add an extra if statement:

[code]
// Only connect when the script is being served under our own hostname.
if ($_SERVER['SERVER_NAME'] == "www.thisdomain.com")
{
    // Note: the mysql_* extension was removed in PHP 7; mysqli or PDO replaces it.
    $var = @mysql_connect('localhost', 'username', 'password') or die('<b>Connection Failed</b>');

    $dbnam = "dbname";

    // Database name must be a quoted string, not a bare constant.
    mysql_select_db($dbnam, $var) or die('<b>Database Connection Failed</b>');
}
else
{
    die("Die!!!!!!");
}
[/code]

I also try to avoid using folders with obvious names like "connections". Maybe a slight variation, like "cons" or such. I also track IP's and ISP's in my login scripts. ...I use a number of things I guess.
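An added example (not the poster's code) of the same idea taken one step further: the credentials live in a file outside the document root, so a server that stops executing PHP for any reason cannot hand the file out as text, and the database account itself is restricted to local connections. The SERVER_NAME check is left out because on most web servers that value comes from the request's Host header and is not a trust boundary. The paths, file contents and account name below are assumptions.

```php
<?php
// Added example, not the thread's code. Assumed layout:
//   /var/www/html          document root
//   /var/www/private/db.ini  readable only by the web-server user, containing:
//     host = 127.0.0.1
//     user = app_user
//     pass = example-only-password
//     name = app_db
// The MySQL account is assumed to have been created for local access only:
//   CREATE USER 'app_user'@'localhost' IDENTIFIED BY '...';
//   GRANT SELECT, INSERT, UPDATE, DELETE ON app_db.* TO 'app_user'@'localhost';

declare(strict_types=1);

function db_connect(string $iniPath = '/var/www/private/db.ini'): mysqli
{
    if (!is_readable($iniPath)) {
        // Log the problem server-side; never print paths or credentials to the browser.
        error_log('database config not readable');
        http_response_code(500);
        exit('Service unavailable');
    }

    $cfg = parse_ini_file($iniPath, false, INI_SCANNER_TYPED);
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key])) {
            error_log("database config missing key: $key");
            http_response_code(500);
            exit('Service unavailable');
        }
    }

    // Make mysqli throw on failure so errors cannot be silenced with @ and ignored.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    try {
        $db = new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
        $db->set_charset('utf8mb4');
    } catch (mysqli_sql_exception $e) {
        // The real reason goes to the log; the client gets a generic message.
        error_log('database connection failed: ' . $e->getMessage());
        http_response_code(500);
        exit('Service unavailable');
    }
    return $db;
}
```

With this layout a request for the config file through the web server returns 404 rather than the password, which is the property a password-protected "connections" folder was trying to approximate.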

So you can say that it is safe to leave the files in the server without any extra security like .htaccess or anything like that?

Your MySQL server should only be accepting connections from a very small number of known IPs (or domain names). Additionally, you can firewall the MySQL port and only access the database from the local machine or inside your own network.

If you set it up correctly, you could put your username and password on the evening news and not be worried.

Just watch out for other kinds of attacks that could compromise your web server machine. Insertion attacks, buffer overflows, trojans, etc.

Validation.
Any bit of data which a user could potentially fiddle with (don't forget hidden form fields etc. as well; just because they can't be seen, it doesn't mean they can't be played with), so essentially any GET or POST data, should be heavily validated. If it should just be an integer, then validate it as such. Kill the script if anything else gets in there. If the input is text, then addslashes, strip HTML... Whatever. Just make sure nothing can be entered that you don't want in there!
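An added example (not from the thread) of the validation the post describes: every request parameter, hidden fields included, is checked against the shape it is supposed to have and the script stops on anything else. It goes one step past the post by sending the value to MySQL through a prepared statement, so no escaping of the value is needed. The `$db` connection, the `articles` table and the `get_result()` call (which needs the mysqlnd driver) are assumptions.

```php
<?php
// Added example, not the thread's code. Assumes a mysqli connection $db
// and a table articles(id INT, title VARCHAR(200)).

declare(strict_types=1);

// Returns the integer, or null unless the value is a plain decimal integer in range.
function require_int(array $source, string $key, int $min = 1, int $max = PHP_INT_MAX): ?int
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects "12abc", "1e3", "0x1f", "12.0" and out-of-range values.
    $v = filter_var($source[$key], FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? null : $v;
}

// Returns the trimmed string, or null if it is empty, too long, or contains control characters.
function require_text(array $source, string $key, int $maxLen = 200): ?string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    $s = trim($source[$key]);
    if ($s === '' || strlen($s) > $maxLen || preg_match('/[\x00-\x1F\x7F]/', $s)) {
        return null;
    }
    return $s;
}

function load_article(mysqli $db, array $request): ?array
{
    $id = require_int($request, 'id');
    if ($id === null) {
        // "Kill the script if anything else gets in there."
        http_response_code(400);
        exit('Bad request');
    }
    // Placeholder binding keeps the value out of the SQL text entirely.
    $stmt = $db->prepare('SELECT id, title FROM articles WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

// Input validation does not replace output encoding; escape when rendering:
// echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
```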

[quote=wickning1 @ Feb 25 2006, 03:03 AM]
Your MySQL server should only be accepting connections from a very small number of known IPs (or domain names). Additionally, you can firewall the MySQL port and only access the database from the local machine or inside your own network.

If you set it up correctly, you could put your username and password on the evening news and not be worried.

Just watch out for other kinds of attacks that could compromise your web server machine. Insertion attacks, buffer overflows, trojans, etc.
[/quote]

Good points mate, but what happens with people who are on shared servers, those who don't have the ability to set up the server themselves?

Ask your host about the security situation. If they've given you a database on their mysql server and an account that can access it, you should be able to ask them to limit access so that only your web server has permission to send queries.
