The truth about mySQL security


fusionpixel

So I finished a small application that I am using on my computer only to avoid any problems on the net in regards to security.

Since there is no easy way to ask a question like “What is the best way to create a secure application” I decided to send the question out there and ask to what everyone thinks or believes is a secure way to create their applications.

I have been working with PHP/mySQL as a user, not so much as a developer, for the past years, but now that I am trying to learn more about the developer side I have hit a wall once I faced security.

For a while I was certain that putting my SQL connection in a PHP file was OK. This belief was even stronger while using different applications out there that place their connection algorithms inside folders named as simply as “connections”, and if we want to examine this theory further, if you create a Database Connection in Dreamweaver the application itself will create a folder titled “Connections” and inside that folder it will write the scripts necessary to connect to your database.

With all this in mind I ran into a basic tutorial that highlighted the importance of having your connections secure, and one recommendation was to place your connections script (or PHP file) under a password-protected directory. This would be overkill IMHO, and not only that, but securing a password with another password?

Comments?

<? moved from misc ?>

Please do not generate code in Dreamweaver. I've had to clean up other people's messes many times... and I so loathe cleaning up DW generated code. Ugly as hell. And not always the most logical approaches in coding. No self-respecting person can create a serious project using DW. :P

Anyway, my comment... there is no such thing as "too secure". This of course depends on what your project is. If you are creating a site that will be storing critical personal information... you want to take every measure possible to make it more difficult to access said info.


I use PHP Designer or Zend for my PHP projects, and if I must use Dreamweaver I use it in Code view :P. I was just making reference to how DW behaves in regard to DB connections.

So... I know there are different ways of handling security, and the ones pointed out above are some that I have seen first hand. What would you say is your most secure way to handle DB connections?


Well, for starters, I always make sure the connection can only be made internally.

Example:

in my db connection file, I always add an extra if statement:

[code]<?php
// Only open the database connection when the script is served under the expected host name.
if ($_SERVER['SERVER_NAME'] == "www.thisdomain.com")
{
    // @ suppresses the PHP warning so the error text is not shown to the visitor.
    @mysql_connect('localhost', 'username', 'password') or die('<b>Connection Failed</b>');

    $dbname = "dbname";
    mysql_select_db($dbname) or die('<b>Database Connection Failed</b>');
}
else
{
    // Any other host name (or a direct request for the file) gets nothing.
    die("Die!!!!!!");
}
?>[/code]

I also try to avoid using folders with obvious names like "connections". Maybe a slight variation, like "cons" or such. I also track IP's and ISP's in my login scripts. ...I use a number of things I guess.
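Note that on a default Apache setup `$_SERVER['SERVER_NAME']` is filled from the request's Host header (unless `UseCanonicalName On` is set), so the check above is a convenience rather than a boundary. The following is an added example, not code from the post: the credentials live in a file outside the document root, the connection uses mysqli in exception mode so failures are logged rather than printed, and the account is assumed to exist only as `'app'@'localhost'` so the "internal only" rule is enforced by MySQL's own grant table; the paths and account name are assumptions.

```php
<?php
// Added example (not from the thread). Assumed layout:
//   /home/site/public_html/db_connect.php   this file (served)
//   /home/site/private/db.php               credentials, NOT under the document root
//
// /home/site/private/db.php is assumed to contain only:
//   <?php return ['host' => 'localhost', 'user' => 'app', 'pass' => '...', 'name' => 'appdb'];
//
// The 'app' account is assumed to have been created as 'app'@'localhost' with
// table-level SELECT/INSERT/UPDATE only, so the password is useless from any other host.

declare(strict_types=1);

function db_connect(): mysqli
{
    // Resolve the private directory relative to this script, one level above the web root.
    $config = require dirname(__DIR__) . '/private/db.php';

    // Throw on any error instead of relying on @ and die(): details go to the
    // server log and the visitor only ever sees the generic message below.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    try {
        $db = new mysqli($config['host'], $config['user'], $config['pass'], $config['name']);
        $db->set_charset('utf8mb4');
        return $db;
    } catch (mysqli_sql_exception $e) {
        error_log('DB connection failed: ' . $e->getMessage()); // stays server-side
        http_response_code(500);
        exit('Service temporarily unavailable');
    }
}
```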

Your MySQL server should only be accepting connections from a very small number of known IPs (or domain names). Additionally, you can firewall the MySQL port and only access the database from the local machine or inside your own network.

If you set it up correctly, you could put your username and password on the evening news and not be worried.

Just watch out for other kinds of attacks that could compromise your web server machine. Insertion attacks, buffer overflows, trojans, etc.

Validation.
Any bit of data which a user could potentially fiddle with (don't forget hidden form fields etc. as well; just because they can't be seen, it doesn't mean they can't be played with), so essentially any GET or POST data, should be heavily validated. If it should just be an integer, then validate it as such. Kill the script if anything else gets in there. If the input is text, then addslashes, strip HTML... Whatever. Just make sure nothing can be entered that you don't want in there!
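The validation the post describes, as an added example that is not from the post: integers are checked as integers, text is bounded and cleaned, and the value reaches MySQL through a prepared statement rather than addslashes(), with HTML escaped at output time. The table, column names and sample input are constructed for the example.

```php
<?php
// Added example (not from the thread). Table and column names are assumptions.
declare(strict_types=1);

/** Return a clean [post_id, comment] pair, or null if anything is not what we expect. */
function validate_comment_input(array $request): ?array
{
    // Hidden fields arrive in the same array; every key gets the same treatment.
    $id = filter_var($request['post_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // the post's rule: kill the request if it is not an integer
    }

    $comment = $request['comment'] ?? '';
    if (!is_string($comment) || $comment === '' || mb_strlen($comment) > 2000
        || !mb_check_encoding($comment, 'UTF-8')) {
        return null;
    }
    // Drop control characters; HTML is escaped on output (render_comment), not here.
    $comment = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $comment);

    return ['post_id' => $id, 'comment' => $comment];
}

/** Insert with bound parameters so the data can never be parsed as SQL. */
function store_comment(mysqli $db, array $clean): int
{
    $stmt = $db->prepare('INSERT INTO comments (post_id, body) VALUES (?, ?)');
    $stmt->bind_param('is', $clean['post_id'], $clean['comment']);
    $stmt->execute();
    return $stmt->insert_id;
}

/** Escape at output time so stored text is displayed, never rendered, as HTML. */
function render_comment(string $body): string
{
    return htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for $_POST:
$clean = validate_comment_input(['post_id' => '42', 'comment' => 'Nice post <b>thanks</b>']);
assert($clean['post_id'] === 42);                                   // string "42" became int
assert(validate_comment_input(['post_id' => '42abc', 'comment' => 'x']) === null);
assert(render_comment($clean['comment']) === 'Nice post &lt;b&gt;thanks&lt;/b&gt;');
```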

[quote name='wickning1' date='Feb 25 2006, 03:03 AM']
Your MySQL server should only be accepting connections from a very small number of known IPs (or domain names). Additionally, you can firewall the MySQL port and only access the database from the local machine or inside your own network.

If you set it up correctly, you could put your username and password on the evening news and not be worried.

Just watch out for other kinds of attacks that could compromise your web server machine. Insertion attacks, buffer overflows, trojans, etc.
[/quote]

Good points mate, but what happens with people who are on shared servers, those who don't have the ability to set up the server themselves?