
OK... If any web masters (beginners, intermediate, pro) want ways to help with security, here are some simple steps to follow:

 

Database:

1. Create 2 database users... One user will be an administrative user, and the other will be a dummy user. The admin user will be for you to add, delete, and modify tables. The dummy user will be how your PHP connects to your database; this user will have limited access to the database. It will only be able to insert rows, delete rows, and modify rows.

 

2. Create your PHP with care, and add functions that will help protect you from SQL injection. There are a few functions that can do this; one would be the addslashes() function. You then would use stripslashes() to remove the slashes from the text when it is printed out onto the screen.

 

3. For every user input, if the database field requires only words, use the function is_string; if the database requires a numeric value, use the function is_string. This would be a good way to help ensure the right data type is inserted into the database.

 

An example:

<?php
$myVar1 = addslashes(1);
$myVar2 = addslashes('I am text');
if(is_numeric($myVar1)){  // This returns TRUE
    mysql_query("INSERT INTO `table` (`myValue`) VALUES ('$myVar1')");
}else{
    echo "This isn't a numeric value";
}
if(is_numeric($myVar2)){  // This returns FALSE
    mysql_query("INSERT INTO `table` (`myValue`) VALUES ('$myVar2')");
}else{
    echo "This isn't a numeric value";
}
?>

 

There is a huge list of these, so search for them on php.net.

 

4. This may be a little more advanced, but make some sort of robot check like an image CAPTCHA; this will help stop multiple attacks on your site. Here is a link to a very, very simple CAPTCHA. Otherwise, if you don't want to use a CAPTCHA, check against user IP addresses, and allow them to only post something every once in a while.

 

Here would be an example of doing this:

<?php
session_start();
include "db.php"; # Link to your database connections
$ip = $_SERVER['REMOTE_ADDR'];
$minutes = 60; # minutes till next allowed post
if($sid = session_id()) # if there is an active session
{
    # DB connect here
    # Delete users from the table if time is greater than $minutes
    mysql_query("DELETE FROM `active_sessions` WHERE `date` < DATE_SUB(NOW(),INTERVAL $minutes MINUTE)") or die(mysql_error());

    # Check to see if the current ip is in the table
    $sql = mysql_query("SELECT * FROM `active_sessions` WHERE `ip`='$ip'") or die(mysql_error());
    $row = mysql_fetch_array($sql);
    # If the ip isn't in the table add it.
    if(!$row){
        $myPost = isset($_POST['myPost']) ? addslashes($_POST['myPost']) : '';
        # Insert the user info into one table
        mysql_query("INSERT INTO `active_sessions` (`ip`, `session`, `date`) VALUES ('$ip', '$sid', NOW()) ON DUPLICATE KEY UPDATE `date` = NOW()") or die(mysql_error());
        # Insert the user post into another table
        mysql_query("INSERT INTO `table` (`myComment`) VALUES ('$myPost')") or die(mysql_error());
    }else{
        # Output has been sent, so header() below could not redirect; stop here
        echo 'You must wait to post again';
        exit;
    }
}
# Return the user to the comments page.
header("Location: /commentPage.php");
exit;
?>

 

5. If you have any files that you wish to be required to be loaded through another file, just make a main file that is included on all the root pages, such as your index, contact form, users page, upload files page, etc. Make a variable in that main file that will always return TRUE. On your sub page, all you need to do is check if that variable is set, or equals TRUE. It is very simple to do. A file that is usually included on all pages is a functions file, which contains all your functions, so we will place our variable in that file.

 

functions.php

<?php
$pageLoaded = TRUE;
// All of your functions following...
?>

 

myInclude.php

<?php
# DO NOT INCLUDE functions.php
if(empty($pageLoaded)){ # if this page was loaded by itself, $pageLoaded was never set (empty() avoids an undefined-variable notice)
    header("Location: http://mysite.com"); # Return to root page
    exit;
}
// Following of the rest of the include...
?>

 

index.php

<?php
include 'functions.php'; #load the page containing our variable
include 'myInclude.php'; #load the page containing our included page.
// The rest of the index page...
?>

 

6. If you are using a GET method, try to insert bad values; if you get bad results, then there is a hole you need to fix up. Fix the hole, then try some more bad values, and keep doing this until you have fixed all the holes you can think of. If you need any GET values in order for the page to load correctly, make sure you check that they are set by using the isset function; if one isn't set, you should let the user know. So, if you have a URL looking like this: http://mysite.com/mypage.php?id=12345&imageid=12345, then you should check to make sure that id and imageid are both set.

<?php
if(!isset($_GET['id']) || !isset($_GET['imageid'])){
    echo 'Invalid URL';
    exit; # stop here so the rest of the page does not run with missing values
}
?>

 

You should then, if they are both set, make sure that they are valid values; invalid values will not return a proper result, and may cause problems.
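The following is an added example, not code from the original post, that carries tips 2, 3, 4 and 6 through with PDO prepared statements instead of addslashes() and mysql_query(): the type check from tip 3, the isset/validity check from tip 6, and the per-IP posting window from tip 4, with every user value bound as data so quoting is never needed. It runs stand-alone against an in-memory SQLite database; the table and column names, the `myPost` field, and the IP and session values in the walk-through are all constructed for the demonstration, and a MySQL DSN would be used in place of `sqlite::memory:` on a real site.

```php
<?php
// Added example (not from the thread). Constructed schema and inputs; the
// cutoff time is computed in PHP and bound, so the same SQL works on MySQL.
declare(strict_types=1);

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');                     // constructed test DB
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, image_id INTEGER NOT NULL, body TEXT NOT NULL)');
    $db->exec('CREATE TABLE active_sessions (ip TEXT PRIMARY KEY, session TEXT NOT NULL, posted_at TEXT NOT NULL)');
    return $db;
}

// Tips 3 and 6: confirm the type before the value gets near the database.
// Returns a positive int or null; filter_var rejects "12abc", "1' OR 1=1", "".
function valid_id($raw): ?int {
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Tip 4: one post per $minutes per IP. Returns true when the post is allowed.
function rate_limit_ok(PDO $db, string $ip, string $sid, int $minutes): bool {
    $cutoff = gmdate('Y-m-d H:i:s', time() - $minutes * 60);
    // Expire rows older than the window (the DELETE from the post's example).
    $db->prepare('DELETE FROM active_sessions WHERE posted_at < :cutoff')
       ->execute([':cutoff' => $cutoff]);
    $st = $db->prepare('SELECT 1 FROM active_sessions WHERE ip = :ip');
    $st->execute([':ip' => $ip]);
    if ($st->fetchColumn() !== false) {
        return false;                                     // still inside the window
    }
    $db->prepare('INSERT INTO active_sessions (ip, session, posted_at) VALUES (:ip, :sid, :now)')
       ->execute([':ip' => $ip, ':sid' => $sid, ':now' => gmdate('Y-m-d H:i:s')]);
    return true;
}

// Tip 2: the body is bound as a parameter, so quotes and backslashes are stored
// verbatim and nothing has to be stripped on the way out.
function save_comment(PDO $db, int $imageId, string $body): int {
    $body = trim($body);
    if ($body === '' || strlen($body) > 2000) {
        throw new InvalidArgumentException('bad comment length');
    }
    $db->prepare('INSERT INTO comments (image_id, body) VALUES (:img, :body)')
       ->execute([':img' => $imageId, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// Output side of tip 2: escape for HTML instead of stripping characters.
function render_comment(string $body): string {
    return htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed walk-through standing in for three requests from one address.
$db = open_db();
$requests = [
    ['id' => '12345', 'imageid' => '7', 'myPost' => "Nice pic, isn't it? \\o/"],
    ['id' => "1' OR '1'='1", 'imageid' => '7', 'myPost' => 'x'],       // fails valid_id
    ['id' => '12345', 'imageid' => '7', 'myPost' => 'second post too soon'],
];
foreach ($requests as $i => $get) {
    $imageId = valid_id($get['imageid']);
    if (valid_id($get['id']) === null || $imageId === null) {
        echo "request $i: Invalid URL\n";
        continue;
    }
    if (!rate_limit_ok($db, '198.51.100.10', 'sess-abc', 60)) {   // constructed IP/session
        echo "request $i: You must wait to post again\n";
        continue;
    }
    $cid = save_comment($db, $imageId, $get['myPost']);
    echo "request $i: stored comment $cid -> " . render_comment($get['myPost']) . "\n";
}
```

Run with `php example.php`: the first request is stored, the second is rejected by valid_id() before any SQL runs, and the third is held back by the posting window because the same address already has a row. The time cutoff is bound as a parameter rather than interpolated the way `$minutes` is in the post's code, so no value assembled from variables ever lands inside the SQL text.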

https://forums.phpfreaks.com/topic/59723-databaserobot-protection/

2 weeks later...

5.  If you don't want a file to be loaded without going through another file, put it in a non-web-accessible directory.

 

I would agree with you there on that one... I never thought about that.

 

If you have anything you agree/disagree with me on, please say so.. thanks much.. I would really like to hear.

Let's say you don't want the file db_details.php to execute unless entry.php has been included or run. The typical solution most people use is something like:

 

entry.php

<?php
  define( 'ENTRY_POINT', true );

  // Rest of file follows...

 

db_details.php

<?php
  if(!defined('ENTRY_POINT')){
    exit();
  }

  // Rest of file follows...
?>

 

This prevents someone from trying to access db_details.php directly through something like:

http://www.yourdomain.com/hidden/path/db_details.php

 

This method has the drawback that you have to add code at the top of every single file to prevent it from being accessed.

 

The path hidden/path would have to exist somewhere inside of your public_html or www directory for this to work though.  If instead you have a directory structure like the following:

  /home/usr/hidden/path/db_details.php
  /home/usr/public_html/index.php

 

Now that the path to db_details.php is no longer web accessible, you prevent direct access to it without having to add extra code at the top of all your files.

 

index.php can still access the file though:

<?php
  // index.php
  // dirname(dirname(__FILE__)) is /home/usr, so the leading slash is needed
  include(dirname(dirname(__FILE__)) . "/hidden/path/db_details.php");
?>
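As an added example, not part of the reply above, here is the two approaches from this post combined in one bootstrap file: the ENTRY_POINT constant marks the entry file, and the private directory outside the web root is resolved from the bootstrap's own location with realpath(), so a badly formed name cannot cause the loader to reach back into public_html. The directory layout (`/home/usr/private`, `/home/usr/public_html`), the `load_private()` helper and the `PRIVATE_DIR` constant are assumptions made for this example.

```php
<?php
// Added example (not from the thread). Assumed layout:
//   /home/usr/private/db_details.php     (not web accessible)
//   /home/usr/public_html/bootstrap.php  (this file, under the document root)
declare(strict_types=1);

// Entry marker, as in the reply's entry.php; db_details.php checks for it.
define('ENTRY_POINT', true);

// Absolute path of the private directory, resolved relative to this file.
// __DIR__ is the modern spelling of dirname(__FILE__); false if it is missing.
define('PRIVATE_DIR', realpath(__DIR__ . '/../private'));

// Load a file from the private directory by bare name. basename() drops any
// directory part, and the realpath() prefix check refuses a resolved path
// (symlinks included) that does not sit inside PRIVATE_DIR.
function load_private(string $name): void {
    if (PRIVATE_DIR === false) {
        throw new RuntimeException('private directory not found');
    }
    $path = realpath(PRIVATE_DIR . DIRECTORY_SEPARATOR . basename($name));
    if ($path === false || strpos($path, PRIVATE_DIR . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("refusing to load $name");
    }
    require_once $path;
}

// db_details.php keeps the reply's guard, so it also exits if something ever
// includes it without ENTRY_POINT defined.
load_private('db_details.php');
```

Because the private directory is outside the document root, a request for the file's URL gets a 404 regardless of the guard; the guard remains as a second line of defence for the case where a copy of the file is ever dropped under public_html by mistake.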
