
Security question: Trusting data from the database


MmmVomit


Any data retrieved from an outside source should always be suspect, but what about data retrieved from your own database?

 

I'm writing the profile page for my website, and I need to display the username and email address.  These were filtered before being put into the database.  The username was checked for length and invalid characters.  The email address was checked against a regex for email addresses.  Do you think it's necessary to re-filter this data, before using it?  If so, how rigorous should I be?

 

Of course, I will escape everything before output (htmlentities(), mysql_real_escape_string(), etc.)


Do you think it's necessary to re-filter this data, before using it?  If so, how rigorous should I be?

 

Of course, I will escape everything before output (htmlentities(), mysql_real_escape_string(), etc.)

 

Why would you need to? If the data was checked when it was entered it still will be fine. Also, there isn't ever a need to escape data when retrieving from the database. You need only escape data when using it within queries.


Do you think it's necessary to re-filter this data, before using it?  If so, how rigorous should I be?

 

Of course, I will escape everything before output (htmlentities(), mysql_real_escape_string(), etc.)

 

Why would you need to? If the data was checked when it was entered it still will be fine.

In theory, there could be multiple parts of the application that update the same information.  I would need to be sure that all of these inputs to the database are filtered correctly to then trust data retrieved from the database.  Also, if someone were to somehow circumvent my filters, say, by gaining direct access to the database, then there would be no controls on this data at all.  Unlikely, yes, but not to be dismissed out of hand.

 

I'm thinking I should just run the username and email addresses through their respective regexes, and if those pass, trust them.

 

Also, there isn't ever a need to escape data when retrieving from the database. You need only escape data when using it within queries.

Right.  I was saying that I would escape any data retrieved from the database before using it as output.  For example, if I retrieve an email address from the database, I'll run it through htmlentities() before displaying it on the screen, or through mysql_real_escape_string() before using it in another query.


If you're checking it as it goes in, then theoretically you shouldn't have to check it as it comes out.  If your database were directly compromised, as in someone were able to connect to it and insert whatever they wanted, then if you don't filter the data as it comes out it will affect your users.  To what extent it harms them depends on what is placed in the database.

 

I still wouldn't filter data as it came back out in most applications though.  If you know for a fact that your code filters everything that goes in and somehow Javascript is coming back out, that's a pretty clear sign that something somewhere is insecure.  Had you again filtered the output you would never know someone had direct access to your database.


In theory, there could be multiple parts of the application that update the same information.  I would need to be sure that all of these inputs to the database are filtered correctly to then trust data retrieved from the database.

 

This is where a standardized set of update and insert functions comes in handy.  Write the code once and then call it from anywhere.


I still wouldn't filter data as it came back out in most applications though.  If you know for a fact that your code filters everything that goes in and somehow Javascript is coming back out, that's a pretty clear sign that something somewhere is insecure.  Had you again filtered the output you would never know someone had direct access to your database.

 

Not true.  If a piece of data retrieved from the database does not pass the filter, I can throw up some sort of flag to let me know.  I'm just trying to decide how paranoid I should be.

 

For example:

 

// get data from database

if (filter($data_from_database))
{
    // use data
}
else
{
    // log an error, or trigger some other mechanism to notify admin
}

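The pattern the last post sketches, written out as an added example (not code from the thread or its author): each profile row read from the database is re-checked against the same rules that were applied on input, a row that fails is logged rather than displayed, and values that pass are still escaped at output time. The username policy, the row layout and the two sample rows are assumptions; the rows are constructed inline so nothing here needs a live database.

```php
<?php
// Added example: re-validate profile data on the way out of the database,
// flag anything that fails, and escape on output regardless of the result.
declare(strict_types=1);

// Assumed site policy for usernames: 3 to 20 characters of [A-Za-z0-9_].
const USERNAME_PATTERN = '/^[A-Za-z0-9_]{3,20}$/';

// Returns the list of fields that no longer satisfy the input rules.
function validateProfileRow(array $row): array
{
    $problems = [];
    if (!is_string($row['username'] ?? null) || !preg_match(USERNAME_PATTERN, $row['username'])) {
        $problems[] = 'username';
    }
    if (!is_string($row['email'] ?? null) || filter_var($row['email'], FILTER_VALIDATE_EMAIL) === false) {
        $problems[] = 'email';
    }
    return $problems;
}

function renderProfile(array $row): string
{
    $problems = validateProfileRow($row);
    if ($problems !== []) {
        // Stored data no longer matches the input filters: some write path
        // skipped validation or the database was changed directly. Log it
        // for the admin and do not render the row.
        error_log(sprintf('profile row id=%d failed re-validation on: %s',
            (int) $row['id'], implode(', ', $problems)));
        return "<p>Profile temporarily unavailable.</p>\n";
    }
    // Escape at output time even though the values just passed validation.
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf("<p>User: %s</p>\n<p>Email: %s</p>\n",
        $esc($row['username']), $esc($row['email']));
}

// Constructed rows standing in for a SELECT result (not real data).
$rows = [
    ['id' => 1, 'username' => 'alice_01',   'email' => 'alice@example.com'],
    ['id' => 2, 'username' => '<b>bob</b>', 'email' => 'not-an-address'],
];
foreach ($rows as $row) {
    echo renderProfile($row);   // row 1 renders; row 2 is logged and withheld
}
```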
