chrischen Posted February 4, 2008
So I have a PHP/MySQL powered website. Basically, for every page that needs to connect to the database I include the database connection file. Are there any security risks to this, for example someone on another server including my files?
(https://forums.phpfreaks.com/topic/89439-securing-php-mysql-scripts/)
monkeytooth Posted February 4, 2008
There's always a risk, but on the flip side of that there's always a workaround to help prevent such risks. The easiest of them is to give high-priority files like that a unique name consisting of numbers and letters, and make it about 12+ characters long. Then, depending on the level of access you have over your server, you could always restrict access to the file. Also use unique database table names, row names, etc. Also make the file read-only. If you are able to use .htaccess, you could also make it so that the file is only usable via your domain name, as well as use it to redirect someone who attempts to access the file by itself. There's a million and one ways to hack a site and a million and one ways to prevent it, figuratively speaking. But for your common would-be hacker, just the basics and a little extra are what you need to worry about. Also remember to sanitize your database inputs when working with forms of any kind, be it a simple user login or a complex form entry. I have found thus far that being unique with naming high-risk files, and unique in naming high-risk areas of my databases, are always an excellent deterrent. Anyway, commonly you don't want your connection info hardcoded into any given file other than the connection config file. One, if all your files have it, then the potential of someone accessing it by managing to download a PHP file is greater; two, if you practice good security by changing passwords every X amount of days, then it makes it easier to update the overall script rather than go file by file.
Sam Granger Posted February 4, 2008
I don't believe that's a problem. Try visiting your config file. It will display as plain HTML, unless it's a txt file or whatever, but I assume you have variables in PHP. I believe the other server would include a blank HTML file which won't get the person anywhere. And like the poster above said, chmod the file to read-only.
revraz Posted February 4, 2008
Read-only will do what? Let them read it, so that will just not let them change it. But since all the entries in the file are .php, they can't view it. Also, how would they even know the name of your file and its folder?
revraz Posted February 4, 2008
Also, some webhosts (like mine) don't even allow access to the MySQL database unless it's from within the domain.
monkeytooth Posted February 4, 2008
All valid points. However, I based my input on the general what-if factor; it would be a rare thing to pull off. As they said, also, how would they know any of that stuff? But again, what if. I dunno, maybe I'm just over-paranoid and handle mine the way I do, but even if not, it's worked so far lol.
chrischen Posted February 5, 2008 (Author)
OK, so I have an index.php file and inside it's like this:

    <?php
    include('/databaseconnection.php');
    ... blah blah
    ?>

If someone were to include my index.php from an external server they wouldn't be able to access my database, right? Also, what are SQL injection attacks and cross-site scripting?
Sam Granger Posted February 5, 2008
SQL injection occurs when you have a variable in your SQL query that a user can modify. Before putting user-entered info, or info you can edit in the URL ($_POST, $_GET etc.), into a query, save it as a variable and use mysql_real_escape_string to make it SQL safe. e.g.:

    $username = mysql_real_escape_string($_POST["username"]);

Example of SQL injection:

    // user input that uses SQL injection
    $name_bad = $_POST["username"]; // they enter ' OR 1=1
    // in turn the SQL query below will look like the following
    $query_bad = "SELECT * FROM members WHERE username = '' OR 1=1";
chrischen Posted February 5, 2008 (Author)

    if (!function_exists("GetSQLValueString")) {
        // Dreamweaver helper: escape a value and format it for the given SQL type
        function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
        {
            // undo magic_quotes so the value is not escaped twice
            $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

            $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

            switch ($theType) {
                case "text":
                    // quoted string literal, or NULL when empty
                    $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                    break;
                case "long":
                case "int":
                    // unquoted integer; intval() discards anything that is not a number
                    $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                    break;
                case "double":
                    $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
                    break;
                case "date":
                    $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                    break;
                case "defined":
                    $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                    break;
            }
            return $theValue;
        }
    }

So this function that Dreamweaver uses would work for that?
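The following is an added example, not code from this thread or from Dreamweaver, illustrating the injection Sam Granger described and the escape-and-quote idea behind the GetSQLValueString helper. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the "members" table, its two users, and the attacker payloads are all constructed for the demo, and PDO::quote() stands in for wrapping mysql_real_escape_string() output in quotes (SQLite doubles the quote instead of backslash-escaping it, but the effect on the query is the same). The last two functions show the caveat a practitioner would want: escaping only protects a quoted string context, so for an unquoted numeric comparison you need intval() (the helper's "int" case) or a bound parameter.

```php
<?php
// Added example (not from the thread). PDO + in-memory SQLite so it runs
// offline; table, users and payloads below are constructed for the demo.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $db->exec("INSERT INTO members (username, password) VALUES ('alice', 'secret1'), ('bob', 'secret2')");
    return $db;
}

// 1. Vulnerable: user input pasted straight into a quoted string context.
//    With $user = "' OR 1=1 --" the WHERE clause becomes
//    username = '' OR 1=1 --' AND password = '...'  (rest is commented out)
function loginVulnerable(PDO $db, string $user, string $pass): array
{
    $sql = "SELECT username FROM members WHERE username = '$user' AND password = '$pass'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Escaped AND quoted: PDO::quote() does what "'" . mysql_real_escape_string($x) . "'"
//    does in the thread, i.e. the "text" case of the Dreamweaver helper.
//    The attacker's quote is escaped and stays inside the string literal.
function loginEscaped(PDO $db, string $user, string $pass): array
{
    $sql = 'SELECT username FROM members WHERE username = ' . $db->quote($user)
         . ' AND password = ' . $db->quote($pass);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Prepared statement: query text and data never mix, so nothing needs
//    escaping. This is the option to prefer over manual escaping.
function loginPrepared(PDO $db, string $user, string $pass): array
{
    $stmt = $db->prepare('SELECT username FROM members WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $user, ':p' => $pass]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 4a. The caveat: escaping only helps inside quotes. "1 OR 1=1" contains no
//     quote character, so an escape function leaves it untouched and the
//     unquoted comparison becomes  WHERE id = 1 OR 1=1  (every row).
function memberByIdEscapedOnly(PDO $db, string $id): array
{
    $escaped = str_replace("'", "''", $id);   // SQLite-style quote escaping, no surrounding quotes
    return $db->query("SELECT username FROM members WHERE id = $escaped")->fetchAll(PDO::FETCH_COLUMN);
}

// 4b. What the helper's "int" case does: intval() reduces "1 OR 1=1" to 1.
function memberByIdIntval(PDO $db, string $id): array
{
    $safe = intval($id);
    return $db->query("SELECT username FROM members WHERE id = $safe")->fetchAll(PDO::FETCH_COLUMN);
}

$db      = makeDb();
$payload = "' OR 1=1 --";   // constructed string-context injection
$numeric = '1 OR 1=1';      // constructed injection for an unquoted numeric context

printf("vulnerable (string):  %s\n", implode(',', loginVulnerable($db, $payload, 'wrong')));
printf("escaped+quoted:       %s\n", implode(',', loginEscaped($db, $payload, 'wrong')));
printf("prepared statement:   %s\n", implode(',', loginPrepared($db, $payload, 'wrong')));
printf("escaped only (id):    %s\n", implode(',', memberByIdEscapedOnly($db, $numeric)));
printf("intval (id):          %s\n", implode(',', memberByIdIntval($db, $numeric)));
```

Run it with the pdo_sqlite extension enabled (`php sqli_demo.php`). The vulnerable login and the escaped-only numeric lookup both list alice and bob, which is the attacker "logging in" without a password; the escaped-and-quoted login and the prepared statement return nothing for the same payload, and the intval() lookup returns only alice. That is why the Dreamweaver helper holds up: it never emits an escaped value without the quotes or intval() that match the column type, which is the mistake that makes bare mysql_real_escape_string() calls insufficient.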
revraz Posted February 5, 2008
Quoting chrischen: "If someone were to include my index.php from an external server they wouldn't be able to access my database right?"
It doesn't work like that. Try it yourself, include someone else's index.php page.