Database security - PHP code

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
I have been reading a little that you should secure your PHP code to
prevent SQL injection into a database (MySQL in my instance), mainly by
checking the type of data to be put into a database, and if text, to
addslashes() the data.

What I have not managed to find out, is does SQL injection threaten the
input of data into a database, ie a guestbook, or the reading of a database
where the user would not know if the data is being read from a database?

Is there anything else to consider to make a database more secure?

In particular, I have read here a few months back that it's a good idea to
keep the username / password of the connection outside the root of the
website.  How would I access the password file then?  What I mean is, if I
want a certain file in my site I could access it by writing:

But as it would now be outsite the root, how would I be able to get to the
password.php file?

I have also read a bit that you can assign privelages (similar I guess to
rwe for a directory / file) but to the database access, but can't find
anything about it.  Is there a good (beginners) guide to privelages?

Any just incase, I did RTFM, but there are many versions which make it
confusing on who is right.



Re: Database security - PHP code (Dariusz) wrote:

Quoted text here. Click to load it

You've done your homework, don't worry.  There was a discussion
_somewhere_ (here or another group) about securing php in a shared
server (like a webhosting ISP) and this URL was posted:

It had some great ideas, notably a method of removing the database
passwords from a file that can be read by the Apache web server.  php
code must be readable by Apache (and the developer), so that means
protecting the files via group permissions or running php with suExec as
a process with CGIwrap ( /), which is what
I do for Perl CGI scripts.

There was also a link in Chris' article on permissions.

Read and enjoy.

DeeDee, don't press that button!  DeeDee!  NO!  Dee...

Re: Database security - PHP code

Quoted text here. Click to load it

Similar to what I have been saying for years - around 2001, before the
PHP Cookbook was published. I wonder if my comments inspired the
solution provided in the PHPCB - if so, I wonder if I got my name in a
book? :-D

Justin Koivisto -

Re: Database security - PHP code


Quoted text here. Click to load it


Not directly, but the problem is more complex.

An example: It could be possible for an attacker to insert SQL-code into
the database. The application escapes all quotes, so it does no harm on
input. But even if the code made it "defused" into the database doesn't
mean the problem is solved. The injected code could still start its
malicious work when the application fetches the data from the db and
uses it again in another query. Usually no one escapes data obtained
from the db, because it's considered "safe" ...

Quoted text here. Click to load it

Even if the data is already in the system, it should _not_ be used
directly in other querys without validating/escaping it again.

And some SQL servers are vulnerable to a lot more and different variants
of SQL injection (Google for "advanced SQL injection").

Quoted text here. Click to load it

Why would you want a password be accessible with HTTP?

Quoted text here. Click to load it

PHP is able to access files directly through the filesystem.


Site Timeline