DB To XML > Any security concerns???

kkonline
Forum Contributor
Posts: 251
Joined: Thu Aug 16, 2007 12:54 am

DB To XML > Any security concerns???

Post by kkonline »

I am using the following code to extract data from the database and convert it to XML format. I am concerned whether there is anything extra I would be required to do before displaying the data. Any security issues with the code? Because to input data to the DB we use SQL/XSS prevention, so is there anything similar or different that must be done to prevent any kind of attack?

Code:

<?php
$hostname_conn = "localhost";
$database_conn = "mysql";
$username_conn = "root";
$password_conn = "";
$conn = mysql_pconnect($hostname_conn, $username_conn, $password_conn) or trigger_error(mysql_error(),E_USER_ERROR); 
?><?php

mysql_select_db($database_conn, $conn);
$query_rsAll = "SELECT * FROM phpnews_news";
$rsAll = mysql_query($query_rsAll, $conn) or die(mysql_error());
$row_rsAll = mysql_fetch_assoc($rsAll);
$totalRows_rsAll = mysql_num_rows($rsAll);


header('Content-type: text/xml');
header('Pragma: public');        
header('Cache-control: private');
header('Expires: -1');
?><?php echo('<?xml version="1.0" encoding="utf-8"?>'); ?><root><?php if ($totalRows_rsAll > 0) { ?><?php do { ?><row><?php foreach ($row_rsAll as $column=>$value) { ?> <<?php echo $column; ?>><![CDATA[<?php echo $row_rsAll[$column]; ?>]]></<?php echo $column; ?>> <?php } ?></row><?php } while ($row_rsAll = mysql_fetch_assoc($rsAll)); ?><?php } ?></root><?php
mysql_free_result($rsAll);
?>
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Why do you use a persistent connection? And why do you have so many php tags? It's hard to read, and pretty unnecessary.
kkonline
Forum Contributor
Posts: 251
Joined: Thu Aug 16, 2007 12:54 am

Post by kkonline »

superdezign wrote: Why do you use a persistent connection? And why do you have so many php tags? It's hard to read, and pretty unnecessary.
What do you mean by having a persistent connection? Please explain.

I guess the PHP tags are only to get the data and then show it in XML format. I got this code from a friend.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

kkonline wrote: What do you mean by having a persistent connection? Please explain.
mysql_pconnect() creates a persistent connection, but you don't need one. You will end up reconnecting on every page request, and disconnecting after page requests are done.
kkonline wrote: I guess the PHP tags are only to get the data and then show it in XML format. I got this code from a friend.
It's disorganized and there are way too many. Any place where there is nothing between the closing tag and opening tag, get rid of it.
kkonline
Forum Contributor
Posts: 251
Joined: Thu Aug 16, 2007 12:54 am

Modified code

Post by kkonline »

You mean I should use mysql_connect() instead of mysql_pconnect() in the config.php inclusion, in which I have the connection settings? The following is the code that I modified; I replaced that redundant code with a do-while and a foreach, and it works fine.

config.php

Code:

<?php
$hostname_conn = "localhost";
$database_conn = "sql";
$username_conn = "root";
$password_conn = "pass";
$conn = mysql_connect($hostname_conn, $username_conn, $password_conn) or trigger_error(mysql_error(),E_USER_ERROR);

I have modified the code as below.

Code:

<?php

include 'config.php';

// The closing backtick after the table name was missing in the original line.
$query_rsAll = "SELECT `maintext` FROM `phpnews_news`";
$rsAll = mysql_query($query_rsAll, $conn) or die(mysql_error());

$row_rsAll = mysql_fetch_assoc($rsAll);
$totalRows_rsAll = mysql_num_rows($rsAll);

header('Content-type: text/xml');
header('Pragma: public');
header('Cache-control: private');
header('Expires: -1');

echo '<?xml version="1.0" encoding="utf-8"?><root>';

if ($totalRows_rsAll > 0) {
    do {
        echo '<row>';

        foreach ($row_rsAll as $column => $value) {
            // Entity-encodes & < > (quotes are left alone); the encoded text
            // is then placed inside a CDATA section, where it is not decoded.
            $row_rsAll[$column] = htmlentities($row_rsAll[$column], ENT_NOQUOTES, 'UTF-8');

            echo "<$column><![CDATA[" . $row_rsAll[$column] . "]]></$column>";
            // note the period . will join strings together.
        }

        echo '</row>';
    } while ($row_rsAll = mysql_fetch_assoc($rsAll));
}
echo '</root>';

mysql_free_result($rsAll);
?>

Now, is the code OK?
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

I'd use a while instead of a do...while and an if together.
kkonline
Forum Contributor
Posts: 251
Joined: Thu Aug 16, 2007 12:54 am

Post by kkonline »

I am working with an article manager and don't want & , ; % - ' " to be misprinted; also, the data should be free from XSS attacks as much as possible.

I am extracting data from the DB and then converting it into XML.

I use

Code:

$row_rsAll[$column]=htmlentities($row_rsAll[$column], ENT_NOQUOTES, 'UTF-8');
in the XML conversion code. Is that fine, or should I use htmlspecialchars()?

My aim is to secure against XSS and also the XML data when printed (when the article is printed in the browser it should not have &at; " &amp).

Or should I use the XSS-specific code written at http://svn.bitflux.ch/repos/public/popo ... linput.php
and apply it to $row_rsAll?
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Why do you keep on bringing up XSS? You are dealing with a database.
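The DB-to-XML export the thread is about, rewritten as an added example (not the poster's code) in which DOMDocument does the escaping: values go into text nodes, so a value containing "]]>" or markup cannot end an element early the way it can inside a hand-written CDATA section, and column names are allow-listed before being used as element names. The ALLOWED_COLUMNS list, the sample row and the DB_NAME/USER/PASS placeholders are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL table
// `phpnews_news` as in the thread; connection details are placeholders.

// Only these columns may become element names, so a column name never
// reaches the output unvalidated (assumed list).
const ALLOWED_COLUMNS = ['id', 'maintext'];

function isValidXmlName(string $name): bool {
    // Conservative ASCII subset of the XML Name production.
    return (bool) preg_match('/^[A-Za-z_][A-Za-z0-9_.-]*$/', $name);
}

function rowsToXml(array $rows): string {
    $doc = new DOMDocument('1.0', 'UTF-8');
    $root = $doc->createElement('root');
    $doc->appendChild($root);
    foreach ($rows as $row) {
        $rowEl = $doc->createElement('row');
        foreach ($row as $column => $value) {
            if (!in_array($column, ALLOWED_COLUMNS, true) || !isValidXmlName($column)) {
                continue; // never emit an unexpected column as an element name
            }
            $el = $doc->createElement($column);
            // A text node is escaped on write (& < > become entities), so
            // "]]>" inside the value is plain data, unlike in a CDATA section.
            $el->appendChild($doc->createTextNode((string) $value));
            $rowEl->appendChild($el);
        }
        $root->appendChild($rowEl);
    }
    return $doc->saveXML();
}

// Constructed sample row: in a hand-written CDATA section the "]]>" would
// close the section and let the rest of the value be parsed as markup.
$sample = [['id' => 1, 'maintext' => 'a & b ]]><evil/> "quoted"']];
header('Content-Type: text/xml; charset=utf-8');
echo rowsToXml($sample);

// Reading the real rows with PDO (placeholder DSN and credentials); the
// query carries no user input, and only the needed columns are selected.
// $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'USER', 'PASS');
// echo rowsToXml($pdo->query('SELECT id, maintext FROM phpnews_news')->fetchAll(PDO::FETCH_ASSOC));
```

Because the values are stored as escaped text rather than pre-encoded entities inside CDATA, an XML consumer gets the original characters back (& stays &), which is what the printed-article requirement in the thread asks for.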