PHP MySql Security Question

mguise
Forum Newbie
Posts: 21
Joined: Mon Mar 21, 2011 1:28 pm

PHP MySql Security Question

Post by mguise »

Hi All

I have been learning PHP and MySql. I have been learning how to fill out a form and use PHP to populate a database on MySql. I have also learned a bit about how to retrieve that information as a CSV for Excel. I am also going to use iFrame Tags to put a form on my client's Facebook page. I have learned enough that I believe I can make this happen. I am ready to take my skills to the next level.

My client's Facebook page is already going viral and he is about to give away some high dollar items. A contest. So his Facebook page is going to explode with traffic. In order to enter the contest we are going to need to retrieve personal info, like name, email, address, etc.

I have security concerns. Since this is my first attempt at this, how secure is PHP and MySQL? If I use a username and password on my server that should be enough to protect personal information, right? I will be responsible for a lot of personal information so I don't want to screw this up. Am I over my head?

My second question. I need my client to be able to retrieve that information from the MySql database. I was thinking of creating a page that he can access to retrieve the personal information. But again, there is another security issue. I would probably need to password protect it. Is there a better way to do this?

Here is an example of what I am trying to do http://www.facebook.com/Deergear?sk=app_156351054435971


Thanks for your help.
Jade
Forum Regular
Posts: 908
Joined: Sun Dec 29, 2002 5:40 pm
Location: VA

Re: PHP MySql Security Question

Post by Jade »

There are three main things you need to look out for as far as security is concerned. XSS injections and SQL injections are the big ones. If you're using mysqli then SQL injections shouldn't be a problem. If you're not then you need to use mysql_real_escape_string() around any input you're taking from the user and putting into the database.

Last but not least is what you can do to secure the data. You need to have strong passwords on all of your logins, especially the database connection, limit who has access to the information, and I would also encrypt your members' passwords using SHA1. Add an SSL certificate to seal the deal.
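An added example in PHP (not code from the thread or from Jade) of the points in this answer: contest entries are inserted through mysqli prepared statements so user input is never parsed as SQL, the client's login for the retrieval page is stored with password_hash() (PHP's built-in salted hashing API, used here in place of a bare SHA1 digest), and stored values are escaped before display so they cannot inject HTML into the page. The host, credentials, database name and the tables entries and logins are assumptions.

```php
<?php
// Added example, not from the forum thread. Connection details and the
// tables `entries` and `logins` are assumed for illustration only.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'contest_app', 'CHANGE-ME', 'contest');
$db->set_charset('utf8mb4');

/**
 * Save one contest entry. Values are bound as parameters, so a name such as
 * O'Brien is stored literally instead of breaking the SQL statement.
 */
function save_entry(mysqli $db, string $name, string $email, string $address): int
{
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    $stmt = $db->prepare(
        'INSERT INTO entries (name, email, address) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $name, $email, $address);
    $stmt->execute();
    return (int) $stmt->insert_id;
}

/** Create the client's login for the retrieval page (hash is salted per user). */
function create_login(mysqli $db, string $user, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO logins (username, pw_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $user, $hash);
    $stmt->execute();
}

/** Check a login attempt; true only when the stored hash matches. */
function check_login(mysqli $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM logins WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    return $row !== null && password_verify($password, $row['pw_hash']);
}

/** Escape a stored value before echoing it into the retrieval page (XSS). */
function render_cell(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
```

The retrieval page should call check_login() before showing any rows and be served only over the SSL certificate mentioned above.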