PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
All times are UTC - 5 hours
PostPosted: Fri Oct 14, 2011 2:53 pm 
Forum Newbie

Joined: Sat Jun 11, 2011 10:45 pm
Posts: 11
Hi,
I'm new to this forum and I have a question.
I have written my class on top of PDO and it uses PDOStatement (prepare/execute). Now what I'm asking is, what else to do, as far as the database is concerned, to make my database very secure (assuming all other attacks in an app like XSS have been mitigated). Should I add escaping of strings before preparing them?
Thanks :D


 
PostPosted: Fri Oct 14, 2011 6:32 pm 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
Not having to escape data when using prepared statements is one of their major selling points. What you can do from now on for your DB security is to never use variables in the strings you prepare; you should only pass data via bind/execute.


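To make the point above concrete, here is an added example (not code from the original poster or from any reply in this thread). It uses an in-memory SQLite database through pdo_sqlite so it runs offline; the table, the rows and the attacker-controlled `$input` value are constructed for the demonstration. It shows the three cases the question raises: a variable interpolated into the SQL string, the same value passed through bind/execute, and what happens if you escape the value and then bind it anyway.

```php
<?php
// Added example, not from the thread. Constructed in-memory database so the
// snippet runs stand-alone with the pdo_sqlite extension.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('O''Brien')");

// Hypothetical attacker-controlled value, e.g. taken from $_GET['name'].
$input = "x' OR '1'='1";

// 1. Variable interpolated into the query string: the quote inside $input closes
//    the literal and the injected OR clause is true for every row.
$unsafe = $pdo->query("SELECT name FROM users WHERE name = '$input'")
              ->fetchAll(PDO::FETCH_COLUMN);
// $unsafe contains all three names.

// 2. Prepared statement with a bound parameter: the whole input is sent as one
//    string value, the shape of the query cannot change, so nothing matches.
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $input]);
$safe = $stmt->fetchAll(PDO::FETCH_COLUMN);
// $safe is an empty array.

// 3. Escaping before binding is not "extra safety", it corrupts the value:
//    the driver already treats the bound string literally, so the backslash
//    added by addslashes() becomes part of the value being compared.
$name = "O'Brien";
$stmt->execute([':name' => addslashes($name)]);   // compares against O\'Brien
$doubleEscaped = $stmt->fetchAll(PDO::FETCH_COLUMN); // empty, no such row
$stmt->execute([':name' => $name]);               // bind the raw value instead
$correct = $stmt->fetchAll(PDO::FETCH_COLUMN);    // ["O'Brien"]

printf(
    "interpolated: %d rows, bound: %d rows, escaped+bound: %d rows, raw bound: %d rows\n",
    count($unsafe), count($safe), count($doubleEscaped), count($correct)
);
// interpolated: 3 rows, bound: 0 rows, escaped+bound: 0 rows, raw bound: 1 rows
```

The third case is the answer to "should I add escaping before preparing": if the value is bound, escaping it first means your application stores and searches for something other than what the user typed, and if the value is interpolated, escaping is the fragile fix for a problem that binding removes entirely.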
 
PostPosted: Sat Oct 15, 2011 8:17 am 
Forum Newbie

Joined: Sat Jun 11, 2011 10:45 pm
Posts: 11


 
PostPosted: Sat Oct 15, 2011 9:28 am 
Forum Newbie

Joined: Sat Jun 11, 2011 10:45 pm
Posts: 11


 
PostPosted: Mon Oct 17, 2011 7:08 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria


 
PostPosted: Mon Oct 17, 2011 9:30 am 
Forum Newbie

Joined: Sat Jun 11, 2011 10:45 pm
Posts: 11


 
PostPosted: Mon Oct 17, 2011 9:38 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
The most common situation in which you can have vulnerable PDO code is when you want to have a sortable query, with the sort parameters given by the user.
Since you can't bind the column name to sort on, you need to include it dynamically in the query, and you need to take care to check that this is indeed a valid column, etc.


 
PostPosted: Mon Oct 17, 2011 10:08 am 
Forum Newbie

Joined: Sat Jun 11, 2011 10:45 pm
Posts: 11


 
PostPosted: Mon Oct 17, 2011 10:10 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
$id_col[0]?


 
PostPosted: Mon Oct 17, 2011 10:35 am 
Forum Newbie

Joined: Sat Jun 11, 2011 10:45 pm
Posts: 11


 
PostPosted: Mon Oct 17, 2011 11:12 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
The correct way to handle user input as column names is to check against a whitelist.


 
PostPosted: Mon Oct 17, 2011 11:25 am 
Forum Newbie

Joined: Sat Jun 11, 2011 10:45 pm
Posts: 11


 
PostPosted: Mon Oct 17, 2011 4:33 pm 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
whitelist = a list (array) of possible permitted values.
Everything not in the whitelist is considered evil.


 
PostPosted: Sat Oct 22, 2011 8:16 am 
Forum Newbie

Joined: Sat Jun 11, 2011 10:45 pm
Posts: 11


 
PostPosted: Sat Oct 22, 2011 12:59 pm 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
You can just hardcode them in your PHP source.


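The sortable-query case and the whitelist advice from the replies above, put together in one added example (this is not code posted by anyone in the thread). The in-memory SQLite table and its rows are constructed for the demonstration, and the hypothetical `fetchProducts()` function, the `SORT_COLUMNS`/`SORT_DIRECTIONS` maps and the sort-key names are my own choices. The request value is only ever used as an array key into a hardcoded map; the string that reaches `ORDER BY` always comes from the map, never from the request. The example also goes one step further than the thread and shows the sort direction being whitelisted the same way, since that is user input in the same position.

```php
<?php
// Added example, not from the thread. Constructed in-memory database so the
// snippet runs stand-alone with the pdo_sqlite extension.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)');
$pdo->exec("INSERT INTO products (name, price) VALUES ('pen', 1.5), ('book', 12.0), ('lamp', 30.0)");

// Whitelist, hardcoded in the PHP source: public sort key => real column name.
// The key the client sends never appears in the SQL; only the mapped value does.
const SORT_COLUMNS = [
    'name'   => 'name',
    'price'  => 'price',
    'newest' => 'id',   // the public key does not have to equal the column name
];
// The direction is user input in the same position, so it gets the same treatment.
const SORT_DIRECTIONS = ['asc' => 'ASC', 'desc' => 'DESC'];

/**
 * Hypothetical helper: run a sortable query where column, direction and limit
 * all come from the request. Anything not in the whitelist is rejected outright;
 * the value is not "cleaned" and there is no silent fallback on bad input.
 */
function fetchProducts(PDO $pdo, string $sortKey, string $direction, int $limit): array
{
    if (!array_key_exists($sortKey, SORT_COLUMNS)) {
        throw new InvalidArgumentException('Unknown sort column');
    }
    $dirKey = strtolower($direction);
    if (!array_key_exists($dirKey, SORT_DIRECTIONS)) {
        throw new InvalidArgumentException('Unknown sort direction');
    }

    // The only interpolated pieces are our own constants looked up from the maps.
    $sql = 'SELECT name, price FROM products'
         . ' ORDER BY ' . SORT_COLUMNS[$sortKey] . ' ' . SORT_DIRECTIONS[$dirKey]
         . ' LIMIT :limit';
    $stmt = $pdo->prepare($sql);
    // LIMIT is a value, so it can be bound, but it must be bound as an integer:
    // bound as a string it would be quoted by drivers that emulate prepares,
    // and "LIMIT '2'" is a syntax error on several database servers.
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Legitimate request, e.g. ?sort=price&dir=desc&limit=2
print_r(fetchProducts($pdo, 'price', 'desc', 2));   // lamp (30.0), book (12.0)

// Hostile request, e.g. ?sort=price;+DROP+TABLE+products--
// The string is compared against the whitelist and rejected; it never reaches SQL.
try {
    fetchProducts($pdo, 'price; DROP TABLE products --', 'asc', 10);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Keeping the map in source, as suggested above, also means the set of sortable columns is reviewed in code review like any other change, and renaming a database column does not change the public API because the request key and the column name are decoupled.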
 
Powered by phpBB® Forum Software © phpBB Group