PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
All times are UTC - 5 hours
 Post subject: security issue
PostPosted: Sat May 12, 2012 4:54 am 
Forum Newbie

Joined: Sat May 12, 2012 4:40 am
Posts: 3
What are all the security issues in PHP and MySQL, and how are they stopped?

 Post subject: Re: security issue
PostPosted: Sun May 13, 2012 9:47 pm 
Forum Regular

Joined: Tue Sep 28, 2010 11:41 am
Posts: 984
Location: Columbus, Ohio
Most of the security issues in PHP / MySQL are due to poor programming practices.

See the first thread in this section (Security) for links to a lot of info.

Mainly, though, the #1 issue is: NEVER TRUST data the visitor of the site can manipulate. Here is a basic list:

Anything in $_POST (or older config variants like $HTTP_POST_VARS, same for others below)
Anything in $_GET
Anything in $_COOKIE
Certain items in $_SERVER such as:
-- $_SERVER['HTTP_USER_AGENT']
-- $_SERVER['HTTP_REFERRER']
-- $_SERVER['PHP_SELF']

Note, depending on server settings there can be other issues too.

For any item the user can manipulate, I recommend the following:

When using it in a database query, either use PDO for data handling or, if using the mysql* functions, be sure to use mysql_real_escape_string($var) (not just addslashes()).

When going to use that data for display on a web page, including as part of a value="" attribute, use htmlspecialchars($var, ENT_QUOTES).

When going to use it in a link as part of a URL, use urlencode($var).

Also, it is best to validate anything you are going to use, and my preference is to make sure you initialize ANY variable that will be used. (This is especially important on a script running on a system that auto-creates variables based off of the POST/GET values.)

Lastly, never let data from a user set values for things such as filenames to read/write or e-mail addresses to send to.

-Greg
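The rules in the post above, worked through in code. This is an added example, not code from the thread or its author: the unsafe pattern first, then the hardened form using the functions Greg names. It assumes a `users(id, name)` table and passes a `$get` array in place of `$_GET` so it can be run from the command line against constructed data in an in-memory SQLite database via PDO.

```php
<?php
// Added example, not code from the thread. Shows the "never trust $_GET" rule:
// the unsafe pattern, then the hardened form using the functions Greg lists.
// Assumptions: a users(id, name) table; $get stands in for $_GET so it can be
// called with constructed input. The demo uses in-memory SQLite via PDO.

// UNSAFE: raw request data lands in the SQL text and in the HTML output.
function unsafeLookup(PDO $pdo, array $get): string
{
    $id  = $get['id'];                                             // no validation
    $row = $pdo->query("SELECT name FROM users WHERE id = $id")    // SQL injection
               ->fetch(PDO::FETCH_ASSOC);
    return "<a href='/user?name={$row['name']}'>{$row['name']}</a>"; // XSS
}

// HARDENED: initialise + validate, prepared statement, urlencode, htmlspecialchars.
function safeLookup(PDO $pdo, array $get): string
{
    // Initialise and validate: id must be a positive integer or the request is rejected.
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return '<p>Invalid user id.</p>';
    }
    // Database: a PDO prepared statement keeps data out of the SQL text.
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '<p>No such user.</p>';
    }
    // URL: urlencode() the value going into the query string.
    $href = '/user?name=' . urlencode($row['name']);
    // HTML: htmlspecialchars(..., ENT_QUOTES) for both attribute and text contexts.
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'O''Brien <b>x</b>')");

echo safeLookup($pdo, ['id' => '1']), PHP_EOL;
echo safeLookup($pdo, ['id' => '1 OR 1=1']), PHP_EOL; // rejected before reaching the DB
echo safeLookup($pdo, ['id' => '99']), PHP_EOL;       // no such user
```

Note that `unsafeLookup()` is defined only for comparison and is never called; the hardened function rejects the non-integer id before any SQL is built.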

 Post subject: Re: security issue
PostPosted: Sat Oct 13, 2012 10:22 am 
Forum Regular

Joined: Tue Sep 28, 2010 11:41 am
Posts: 984
Location: Columbus, Ohio
If someone is changing your database, it could be that they have a script installed on your server, in which case changing passwords won't do one bit of good: anything the site can access, the script can access too.

If it is in fact payment information that is being altered, then you really need to make that a top priority and get someone to fix it. I'm not sure how things are in the country you are in; however, here, being the cause of identity and even worse payment information leaks can be very costly. (Not to mention, if the public finds out about it, you are going to find sales will drop off big time!)

On the plus side, if you are consistently seeing this happen, while it sucks it is happening, you have the benefit of putting monitoring and tracking in place to catch them.

Then there is the possibility that it could just be a programming problem if something was changed recently. I once made a mistake (back before I used to set up separate dev/live environments, 10 years ago) that ended up with code doing an update to a table missing the condition to limit it to one row. (This is why I do a DB backup before pushing any change like that live.)

If I am understanding you correctly that this is an issue with payment information, then this is really something where you need to take the hit (pay the money) and get someone in there ASAP to get this cleaned up. Nothing is worse for an ecom business than for customers to hear their payment information is not safe with you. Not to mention what legal liability you would have for being the cause of the leak.

Sorry this wasn't a "here's what to check", however there are just too many variables to things (on top of possible misunderstandings from the language barrier here). About the best I can say is that until you get it figured out, enable the most logging you can on the site, and don't let the logs rotate out until you get it figured out. I have spent hours going through system log files to track down hacks before, at one point having to change php.ini to prepend my logging script before any script called on the server, so I had a log of all POST data being sent into the server. Man, does that eat up disk space, but within 24 hours of the next attack I had it figured out.

Good luck on this.

-Greg
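The "prepend a logging script before every script" technique from the post above, as an added example that is not the poster's script. It is meant to be loaded through the php.ini directive `auto_prepend_file` so it runs ahead of every request; the log path is a hypothetical placeholder, and the list of field names treated as sensitive is constructed here so the log of POST bodies does not itself become a leak of payment data.

```php
<?php
// Added example, not the poster's script. A minimal request logger meant to be
// loaded via php.ini `auto_prepend_file = /path/to/request_log.php` so it runs
// before every script, as described in the post. Assumptions: the log path is
// hypothetical; the pattern of sensitive field names is a constructed list.

const REQUEST_LOG  = '/var/log/php-requests.log';   // hypothetical path
const SENSITIVE_RE = '/pass|pwd|card|cvv|ccnum|token|secret/i';

// Replace values of sensitive-looking keys so the log itself doesn't leak data.
function redactFields(array $data): array
{
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $data[$key] = redactFields($value);
        } elseif (preg_match(SENSITIVE_RE, (string) $key)) {
            $data[$key] = '[REDACTED len=' . strlen((string) $value) . ']';
        }
    }
    return $data;
}

// Build one JSON line per request: who, what, and the (redacted) POST body.
function buildLogLine(array $server, array $post): string
{
    $record = [
        'ts'     => date('c'),
        'ip'     => $server['REMOTE_ADDR'] ?? '-',
        'method' => $server['REQUEST_METHOD'] ?? '-',
        'uri'    => $server['REQUEST_URI'] ?? '-',
        'script' => $server['SCRIPT_FILENAME'] ?? '-',
        'ua'     => $server['HTTP_USER_AGENT'] ?? '-',  // visitor-controlled; stored as data only
        'post'   => redactFields($post),
    ];
    return json_encode($record, JSON_UNESCAPED_SLASHES) . PHP_EOL;
}

if (PHP_SAPI !== 'cli') {
    // Real web request: append with an exclusive lock so concurrent lines don't interleave.
    file_put_contents(REQUEST_LOG, buildLogLine($_SERVER, $_POST), FILE_APPEND | LOCK_EX);
} else {
    // Constructed sample request so the script can be exercised from the command line.
    $sampleServer = ['REMOTE_ADDR' => '203.0.113.5', 'REQUEST_METHOD' => 'POST',
                     'REQUEST_URI' => '/checkout.php', 'SCRIPT_FILENAME' => '/var/www/checkout.php',
                     'HTTP_USER_AGENT' => 'Mozilla/5.0'];
    $samplePost   = ['user' => 'alice', 'card_number' => '4111111111111111', 'note' => 'x'];
    echo buildLogLine($sampleServer, $samplePost);
}
```

Because every request appends a line, the log grows quickly (the disk-space cost the post mentions), so pair it with a retention plan rather than letting it rotate away before the next incident is analysed.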
