Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
ddragas
Forum Contributor
Posts: 445 Joined: Sun Apr 18, 2004 4:01 pm
Post by ddragas » Thu Feb 01, 2007 11:33 am
Hi all,
I need advice on securing a database.
The database is strictly confidential, and a lot of users are going to use the application (PHP & MySQL). What can I do to make the DB secure and prevent user attacks on the application & DB?
The current situation is: the connection to the database (file conn.php) is in the folder /public_html/admin/. Should I move it outside /public_html/?
The authorization code (login) is:
if (isset($_POST['prihvati']))
{
    // Reuse an already authenticated session, if there is one
    if (isset($_SESSION['some_user']))
    {
        $some_user = $_SESSION['some_user'];
    }
    if ((isset($_POST['username'])) and (isset($_POST['pass'])))
    {
        $kor_ime = $_POST['username'];   // same field name as in the isset() check above
        $loz = $_POST['pass'];
        $lozinka = md5($loz);            // unsalted MD5 of the submitted password
        include("../admin/conn.php");    // database connection (same file name used throughout)
        // user input is placed directly into the SQL string
        $sel = "SELECT * FROM users where email = '$kor_ime' and lozinka_md5 = '$lozinka'";
        $quer = mysql_query($sel);
        $row = mysql_fetch_array($quer);
        $some_user = $_SESSION['some_user'] = $row["id"];
        $Ime = utf8_decode(stripslashes($row["ime"]));
        $Prezime = utf8_decode(stripslashes($row["prezime"]));
    }
    if (isset($some_user))
    {
        include("../admin/conn.php");
        // session value is placed directly into the SQL string as well
        $sel = "SELECT * FROM users where id='$some_user'";
        $quer = mysql_query($sel);
        $row = mysql_fetch_array($quer);
        $some_user = $_SESSION['some_user'] = $row["id"];
        $Ime = utf8_decode(stripslashes($row["ime"]));
        $Prezime = utf8_decode(stripslashes($row["prezime"]));
    }
    if (empty($some_user))
    {
        echo "<br>";
        echo "error in authorisation.";
        echo "<br>";
        session_destroy();
    }
    else
    {
        echo "WELCOME " . $Ime . " " . $Prezime;
        echo "<br>\n" . "<br>\n" . "Wait a minute ..........";
        echo "<meta http-equiv=\"refresh\" content=\"1;URL='main.php'\">\n";
    }
}
What should be changed in the login code to improve security, authorization, and access to the database and the data in it?
Any advice is welcome.
regards, ddragas
Last edited by ddragas on Thu Feb 01, 2007 1:23 pm, edited 1 time in total.
matthijs
DevNet Master
Posts: 3360 Joined: Thu Oct 06, 2005 3:57 pm
Post by matthijs » Thu Feb 01, 2007 12:17 pm
A start might be using mysql_real_escape_string() in your queries. Another thing is validating the input. So if you expect $_POST['username'] to contain only alphanumeric characters, validate it for that. The same goes for $_POST['pass'].
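The login step from the first post, rewritten as an added example (not ddragas's code and not something the replies posted) along the lines matthijs suggests: the fields are validated first, and user input never becomes part of the SQL text. It goes one step beyond the escaping advice by binding parameters with mysqli prepared statements instead of calling mysql_real_escape_string(), and it verifies a password_hash() value instead of an unsalted MD5. Assumptions: PHP 5.5 or later with mysqli, a connection file outside public_html that defines `$mysqli`, and a `users` table with the thread's `id`, `email`, `ime` and `prezime` columns plus an assumed `password_hash` column replacing `lozinka_md5`.

```php
<?php
// Added example, not the thread's code. Login with validated input, bound
// parameters and password_verify(). Assumed: PHP >= 5.5, mysqli, a `users`
// table (id, email, ime, prezime, password_hash) and a connection file that
// lives outside the document root and defines $mysqli.

session_start();
require dirname(dirname(__DIR__)) . '/private/conn.php';   // assumed location; defines $mysqli

/**
 * Validate the submitted form fields before touching the database.
 * Returns array($email, $password), or null when the input is unusable.
 */
function read_login_input(array $post)
{
    if (!isset($post['username'], $post['pass'])) {
        return null;
    }
    $email = trim((string) $post['username']);
    // The username field is compared with the email column, so validate it
    // as an e-mail address rather than stripping "dangerous" characters.
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $pass = $post['pass'];
    // Passwords may contain any character; only empty or absurdly long values
    // are rejected. The value is hashed, never placed into SQL as text.
    if (!is_string($pass) || $pass === '' || strlen($pass) > 1024) {
        return null;
    }
    return array($email, $pass);
}

/**
 * Fetch the user by e-mail with a bound parameter and check the password
 * against the stored hash. Returns the user row, or null on failure.
 */
function authenticate(mysqli $db, $email, $pass)
{
    $stmt = $db->prepare('SELECT id, ime, prezime, password_hash FROM users WHERE email = ? LIMIT 1');
    if ($stmt === false) {
        error_log('prepare failed: ' . $db->error);
        return null;
    }
    $stmt->bind_param('s', $email);   // sent to the server separately from the SQL text
    $stmt->execute();
    $stmt->bind_result($id, $ime, $prezime, $hash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found || !password_verify($pass, $hash)) {
        return null;   // one outcome for "no such user" and "wrong password"
    }
    return array('id' => $id, 'ime' => $ime, 'prezime' => $prezime);
}

if (isset($_POST['prihvati'])) {
    $input = read_login_input($_POST);
    $user = ($input !== null) ? authenticate($mysqli, $input[0], $input[1]) : null;

    if ($user === null) {
        session_destroy();
        echo '<br>error in authorisation.<br>';
    } else {
        session_regenerate_id(true);          // fresh session id after login
        $_SESSION['some_user'] = $user['id'];
        header('Refresh: 1; URL=main.php');   // must be sent before any output
        echo 'WELCOME ' . htmlspecialchars($user['ime'] . ' ' . $user['prezime'], ENT_QUOTES, 'UTF-8');
        echo "<br>\n<br>\nWait a minute ..........";
    }
}
```

The second lookup from the original (re-reading the row by `$_SESSION['some_user']` on every request) would use the same pattern, binding the id with `bind_param('i', $id)`. Existing MD5 rows can be migrated by storing `password_hash($pass, PASSWORD_DEFAULT)` at the next successful login or at registration.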
ddragas
Forum Contributor
Posts: 445 Joined: Sun Apr 18, 2004 4:01 pm
Post by ddragas » Thu Feb 01, 2007 12:25 pm
Thank you for the reply.
What about the file that holds the connection to the DB?
Should I remove it from the public_html folder?
One more thing ....
Should mysql_real_escape_string be used on every query or just the login query?
And would it help to use addslashes()?
Last edited by ddragas on Thu Feb 01, 2007 12:37 pm, edited 1 time in total.
nickvd
DevNet Resident
Posts: 1027 Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario
Post by nickvd » Thu Feb 01, 2007 12:36 pm
Yes to both your questions...
Move connection credentials outside of the document root...
Use mysql_real.....() on EACH AND EVERY query where untrusted (read: user) input is used in the query...
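One way to lay out the connection file nickvd describes, as an added example that is not part of the thread. The directory names and the database account are assumptions; the point is that `private/` sits beside `public_html/` so the web server never maps it to a URL, and a script under `public_html/` reaches it by a path relative to its own location.

```php
<?php
// Added example, not the thread's code.
// Assumed layout:
//   /home/example/private/conn.php             <- this file, not web-served
//   /home/example/public_html/admin/login.php  <- includes it with:
//       require dirname(dirname(__DIR__)) . '/private/conn.php';

// Refuse to run if the file is ever requested directly (e.g. through a
// misconfigured alias); an include sets SCRIPT_FILENAME to the including script.
if (isset($_SERVER['SCRIPT_FILENAME']) && realpath($_SERVER['SCRIPT_FILENAME']) === __FILE__) {
    header('HTTP/1.1 404 Not Found');
    exit;
}

// Credentials exist only here. Use a dedicated account that has just the
// privileges the application needs on its own database, not root.
$mysqli = new mysqli('localhost', 'app_user', 'REPLACE_WITH_PASSWORD', 'app_db');
if ($mysqli->connect_error) {
    error_log('DB connect failed: ' . $mysqli->connect_error);   // details go to the log, not the browser
    exit('Service unavailable');
}
$mysqli->set_charset('utf8mb4');   // fixed connection charset; escaping depends on it

/**
 * Sanity check for deployment: true when $file does not resolve inside the
 * web server's document root.
 */
function outside_document_root($file)
{
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    $real = realpath($file);
    if ($docRoot === false || $real === false) {
        return false;
    }
    return strpos($real, rtrim($docRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) !== 0;
}

if (!outside_document_root(__FILE__)) {
    error_log('conn.php is inside the document root: ' . __FILE__);
}
```

Keeping the file outside the document root protects the password when PHP handling fails (a server misconfiguration serving `.php` files as text, a backup such as `conn.php~` left in the directory, or a directory listing); the direct-request guard only covers the case where the file is still reachable through the web server.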
ddragas
Forum Contributor
Posts: 445 Joined: Sun Apr 18, 2004 4:01 pm
Post by ddragas » Thu Feb 01, 2007 12:58 pm
I've made a function for filtering $_POST or $_GET data:
function filter($string)
{
    // Blacklist: each listed token is deleted from the input in a single pass
    $forbidden = array("SELECT", "DELETE", "UPDATE", " or ", " OR ", "select", "delete", "update",
                       "{", "}", "[", "]", "(", ")", "&", "#", "$", "!", "=", "%");
    $change = "";
    $filtered = str_replace($forbidden, $change, $string);
    return $filtered;
}
// Usage
$username = filter($_POST['username']);
Does this filtering affect security?
If it does, what characters could be added to the array to be filtered?
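An added example (not the poster's code) that runs the filter() function from the post over a few constructed inputs and places a whitelist check next to it. It illustrates what a removal blacklist does to legitimate values and what it leaves alone: in the thread's query the e-mail is wrapped in single quotes, and the single quote is not on the list, while characters that are perfectly valid in a password are silently deleted. The sample values and the length limits are assumptions.

```php
<?php
// Added example, not the thread's code. Compares the posted blacklist filter
// with whitelist validation on constructed inputs.

function filter($string)
{
    $forbidden = array("SELECT", "DELETE", "UPDATE", " or ", " OR ", "select", "delete", "update",
                       "{", "}", "[", "]", "(", ")", "&", "#", "$", "!", "=", "%");
    return str_replace($forbidden, "", $string);
}

// Whitelist: say what a valid value looks like and reject everything else.
function valid_email($s)
{
    return is_string($s) && strlen($s) <= 254 && filter_var($s, FILTER_VALIDATE_EMAIL) !== false;
}

function valid_password($s)
{
    // Every character is allowed; only the length is constrained. The value is
    // hashed (or bound as a parameter), so nothing needs to be removed from it.
    return is_string($s) && strlen($s) >= 8 && strlen($s) <= 1024;
}

// Constructed inputs (single quotes so PHP does not interpolate the $ signs).
$samples = array(
    'pa$$w0rd!'            => 'valid password; the blacklist deletes $ and !, so a different value is checked',
    "o'reilly@example.com" => "valid e-mail; the blacklist ignores ', the character that delimits the query string",
    'Ford or Fiat'         => 'ordinary text; the blacklist deletes the word "or" and its surrounding spaces',
    'notanemail'           => 'rejected by valid_email(), untouched by the blacklist',
);

printf("%-22s | %-22s | %-5s | %s\n", 'input', 'filter()', 'email', 'note');
foreach ($samples as $input => $note) {
    printf("%-22s | %-22s | %-5s | %s\n",
        $input,
        filter($input),
        valid_email($input) ? 'yes' : 'no',
        $note
    );
}
// filter('pa$$w0rd!') gives 'paw0rd'; filter("o'reilly@example.com") is unchanged
// and valid_email() accepts it, because the apostrophe is a legal local-part character.
```

The take-away for the thread's question is that the list cannot be completed: any character set that is legal in the field will eventually be needed by a real user, and the one character that matters for the quoted query is not a "forbidden" word at all. Validation narrows what is accepted; keeping the value out of the SQL text (escaping with mysql_real_escape_string() as suggested above, or parameter binding) is what makes the remaining characters harmless.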