database and application security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

ddragas
Forum Contributor
Posts: 445
Joined: Sun Apr 18, 2004 4:01 pm

database and application security

Post by ddragas »

Hi all,

I need advice on securing a database.

The database is strictly confidential, and a lot of users are going to use the application (PHP & MySQL). What can I do to make the DB secure and prevent user attacks on the application and the DB?

The current situation is: the connection to the database (file conn.php) is in the folder /public_html/admin/. Should I move it outside /public_html/?

The authorization code (login) is:


session_start(); // $_SESSION is used below, so the session must already be started

if (isset($_POST['prihvati']))
{
	// Restore an already logged-in user from the session, if any.
	if (isset($_SESSION['some_user']))
	{
		$some_user = $_SESSION['some_user'];
	}

	// Fresh login attempt: look the user up by e-mail and md5 of the posted password.
	if (isset($_POST['username']) and isset($_POST['pass']))
	{
		$kor_ime = $_POST['username']; // original read $_POST['some_user'], a field that is never posted
		$loz     = $_POST['pass'];
		$lozinka = md5($loz);

		include("../admin/conn.php");

		// $kor_ime and $lozinka go into the SQL string unescaped; this is the query the replies discuss.
		$sel  = "SELECT * FROM users where email = '$kor_ime' and lozinka_md5 = '$lozinka'";
		$quer = mysql_query($sel);
		$row  = mysql_fetch_array($quer);
		$some_user = $_SESSION['some_user'] = $row["id"];
		$Ime     = utf8_decode(stripslashes($row["ime"]));
		$Prezime = utf8_decode(stripslashes($row["prezime"]));
	}

	// Re-read the user's row by the id held in the session.
	if (isset($some_user))
	{
		include("../admin/conn.php");

		$sel  = "SELECT * FROM users where id='$some_user'";
		$quer = mysql_query($sel);
		$row  = mysql_fetch_array($quer);
		$some_user = $_SESSION['some_user'] = $row["id"];
		$Ime     = utf8_decode(stripslashes($row["ime"]));
		$Prezime = utf8_decode(stripslashes($row["prezime"]));
	}

	if (empty($some_user))
	{
		echo "<br>";
		echo "error in authorisation.";
		echo "<br>";
		session_destroy();
	}
	else
	{
		echo "WELCOME " . $Ime . " " . $Prezime;
		echo "<br>\n" . "<br>\n" . "Wait a minute ..........";
		echo "<meta http-equiv=\"refresh\" content=\"1;URL='main.php'\">\n";
	}
}

What should be changed in the login code to improve security, authorization, and access to the database and the data in it?

Any advice is welcome.

Regards, ddragas
Last edited by ddragas on Thu Feb 01, 2007 1:23 pm, edited 1 time in total.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

A start might be using mysql_real_escape_string() in your queries. Another thing is validating the input. So if you expect $_POST['username'] to be only alphanumeric characters, validate it for that. The same goes for $_POST['pass'].
ddragas
Forum Contributor
Posts: 445
Joined: Sun Apr 18, 2004 4:01 pm

Post by ddragas »

Thank you for the reply.

What about the file that is the connection to the DB?

Should I remove it from the public_html folder?

One more thing....

Should mysql_real_escape_string be used on every query or just the login query?

And would it help to use addslashes()?
Last edited by ddragas on Thu Feb 01, 2007 12:37 pm, edited 1 time in total.
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario

Post by nickvd »

Yes to both your questions...

Move connection credentials outside of the document root...

Use mysql_real.....() on EACH AND EVERY query where untrusted (read: user) input is used in the query...
ddragas
Forum Contributor
Posts: 445
Joined: Sun Apr 18, 2004 4:01 pm

Post by ddragas »

I've made a function for filtering $_POST or $_GET data:

// Blacklist filter: strips a fixed list of SQL keywords and punctuation from the input string.
function filter($string)
{
	$forbidden = array("SELECT", "DELETE", "UPDATE", " or ", " OR ", "select", "delete", "update",
	                   "{", "}", "[", "]", "(", ")", "&", "#", "$", "!", "=", "%");
	$change   = "";
	$filtered = str_replace($forbidden, $change, $string);
	return $filtered;
}

// Usage
$username = filter($_POST['username']);

Does this filtering have any effect on security?

If it does, what characters could be added to the array to be filtered?
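The advice given in this thread (keep the credentials file outside the document root, never build the SQL string from raw request input, and do not rely on a keyword blacklist like filter() above), carried through as an added example that is not the poster's code: the login lookup rewritten with PDO prepared statements, with password_hash()/password_verify() in place of md5() (a swapped-in technique, not what the thread uses). The table and column names users, email, id, ime and prezime come from the thread; the password_hash column, the private path of conn.php and the $pdo it defines are assumptions.

```php
<?php
// Added example, not the original poster's code. Assumes conn.php (outside the
// document root) defines $pdo = new PDO(...) and that users has a password_hash
// column holding password_hash() output instead of lozinka_md5.
declare(strict_types=1);

/**
 * Return the user's row for a matching e-mail/password pair, or null.
 * The e-mail is bound as a parameter, so no user input is ever spliced
 * into the SQL text; the password is checked in PHP, not in the query.
 */
function authenticate(PDO $pdo, string $email, string $password): ?array
{
    // Cheap structural validation before touching the database.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || $password === '') {
        return null;
    }

    $stmt = $pdo->prepare(
        'SELECT id, ime, prezime, password_hash FROM users WHERE email = :email'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() is constant-time and pairs with password_hash().
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);  // never keep the hash around in session data
    return $row;
}

// Assumed login handler; the path below is a placeholder outside public_html.
session_start();
require '/home/site/private/conn.php';   // assumption: defines $pdo
$user = authenticate($pdo, $_POST['username'] ?? '', $_POST['pass'] ?? '');
if ($user === null) {
    session_destroy();
    echo 'error in authorisation.';
    exit;
}
session_regenerate_id(true);             // fresh session id after a successful login
$_SESSION['some_user'] = $user['id'];
echo 'WELCOME ' . htmlspecialchars($user['ime'] . ' ' . $user['prezime'], ENT_QUOTES, 'UTF-8');
```

Every other query that takes request input should use the same prepare/execute pattern; with bound parameters neither mysql_real_escape_string() nor addslashes() has a role to play.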