
database and application security

Posted: Thu Feb 01, 2007 11:33 am
by ddragas
Hi all

I need advice on securing database.

The database is strictly confidential, and a lot of users are going to use the application (PHP & MySQL). What can I do to make the DB secure and prevent user attacks on the application & DB?

The current situation is: the connection to the database (file conn.php) is in the folder /public_html/admin/. Should I move it outside /public_html/?

The authorization code (login) is:

// Login handler (mysql_* extension, PHP 5 era). Both queries place
// request-controlled values straight into the SQL string.
if (isset($_POST['prihvati']))
{
	// Reuse an already authenticated session, if there is one.
	if (isset($_SESSION['some_user']))
	{
		$some_user = $_SESSION['some_user'];
	}

	// Fresh login from the form.
	if (isset($_POST['username']) and isset($_POST['pass']))
	{
		$kor_ime = $_POST['username'];
		$loz     = $_POST['pass'];
		$lozinka = md5($loz);

		include("../admin/con_db.php");

		// Username and password hash are interpolated without escaping or binding.
		$sel  = "SELECT * FROM users where email = '$kor_ime' and lozinka_md5 = '$lozinka'";
		$quer = mysql_query($sel);
		$row  = mysql_fetch_array($quer);
		$some_user = $_SESSION['some_user'] = $row["id"];
		$Ime     = utf8_decode(stripslashes($row["ime"]));
		$Prezime = utf8_decode(stripslashes($row["prezime"]));
	}

	// Load the user record for the current session id.
	if (isset($some_user))
	{
		include("../admin/conn.php");

		$sel  = "SELECT * FROM users where id='$some_user'";
		$quer = mysql_query($sel);
		$row  = mysql_fetch_array($quer);
		$some_user = $_SESSION['some_user'] = $row["id"];
		$Ime     = utf8_decode(stripslashes($row["ime"]));
		$Prezime = utf8_decode(stripslashes($row["prezime"]));
	}

	if (empty($some_user))
	{
		echo "<br>";
		echo "error in authorisation.";
		echo "<br>";
		session_destroy();
	}
	else
	{
		echo "WELCOME " . $Ime . " " . $Prezime;
		echo "<br>\n" . "<br>\n" . "Wait a minute ..........";
		echo "<meta http-equiv=\"refresh\" content=\"1;URL='main.php'\">\n";
	}
}

What should be changed in the login code to improve security and authorization, and access to the database and the data in it?

Any advice is welcome

regards ddragas

Posted: Thu Feb 01, 2007 12:17 pm
by matthijs
A start might be using mysql_real_escape_string() in your queries. Another thing is validating the input. So if you expect $_POST['username'] to be only alphanumeric characters, validate it for that. The same goes for $_POST['pass'].

Posted: Thu Feb 01, 2007 12:25 pm
by ddragas
Thank you for the reply.

What about the file that holds the connection to the DB?

Should I remove it from the public_html folder?



One more thing ....

Should mysql_real_escape_string be used on every query or just the login query?

And would it help to use addslashes()?

Posted: Thu Feb 01, 2007 12:36 pm
by nickvd
Yes to both of your questions...

Move connection credentials outside of document root...

Use mysql_real.....() on EACH AND EVERY query where untrusted (read: user) input is used in the query...
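
The two points in the replies above (credentials outside the document root, and never letting user input become SQL text) in one login handler, as an added example rather than code from this thread. It goes one step further than mysql_real_escape_string(): it uses PDO prepared statements, which bind the values instead of escaping them, so the same query is safe regardless of quoting. Table and column names (users, email, lozinka_md5, ime, prezime) are the thread's; the config path, the PDO setup and the function name find_user() are assumptions, and the script is assumed to live in /public_html/admin/.

```php
<?php
// Added example, not from the thread. Login query with bound parameters
// and a credentials file that the web server cannot serve.
session_start();

// Layout assumed here (credentials one level ABOVE the web root):
//   /home/site/config/db.php      <- defines $db_dsn, $db_user, $db_pass
//   /home/site/public_html/admin/ <- this script
require __DIR__ . '/../../config/db.php';

$pdo = new PDO($db_dsn, $db_user, $db_pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

// Returns the user row on success, null on any failure (bad e-mail
// syntax, no match). The password hashing scheme (md5 column) is the
// thread's existing one and is kept as-is; only the query is hardened.
function find_user(PDO $pdo, string $email, string $password): ?array
{
    // Whitelist validation first: reject anything that is not an e-mail
    // address before it reaches the database at all.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Placeholders: the values are sent separately from the SQL text, so
    // a quote inside $email can never terminate the string literal.
    $stmt = $pdo->prepare(
        'SELECT id, ime, prezime FROM users WHERE email = ? AND lozinka_md5 = ?'
    );
    $stmt->execute([$email, md5($password)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

if (isset($_POST['prihvati'], $_POST['username'], $_POST['pass'])) {
    $user = find_user($pdo, $_POST['username'], $_POST['pass']);
    if ($user === null) {
        session_destroy();
        echo 'error in authorisation.';
    } else {
        session_regenerate_id(true);          // fresh session id after login
        $_SESSION['some_user'] = $user['id'];
        // Escape on output so a stored name cannot inject HTML into the page.
        echo 'WELCOME ' . htmlspecialchars($user['ime'] . ' ' . $user['prezime'], ENT_QUOTES, 'UTF-8');
        echo "<meta http-equiv=\"refresh\" content=\"1;URL='main.php'\">\n";
    }
}
```

If you stay on the old mysql extension as in the thread, the equivalent is to open the connection first and wrap every interpolated value in mysql_real_escape_string(), on every query, as nickvd says; binding just makes that impossible to forget.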

Posted: Thu Feb 01, 2007 12:58 pm
by ddragas
I've made a function for filtering $_POST or $_GET data

// Blacklist filter: strips a fixed list of keywords and characters.
function filter($string)
{
	$forbidden = array("SELECT", "DELETE", "UPDATE", " or ", " OR ", "select", "delete", "update", "{", "}", "[", "]", "(", ")", "&", "#", "$", "!", "=", "%");
	$change    = "";
	$filtered  = str_replace($forbidden, $change, $string);
	return $filtered;
}

// Usage
$username = filter($_POST['username']);
Does this filtering have any effect on security?

If it does, what characters could be added to the array to be filtered?
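
An added example, not code from the thread, that runs the blacklist filter above next to a whitelist validator over a few constructed inputs. The point for a defender: a blacklist silently damages legitimate data (a username that happens to contain "select" loses those letters, so the stored value and the submitted value no longer agree), while it never touches the one character, the single quote, that actually ends a SQL string literal; escaping or binding handles that, validation decides what the field may contain. The validator functions and the sample values are assumptions.

```php
<?php
// Added example, not from the thread: blacklist filter vs whitelist
// validation over constructed sample input.

// The thread's function, kept unchanged for comparison.
function filter(string $string): string
{
    $forbidden = ["SELECT", "DELETE", "UPDATE", " or ", " OR ", "select", "delete",
                  "update", "{", "}", "[", "]", "(", ")", "&", "#", "$", "!", "=", "%"];
    return str_replace($forbidden, "", $string);
}

// Whitelist: state what the field is allowed to contain and reject the
// rest, instead of enumerating what might be dangerous.
function valid_username(string $u): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $u) === 1;
}

function valid_email(string $e): bool
{
    return strlen($e) <= 254 && filter_var($e, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed sample values (not real accounts).
$samples = [
    'selection',                // ordinary username that contains "select"
    'update_bot',               // ordinary username that contains "update"
    'ana.kostic@example.com',   // e-mail address used as the login name
    "o'connor",                 // a quote: not in the blacklist at all
];

foreach ($samples as $s) {
    printf("%-26s filter() -> %-24s username? %-4s email? %s\n",
        $s,
        var_export(filter($s), true),
        valid_username($s) ? 'yes' : 'no',
        valid_email($s) ? 'yes' : 'no');
}
```

Running it shows filter('selection') returning 'ion' and filter('update_bot') returning '_bot', i.e. legitimate values rewritten before they ever reach the query, while "o'connor" passes through untouched. Extending the array does not change that picture; the reliable combination is whitelist validation of each field plus mysql_real_escape_string() or a bound parameter on every value that goes into a query.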