is this overkill?
With MySQL, would it be overkill to have an account that can only select data from the database, to be used whenever information is to be extracted from the database for eventual use? Of course there will be another account that will have more privileges so that it can update, create, and delete.
* Reason this is in PHP security is that it is for use within a PHP-driven system.
It will add another level of security, at the DB layer. I would always do this when I am permitted and able to create more than one user with different privileges on a database. Pity for me these cases are rare because of the limits in hosting providers' plans.
It would make some SQL injection attacks useless, but you still should take care of security at code level.
There are 10 types of people in this world, those who understand binary and those who don't
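The two-account setup asked about in the original post, written out as MySQL statements. This is an added example, not code from any poster; the schema name `shop`, the account names, host and passwords are assumed placeholders.

```sql
-- Added example: one read-only account for code paths that only display data,
-- one read/write account for code paths that insert, update or delete.
-- Schema name, account names, host and passwords are assumed placeholders.
CREATE DATABASE IF NOT EXISTS shop;

-- Read-only account: SELECT on the application schema and nothing else.
-- It has no FILE privilege, so SELECT ... INTO OUTFILE is refused as well.
CREATE USER 'shop_reader'@'localhost' IDENTIFIED BY 'CHANGE-ME-reader';
GRANT SELECT ON shop.* TO 'shop_reader'@'localhost';

-- Read/write account: still scoped to the one schema; no GRANT OPTION,
-- no FILE, no SUPER, so a compromised page cannot widen its own access.
CREATE USER 'shop_writer'@'localhost' IDENTIFIED BY 'CHANGE-ME-writer';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'shop_writer'@'localhost';

-- Verify what each account can actually do before wiring it into PHP.
SHOW GRANTS FOR 'shop_reader'@'localhost';
SHOW GRANTS FOR 'shop_writer'@'localhost';

-- Connected as shop_reader, a write is refused by the server itself,
-- however the query string was assembled on the PHP side:
--   DELETE FROM shop.users WHERE id = 1;
--   ERROR 1142 (42000): DELETE command denied to user 'shop_reader'@'localhost' for table 'users'
```

Pages that only read data connect as `shop_reader`; only the handlers that must modify data get the `shop_writer` credentials, and both still need proper escaping or prepared statements at code level.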
If you're using mysql, mysql_query() does not allow multiple queries, so this will be useless. The only query you might be able to change a select to that would change things would be "SELECT .. FROM .. INTO .. WHERE ...", but the only place where you're going to have user input is in the WHERE section.
However, if you're using Mysqli or PDO, I am unaware whether they support multiple queries.
My method for preventing SQL injection, XSS, etc. is:
1. Always use raw input (ignore magic_quotes, etc.) -- This means you are in charge of escaping anything
2. Always addslashes() on mysql query strings, or intval() for integers (nowhere else, as they don't need it)
3. Always use htmlspecialchars() or htmlentities() on output (not on storage, as it doesn't need to be escaped yet)
4. Always use urlencode() on items passed through a URL
5. Any places where needed, validate for CSRF (cross-site request forgery) - BIGGEST PAIN IN THE ARSE!
6. Always do input validation. -- MOST IMPORTANT
I personally have an input() function which works with the filter functions in PHP, which gets the POST and GET variables and also handles CLI input, and which handles validation of email, URL, etc. This ensures I only get the values I want; then everything is passed raw to any objects, functions, etc. It is the places which output or store which should be in charge of escaping unsafe characters, not the whole PHP script (like magic_quotes, which I hate so much).
Although the best security is a good database abstraction class, it never hurts to create some more access limits. It makes great sense to only allow select-only DB access for non-registered guests, who won't be able to edit the database anyway. If it doesn't cause unnecessary problems for you, it seems like a decent security measure. Don't feel overly secure and feel like you don't need to keep your code clean and well-written because of it, though. Evil-doers will have no problem registering a regular account on your site if they are truly determined.
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
ReDucTor wrote: If you're using mysql, mysql_query() does not allow multiple queries
You know... I never even thought of that. I always thought it was a bad thing that mysql_query had that limitation.
ReDucTor wrote: 2. Always addslashes() on mysql query strings, or intval() for integers (nowhere else, as they don't need it)
*cough*mysql_escape_string()*cough*
ReDucTor wrote: 4. Always use urlencode() on items passed through a URL
... Why? That wouldn't help MySQL.
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm