I think a complete all-in-one book could be good for you. So get yourself a book and read it through, after that come back to your project and start thinking about your overall code design.
WithHisStripes wrote:
Hey kaisellgren, thanks for the feedback. I guess I just don't understand what makes executing PHP from a record a security risk if the only way to insert a record is password protected either using CPanel or an administrator login module.
And as for learning more PHP, can you be more specific? I don't take offense to that - I have zero formal education and I've learned everything I know from helpful folks like you and tutorials. So I'd love to hear where you think I need to have a better understanding?
Thanks!
Executing PHP that is stored in a MySQL record
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Executing PHP that is stored in a MySQL record
WithHisStripes
- Forum Contributor
- Posts: 131
- Joined: Tue Sep 13, 2005 7:48 pm
Re: Executing PHP that is stored in a MySQL record
All right, thanks again guys!
WithHisStripes
- Forum Contributor
- Posts: 131
- Joined: Tue Sep 13, 2005 7:48 pm
Re: Executing PHP that is stored in a MySQL record
I have another question...
I'm working on a pre-existing Drupal website. And the previous developer used PHP includes on certain pages. Because I've seen this done on so many other websites it makes me think that there is a safe way to do that, considering the page content is also stored in a database. Am I wrong? If so, why is this so widely used and what exactly does one mean when they say it makes it "vulnerable" - like can I have an example?
Thanks again guys.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Executing PHP that is stored in a MySQL record
Well of course nothing like having PHP in the db itself does not make you vulnerable yet.
WithHisStripes wrote:
I have another question...
I'm working on a pre-existing Drupal website. And the previous developer used PHP includes on certain pages. Because I've seen this done on so many other websites it makes me think that there is a safe way to do that, considering the page content is also stored in a database. Am I wrong? If so, why is this so widely used and what exactly does one mean when they say it makes it "vulnerable" - like can I have an example?
Thanks again guys.
There are many situations. A moderator inserting an article to your site -- uses PHP to hack into your system. An SQL injection hole allows an attacker to gain access to the whole filesystem -- not just into the database!
You really should not be doing this with your level of knowledge. Yet you have no reasons to do so since you can have the PHP code in a file. You may also write a template system, a template parser, plugin system, which all makes everything possible without having PHP code in the db and later executed.
Re: Executing PHP that is stored in a MySQL record
Having your code in the database is not only insecure (an attacker who gains access to the database can now also affect the entire system) but it is also highly unmaintainable. You can no longer access code directly, but must go through some kind of interface (to the database), IDEs and text editors don't support this directly, you can't version your source code with standard versioning schemes (such as SVN) and performance is highly degraded (static file access versus database access and eval()). You can no longer use op-code caches such as APC, and you have to keep track of your internal logic for distributing code in the database (which will also make it very hard for other developers to maintain your work).
In short - there is no good reason to do this, but plenty of reasons against.
WithHisStripes
- Forum Contributor
- Posts: 131
- Joined: Tue Sep 13, 2005 7:48 pm
Re: Executing PHP that is stored in a MySQL record
I'm sorry, I think you're under the impression I'm talking about storing my module code within the database, earlier in my thread I was, but now I'm just talking about using an include.
Re: Executing PHP that is stored in a MySQL record
If you're talking about include vulnerabilities, the main problem is using user input in the include. If not carefully filtered, a malicious user can cause your script to include sensitive files (password files, settings files etc.) thereby endangering the system.
WithHisStripes
- Forum Contributor
- Posts: 131
- Joined: Tue Sep 13, 2005 7:48 pm
Re: Executing PHP that is stored in a MySQL record
Ahhh, okay now that makes sense.
So that's when you use like... oh what are they called... stripslashes? So it checks the code for injected SQL or PHP?
But other than that, (generally speaking of course) it's okay to use an include in a SQL record that's used by the client?
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Executing PHP that is stored in a MySQL record
You seem to be a bit out of the world. I really just suggest you not store PHP in the database at all, and include files defined by yourself - not defined by your users unless you really can filter out all potential LFI and RFI attacks.
WithHisStripes wrote:
Ahhh, okay now that makes sense.
So that's when you use like... oh what are they called... striplashes? So it checks the code for injected SQL or PHP?
But other than that, (generally speaking of course) it's okay to use an include in a SQL record that's used by the client?
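The include problem described in the two replies above, as an added example that is not code from this thread: the vulnerable pattern (include target taken straight from the request) next to a hardened version in which the database record holds only a short template name that is checked against an allowlist and resolved under a fixed directory. The templates/ directory, the allowlist entries and the function names are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Assumed layout: page templates live
// in ./templates/<name>.php and the page record stores only <name>.
declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';

// Allowlist: the only template names that may ever be included (assumed set).
const ALLOWED_TEMPLATES = ['article', 'contact', 'gallery'];

/**
 * Vulnerable pattern the replies warn about: the include target is a string
 * that the request (or a writable database field) controls, so a traversal
 * path or a remote URL ends up in include() (LFI/RFI).
 */
function renderUnsafe(string $page): void
{
    include $page;   // attacker-controlled include target
}

/**
 * Hardened pattern: the name must be in the allowlist, the resolved path
 * must sit inside TEMPLATE_DIR, and nothing else is ever included.
 * Returns the resolved file path, or null when the name is rejected.
 */
function resolveTemplate(string $name): ?string
{
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;                              // not a known template
    }
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    $base = realpath(TEMPLATE_DIR);
    // realpath() is false for a missing file; the prefix check also rejects
    // a symlink that points outside the template directory.
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/** Renders the template named in a page record; rejects anything unknown. */
function renderPage(string $templateNameFromDb): void
{
    $file = resolveTemplate($templateNameFromDb);
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $file;   // only an allowlisted file under templates/
}
```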
WithHisStripes
- Forum Contributor
- Posts: 131
- Joined: Tue Sep 13, 2005 7:48 pm
Re: Executing PHP that is stored in a MySQL record
Well I've had to ask the same question many times to just get a simple, direct, specific answer. Which is really frustrating, but I do appreciate your guys' help despite that.
All I've wanted to know is exactly, specifically, how do I tell PHP to process a MySQL record that has a PHP include? I don't know how else I can say it to get a straight answer.
I don't want to be rude, because you guys are volunteering your help and I really appreciate it, but it's super frustrating that I can't just get a direct answer, like with an example or a link to a tutorial. Drupal allows for PHP includes in their story/page content and so does Joomla, I'm just looking to replicate that.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Executing PHP that is stored in a MySQL record
WithHisStripes wrote:Well I've had to ask the same question many times to just get a simple, direct, specific answer. Which is really frustrating, but I do appreciate your guys' help despite that.
All I've wanted to know is exactly, specifically, how do I tell PHP to process a MySQL record that has a PHP include? I don't know how else I can say it to get a straight answer.
I don't want to be rude, because you guys are volunteering your help and I really appreciate it, but it's super frustrating that I can't just get a direct answer, like with an example or a link to a tutorial. Drupal allows for PHP includes in their story/page content and so does Joomla, I'm just looking to replicate that.
<?php
// Assumes a connection already opened with mysql_connect() and
// mysql_select_db(); uses the legacy mysql extension (PHP 5).
$result = mysql_query("SELECT phpcode FROM codedatabase WHERE filename='mymodulecode.php';");
$arr = mysql_fetch_row($result);
// eval() runs whatever the record contains, with the web server's privileges.
eval($arr[0]);
?>