If, rather than holding data in a MySQL database, I maintain it within XML files, am I improving security, degrading security or does it make no difference?
My initial assumption was that I would be eliminating the need to worry about SQL injections. However, I have a niggling feeling that I am missing something obvious ...
Does anyone have any security tips specific to using XML with PHP?
Security! XSS issues when using XML
- greyhoundcode
- Forum Regular
- Posts: 613
- Joined: Mon Feb 11, 2008 4:22 am
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: Security! XSS issues when using XML
There are some simple steps you can take to greatly reduce the threat of SQL injection. I would recommend doing that whatever data source you use. Is your site frequently hacked, or does it contain ultra sensitive information?
- Jonah Bron
- DevNet Master
- Posts: 2764
- Joined: Thu Mar 15, 2007 6:28 pm
- Location: Redding, California
Re: Security! XSS issues when using XML
Anything to throw into the search box?
- Jonah Bron
- DevNet Master
- Posts: 2764
- Joined: Thu Mar 15, 2007 6:28 pm
- Location: Redding, California
Re: Security! XSS issues when using XML
XML, that is. 
- greyhoundcode
- Forum Regular
- Posts: 613
- Joined: Mon Feb 11, 2008 4:22 am
Re: Security! XSS issues when using XML
Here's what I'm getting at:
Rather than have a SQL-based database of registered users, amongst other things, I would like to store it as XML; that's a personal preference rather than a practical necessity. In itself this is not difficult, but of course when the file (let's call it myusers.xml) is uploaded to the server it means that anyone can access the contents of the file, simply by typing http://www.mydomain.co.uk/myusers.xml.
Since they would then see the contents of the file, including usernames and passwords, this isn't much use. Surfing around a bit, looking at the W3C site and others, I see that there is a proposal for some form of access control for XML - an <access-control> tag and a specification for a new security language defining permissions - but these (so far as I can tell) seem not to have progressed past the proposal stage.
... to cut a long story short, I suppose my question boils down to this - is there a way to change settings (on the server) so that a given file type, i.e. .xml, can only be accessed by scripts from that domain, rather than being seen by any old browser?
- Jonah Bron
- DevNet Master
- Posts: 2764
- Joined: Thu Mar 15, 2007 6:28 pm
- Location: Redding, California
Re: Security! XSS issues when using XML
Or better yet, only a script on that server with a specified pass, in case someone hacks, or does this.
Re: Security! XSS issues when using XML
Just put it above the document root. If you can't do that, you can put it in a folder and use .htaccess to forbid access to the folder via http requests.
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
Re: Security! XSS issues when using XML
greyhoundcode: You should seriously reconsider using databases for large amounts of small data. Databases are built for that sort of thing: they implement indexes and other tricks to make sure you don't have to traverse half the XML file to get to the info you want.
That being said, treat your XML file as if it were /etc/.passwd; keep it out of the web-root, etc.
W3C access control specs have more to do with cross-domain XML sharing and not your local security.
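The advice in this thread (keep the XML file above the document root so the web server can never serve it, and let only your own script read it) can be turned into a small PHP module. The code below is an added example, not something posted by anyone in the thread. It assumes a layout where `public/` is the document root and `private/myusers.xml` sits beside it, and it assumes a file format of `<users><user><name>alice</name><hash>...</hash></user></users>` where `hash` is a `password_hash()` value rather than a plaintext password (so that an accidental exposure of the file does not hand out working credentials). The `assertOutsideDocumentRoot()` check exists to catch the case the original poster worried about: the file being copied somewhere a browser could fetch it.

```php
<?php
// Added example (not from the thread). Keep myusers.xml outside the
// document root and let only this script read it. Paths, file layout
// and the password-hash convention are assumptions for the example.

declare(strict_types=1);

// Assumed layout:  /var/www/example/public/             <- document root
//                  /var/www/example/private/myusers.xml <- never served by Apache
const DATA_FILE = __DIR__ . '/../private/myusers.xml';

/**
 * Refuse to run if the data file has ended up inside the document root,
 * where any browser could download it by URL.
 */
function assertOutsideDocumentRoot(string $file): void
{
    $real = realpath($file);
    if ($real === false) {
        throw new RuntimeException('Data file not found: ' . $file);
    }
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docRoot !== false && strpos($real, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('Data file is inside the document root and would be downloadable');
    }
}

/**
 * Parse the user file. LIBXML_NONET stops the parser fetching anything
 * over the network; LIBXML_NOENT is deliberately not set, so external
 * entities in the file are not expanded.
 */
function loadUsers(string $file): SimpleXMLElement
{
    assertOutsideDocumentRoot($file);
    $xml = simplexml_load_file($file, 'SimpleXMLElement', LIBXML_NONET);
    if ($xml === false) {
        throw new RuntimeException('Could not parse ' . $file);
    }
    return $xml;
}

/**
 * Look a user up by name and verify the submitted password against the
 * stored password_hash() value. Returns false for unknown users too, so
 * the caller cannot tell "no such user" from "wrong password".
 */
function checkLogin(SimpleXMLElement $users, string $username, string $password): bool
{
    foreach ($users->user as $user) {
        if ((string) $user->name === $username) {
            return password_verify($password, (string) $user->hash);
        }
    }
    return false;
}

// Usage (assumed credentials; the hash would have been produced once with
// password_hash('secret', PASSWORD_DEFAULT) when the account was created):
$users = loadUsers(DATA_FILE);
var_dump(checkLogin($users, 'alice', 'secret'));
```

If the hosting account does not allow files above the document root, the other suggestion in the thread applies: put the file in its own folder with a `.htaccess` containing `Require all denied` (Apache 2.4) or `Deny from all` (Apache 2.2), so HTTP requests for it are refused while the script, which reads from the filesystem rather than over HTTP, is unaffected. Note also Ambush Commander's point: `checkLogin()` walks the whole file on every call, which is the cost of not having a database index.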