Security! XSS issues when using XML
greyhoundcode
Forum Regular
Posts: 613
Joined: Mon Feb 11, 2008 4:22 am

Security! XSS issues when using XML

Post by greyhoundcode »

If, rather than holding data in a MySQL database, I maintain it within XML files, am I improving security, degrading security, or does it make no difference?

My initial assumption was that I would be eliminating the need to worry about SQL injections. However, I have a niggling feeling that I am missing something obvious ...

Does anyone have any security tips specific to using XML with PHP?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Security! XSS issues when using XML

Post by Christopher »

There are some simple steps you can take to greatly reduce the threat of SQL injection. I would recommend doing that whatever data source you use. Is your site frequently hacked, or does it contain ultra-sensitive information?
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: Security! XSS issues when using XML

Post by Jonah Bron »

Anything to throw into the search box?
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: Security! XSS issues when using XML

Post by Jonah Bron »

XML, that is. :wink:
greyhoundcode
Forum Regular
Posts: 613
Joined: Mon Feb 11, 2008 4:22 am

Re: Security! XSS issues when using XML

Post by greyhoundcode »

Here's what I'm getting at:

Rather than have a SQL-based database of registered users, amongst other things, I would like to store it as XML; that's a personal preference rather than a practical necessity. In itself this is not difficult, but of course when the file (let's call it myusers.xml) is uploaded to the server, it means that anyone can access the contents of the file simply by typing http://www.mydomain.co.uk/myusers.xml.

Since they would then see the contents of the file, including usernames and passwords, this isn't much use. Surfing around a bit, looking at the W3C site and others, I see that there is a proposal for some form of access control for XML - an <access-control> tag and a specification for a new security language defining permissions - but these (so far as I can tell) seem not to have progressed past the proposal stage.

... to cut a long story short, I suppose my question boils down to this - is there a way to change settings (on the server) so that a given file type, i.e. .xml, can only be accessed by scripts from that domain, rather than being seen by any old browser?
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: Security! XSS issues when using XML

Post by Jonah Bron »

Or better yet, only a script on that server with a specified pass, in case someone hacks, or does this.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Security! XSS issues when using XML

Post by Benjamin »

Just put it above the document root. If you can't do that, you can put it in a folder and use .htaccess to forbid access to the folder via HTTP requests.
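The .htaccess fallback Benjamin mentions, written out as an added example (this is not configuration from the thread; the paths and folder name are assumed). It assumes the site is served from /var/www/html and the XML files have been moved into /var/www/html/data/:

```apache
# /var/www/html/data/.htaccess  (added example; hypothetical path)
#
# This file is only honoured if the main server config grants
# "AllowOverride All" (or at least "AllowOverride Limit") for this directory.
# With "AllowOverride None" it is silently ignored and the XML is still served,
# so test it (see below) rather than trusting the upload.

# Apache 2.4 and later: refuse every HTTP request for anything in this folder.
Require all denied

# Apache 2.2 equivalent (use one syntax or the other, not both):
# Order deny,allow
# Deny from all

# Alternative that matches the "by file type" question in the thread: block
# only *.xml, placed in the top-level .htaccess or the virtual host config.
# <FilesMatch "\.xml$">
#     Require all denied
# </FilesMatch>
```

These rules only affect requests that come through Apache. PHP reads the file from disk with file_get_contents() or simplexml_load_file(), which never touches the web server, so scripts keep working. To confirm the rule is live, request the file from outside: `curl -I http://www.mydomain.co.uk/data/myusers.xml` should return 403 Forbidden, not 200. If your hosting only lets you upload into the web root, there is no "above the document root" to use, and this fallback is the only option.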
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Re: Security! XSS issues when using XML

Post by Ambush Commander »

greyhoundcode: You should seriously reconsider using databases for large amounts of small data. Databases are built for that sort of thing: they implement indexes and other tricks to make sure you don't have to traverse half the XML file to get to the info you want.

That being said, treat your XML file as if it were /etc/.passwd; keep it out of the web-root, etc.

W3C access control specs have more to do with cross-domain XML sharing and not your local security.
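Putting the thread's advice together in PHP, as an added example that is not code from any of the posters. It assumes the site is served from /var/www/html, this script lives there, and myusers.xml sits one level up in /var/www/private/ where Apache cannot serve it; the file name, element names and the sample record are all hypothetical. It also goes one step further than the thread by storing password hashes rather than passwords, so that even an exposed file leaks nothing usable:

```php
<?php
// Added example for this thread, not code from any poster. Assumed layout:
// the site is served from /var/www/html and this script lives there, while
// the users file sits one level up, out of reach of the web server:
// /var/www/private/myusers.xml. File name and element names are hypothetical.
declare(strict_types=1);

const USERS_FILE = __DIR__ . '/../private/myusers.xml';

// Constructed sample of what myusers.xml holds. Only password_hash() output
// is stored, so even if the file were ever exposed it would not leak passwords.
//
// <users>
//   <user name="alice" hash="$2y$10$7EqJtq98hPqEX7fNZaFWoOa..."/>
// </users>

function assertOutsideDocRoot(string $path): void
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("users file not found: $path");
    }
    $docRoot = $_SERVER['DOCUMENT_ROOT'] ?? '';
    if ($docRoot === '') {
        return; // CLI run: no document root to compare against
    }
    $docReal = realpath($docRoot);
    if ($docReal !== false
        && str_starts_with($real, rtrim($docReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('users file is inside the document root; move it above it');
    }
}

function loadUsers(string $path): array
{
    assertOutsideDocRoot($path);
    // LIBXML_NONET stops libxml fetching anything over the network while
    // parsing (external DTDs/entities). The file is ours, but it costs nothing.
    $xml = simplexml_load_string((string) file_get_contents($path), 'SimpleXMLElement', LIBXML_NONET);
    if ($xml === false) {
        throw new RuntimeException('malformed users file');
    }
    $users = [];
    foreach ($xml->user as $u) {
        $users[(string) $u['name']] = (string) $u['hash'];
    }
    return $users;
}

function checkLogin(array $users, string $name, string $password): bool
{
    // Always run password_verify(), against a dummy hash for unknown names, so
    // the response time does not reveal which usernames exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $known = isset($users[$name]);
    $ok = password_verify($password, $known ? $users[$name] : $dummyHash);
    return $known && $ok;
}

// Usage in a login handler. The username is escaped on output so a value
// stored in the XML can never inject markup into the page.
$users = loadUsers(USERS_FILE);
$name  = (string) ($_POST['name'] ?? '');
$pass  = (string) ($_POST['password'] ?? '');
if (checkLogin($users, $name, $pass)) {
    echo 'Welcome, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
} else {
    echo 'Login failed';
}
```

The realpath() check is there because "above the document root" is easy to get wrong on shared hosting where the upload directory and the web root are the same folder; failing loudly is better than quietly serving the file. Ambush Commander's point about indexes still stands: once the user list is large, every login parses the whole file, which a database avoids.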