Security! XSS issues when using XML
Posted: Tue Feb 12, 2008 3:16 pm
by greyhoundcode
If, rather than holding data in a MySQL database, I maintain it within XML files, am I improving security, degrading security or does it make no difference?
My initial assumption was that I would be eliminating the need to worry about SQL injections. However, I have a niggling feeling that I am missing something obvious ...
Does anyone have any security tips specific to using XML with PHP?
Re: Security! XSS issues when using XML
Posted: Tue Feb 12, 2008 3:56 pm
by Christopher
There are some simple steps you can take to greatly reduce the threat of SQL injection. I would recommend doing that whatever data source you use. Is your site frequently hacked, or does it contain ultra sensitive information?
Re: Security! XSS issues when using XML
Posted: Tue Feb 12, 2008 4:00 pm
by Jonah Bron
Anything to throw into the search box?
Re: Security! XSS issues when using XML
Posted: Tue Feb 12, 2008 5:02 pm
by Jonah Bron
XML, that is.

Re: Security! XSS issues when using XML
Posted: Wed Feb 13, 2008 12:02 pm
by greyhoundcode
Here's what I'm getting at:
Rather than have a SQL-based database of registered users, amongst other things, I would like to store it as XML; that's a personal preference rather than a practical necessity. In itself this is not difficult, but of course when the file (let's call it myusers.xml) is uploaded to the server it means that anyone can access the contents of the file, simply by typing
http://www.mydomain.co.uk/myusers.xml.
Since they would then see the contents of the file, including usernames and passwords, this isn't much use. Surfing around a bit, looking at the W3C site and others, I see that there is a proposal for some form of access control for XML - an <access-control> tag and a specification for a new security language defining permissions - but these (so far as I can tell) seem not to have progressed past the proposal stage.
... to cut a long story short, I suppose my question boils down to this - is there a way to change settings (on the server) so that a given file type, i.e. .xml, can only be accessed by scripts from that domain, rather than being seen by any old browser?
Re: Security! XSS issues when using XML
Posted: Wed Feb 13, 2008 1:39 pm
by Jonah Bron
Or better yet, only a script on that server with a specified pass, in case someone hacks, or does this.
Re: Security! XSS issues when using XML
Posted: Wed Feb 13, 2008 2:47 pm
by Benjamin
Just put it above the document root. If you can't do that, you can put it in a folder and use .htaccess to forbid access to the folder via HTTP requests.
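The .htaccess fallback described above, written out as an added example (not code from anyone in this thread); it assumes myusers.xml sits in a folder named data/ under the document root and that Apache's AllowOverride permits Limit directives there.

```apache
# Added example (not from the thread): an .htaccess placed in the folder that
# holds myusers.xml, e.g. /var/www/html/data/ (the folder name is an assumption).
# Apache must have AllowOverride Limit (or All) enabled for this directory,
# otherwise the rules below are silently ignored and the file stays readable.

# Apache 2.2 syntax: refuse every HTTP request for anything in this folder.
# PHP on the same server still reads the file through the filesystem, e.g.
# simplexml_load_file(dirname(__FILE__) . '/data/myusers.xml'), because a
# local file path never passes through the web server's access rules.
Order deny,allow
Deny from all

# Apache 2.4 replaces the two lines above with a single directive:
# Require all denied

# Alternative, if the XML must live beside files that are meant to be served:
# block only the .xml files in this directory (and its subdirectories).
# <FilesMatch "\.xml$">
#     Order deny,allow
#     Deny from all
# </FilesMatch>
```

After uploading, request http://www.mydomain.co.uk/data/myusers.xml in a browser: a 403 Forbidden response confirms the rules are active, while seeing the file contents means AllowOverride is off or the .htaccess is in the wrong folder.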
Re: Security! XSS issues when using XML
Posted: Thu Feb 14, 2008 8:34 pm
by Ambush Commander
greyhoundcode: You should seriously reconsider using databases for large amounts of small data. Databases are built for that sort of thing: they implement indexes and other tricks to make sure you don't have to traverse half the XML file to get to the info you want.
That being said, treat your XML file as if it were /etc/.passwd; keep it out of the web-root, etc.
W3C access control specs have more to do with cross-domain XML sharing and not your local security.