Adding security to PHP application
Started by ezcat, Dec 08 2008 10:11 AM
6 replies to this topic
#1
Posted 08 December 2008 - 10:11 AM
I have created some PHP queries into a MySQL DB. Right now I do not have any security to run the queries. The SQL DB names and passwords are in clear text in the PHP code. I do not have any "log in" to use it. Totally exposed. All you need is the URL.
Are there any recommendations on tools or lessons on what or how I can build some security into my PHP application?
Thanks,
Jon
#2
Posted 08 December 2008 - 10:14 AM
Your explanation of what is happening seems pretty vague: Are you allowing users to specify the queries that are run? If not, I don't see what the security issue is. As for logging in, simply create a login for a session that users must use before the queries are run.
Note: users cannot see your PHP code, just the generated HTML.
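A worked version of the "login for a session" that #2 suggests, added here and not part of the thread. It assumes PHP 7.4 or later with PDO; the users table, its password_hash column and the sample account are constructed for the demo (an in-memory SQLite table stands in for the MySQL one), and the function names are placeholders.

```php
<?php
// Added example, not code from the thread: a minimal session-based login gate
// for pages that run database queries. Assumes PHP 7.4+ and a users table
// whose password_hash column holds a password_hash() value; table, column and
// sample account are constructed for this demo.
declare(strict_types=1);

// Look up the stored hash for a user, or null if there is no such user.
function fetch_password_hash(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['password_hash'];
}

// Attempt a login; on success the session is marked as authenticated.
function login(PDO $db, string $username, string $password): bool
{
    $hash = fetch_password_hash($db, $username);
    if ($hash === null) {
        // Unknown user: still verify against a throwaway hash so the response
        // time does not reveal which usernames exist.
        static $dummy = null;
        $dummy = $dummy ?? password_hash('not-a-real-password', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $hash)) {
        return false;
    }
    // Fresh session ID on privilege change blocks session fixation.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    return true;
}

// Put this at the top of every page that runs a query: a visitor who only
// knows the URL, but has no authenticated session, is refused before any SQL runs.
function require_login(): void
{
    if (empty($_SESSION['user'])) {
        http_response_code(403);
        exit('Login required');
    }
}

session_start();

// Demo wiring (constructed): an in-memory SQLite users table with one account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (:u, :h)')
   ->execute([':u' => 'jon', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(login($db, 'jon', 'wrong password'));
var_dump(login($db, 'nobody', 'whatever'));
var_dump(login($db, 'jon', 'correct horse'));
require_login(); // the session is now authenticated, so this falls through
```

In a real deployment the three demo calls are replaced by the handler for the login form, and the PDO connection points at MySQL, with the host, user and password read from a file kept outside the web root rather than written into the page scripts, so that a server misconfiguration that serves .php files as plain text does not hand them out.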
#3
Posted 08 December 2008 - 12:41 PM
Thanks, I have the login covered. I guess I don't need to worry about what's in the PHP code because, as you say, "users cannot see PHP code".
Jon
#4
Guest_Jordan_*
Posted 09 December 2008 - 05:27 AM
If you are using input from the user to execute the SQL commands, such as this:

$query = "SELECT * FROM tblname WHERE username='{$_POST['name']}'";

You need to clean the tainted data or risk SQL injection. You can clean it using:
PHP: mysql_real_escape_string - Manual if you are using MySQL
OR
PHP: addslashes - Manual
#5
Guest_Jaan_*
Posted 09 December 2008 - 06:53 AM
Also, when you use the PHP: addslashes - Manual function, you should use the PHP: stripslashes - Manual function to show your text correctly :)
#6
Guest_Jordan_*
Posted 09 December 2008 - 07:24 AM
You could also use prepared statements, take a look at my latest tutorial: http://forum.codecal...statements.html
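The query from #4 run three ways: interpolated as posted, with the value escaped first, and as the prepared statement #6 recommends. This is an added example, not code from the thread or from Jordan's tutorial. It uses PDO with an in-memory SQLite table constructed for the demo so it runs without a MySQL server; PDO::quote() stands in for mysql_real_escape_string(), which needs a live MySQL connection and, with the rest of the mysql_* extension, was removed in PHP 7.0. The attacker value is constructed.

```php
<?php
// Added example, not code from the thread. In-memory SQLite table and rows
// are constructed for the demo; PDO::quote() plays the role of
// mysql_real_escape_string() (which needs a MySQL connection).
declare(strict_types=1);

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tblname (username TEXT, email TEXT)');
    $db->exec("INSERT INTO tblname VALUES ('alice', 'alice@example.com'),
                                          ('bob',   'bob@example.com')");
    return $db;
}

// 1. The query as posted in #4: the request value is pasted into the SQL text,
//    so a quote character in it ends the string literal and the rest is SQL.
function lookup_vulnerable(PDO $db, string $name): array
{
    $query = "SELECT * FROM tblname WHERE username='{$name}'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Escaping before interpolation: quotes inside the value are doubled so
//    they stay inside the literal. PDO::quote() also adds the outer quotes.
function lookup_escaped(PDO $db, string $name): array
{
    $query = 'SELECT * FROM tblname WHERE username=' . $db->quote($name);
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statement: the SQL text is fixed and the value travels
//    separately as a parameter, so there is nothing to escape.
function lookup_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT * FROM tblname WHERE username = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();
$payload = "' OR '1'='1"; // constructed attacker input for the name field

printf("vulnerable: %d rows\n", count(lookup_vulnerable($db, $payload)));
printf("escaped:    %d rows\n", count(lookup_escaped($db, $payload)));
printf("prepared:   %d rows\n", count(lookup_prepared($db, $payload)));
printf("prepared (alice): %d rows\n", count(lookup_prepared($db, 'alice')));
```

With that payload the interpolated query becomes `SELECT * FROM tblname WHERE username='' OR '1'='1'` and returns every row, while the escaped and prepared lookups return none; the legitimate name still matches through the prepared statement. Of the three, the prepared statement is the one to standardise on: it does not depend on the escaping function matching the connection's character set, and it reads the same for every query.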
#7
Posted 09 December 2008 - 01:20 PM
Thanks for the info on "tainted data". What I'm currently doing is loading the DB table into an array and searching the array using user input. The table is not very large. I will also look at the tutorial.
Thanks,
Jon