  1. #1
    SitePoint Addict, Manchester, UK (joined Mar 2011, 227 posts)

    PHP & MySQL - Protection From Attacks?

    Hi Guys,

    I'm in the middle of creating a PHP system and I have already protected the system from MySQL injection. Is there anything else I can do to help protect it, and if so, are there any examples?

    Thanks guys!

  2. #2
    SitePoint Addict (joined Apr 2011, 265 posts)
    Hi,
    I use:
    PHP Code:

    // strip HTML tags from every submitted field, then surrounding whitespace
    $_POST = array_map("strip_tags", $_POST);
    $_POST = array_map("trim", $_POST);

    Then mysql_real_escape_string()

  3. #3
    Cups, SitePoint Wizard, France, deep rural (joined Oct 2006, 6,869 posts)
    The principles are encapsulated in the term FIEO (Filter input, escape output).

    Filter input: check what is being sent to you against what you expect it to be.

    e.g. imagine this contrived input, a GET request from a form the user filled in.

    ?edit=yes&id=12
    PHP Code:
    // leaving aside the isset() checks for brevity
    // 'edit' must be one of the white-listed strings, and 'id' must cast to a non-zero integer
    if ( !in_array($_GET['edit'], array('yes', 'no')) || (int)$_GET['id'] === 0 ){
        // fail, abort, logout or send away
    }

    // get on with processing
    In pseudo code
    Code:
    if $edit is not found in the white-list 'yes' or 'no' 
      OR 
        when I typecast id into an integer, and that returns zero
    
    Then this simple filter has detected failure.  Stop processing, send away.
    The incoming data did not fit your expectations as you filtered it.

    Another popular filter would be something which checks that an email address follows the exact pattern of characters that an email must fit within.

    It does not mean the email address exists, of course.

    NB: you may well have already done these checks in JavaScript, but that is a usability issue, not a security check - you always have to re-check when the stuff arrives on your server.

    Yes, even hidden fields in your form.

    Escape output in simple terms means protect the next environment you are sending this variable to so that it does not damage it.

    The steps you took to protect yourself from sql-injection are an example of just this (hopefully).

    Protecting users from XSS attacks is an example of escaping for the next environment, where the next environment is a webpage.
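The FIEO pattern from the post above, carried through end to end as an added example (this is not code from the thread or from any poster). It filters the thread's contrived ?edit=yes&id=12 request against a white-list, validates an email address syntactically, and then escapes for two different "next environments": HTML output via htmlspecialchars and SQL via a prepared statement. The $_GET/$_POST data, the users table and the user names are all constructed inline so the script runs from the CLI; it assumes the pdo_sqlite extension is loaded.

```php
<?php
// Added example (not from the thread): FIEO in practice on ?edit=yes&id=12.
// Inputs are constructed arrays standing in for $_GET so the script runs
// from the CLI without a web server.

declare(strict_types=1);

// --- Filter input -------------------------------------------------------
// Returns the validated values, or null when anything fails the white-list.
function filterEditRequest(array $get): ?array
{
    // Missing keys fail just like wrong values (hidden fields included).
    if (!isset($get['edit'], $get['id'])) {
        return null;
    }
    // White-list: exact string match; strict so "0" never equals 'no'.
    if (!in_array($get['edit'], ['yes', 'no'], true)) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects "12abc" and "12 OR 1=1" outright, which a
    // bare (int) cast would silently accept as 12; min_range rejects 0.
    $id = filter_var($get['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    return ['edit' => $get['edit'] === 'yes', 'id' => $id];
}

// Syntax check only: says nothing about whether the mailbox exists.
function filterEmail(string $raw): ?string
{
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// --- Escape output ------------------------------------------------------
// Next environment: an HTML page. Encode for that context, at output time.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Next environment: SQL. A prepared statement keeps the data out of the
// query text entirely, so no per-charset escaping function is needed.
function findUserName(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// --- Demo on constructed data --------------------------------------------
$db = new PDO('sqlite::memory:'); // assumes the pdo_sqlite extension is loaded
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->prepare('INSERT INTO users (id, name) VALUES (?, ?)')
   ->execute([12, "<script>alert(1)</script> O'Brien"]); // hostile stored value

$requests = [
    ['edit' => 'yes', 'id' => '12'],        // the thread's example: accepted
    ['edit' => 'maybe', 'id' => '12'],      // not in the white-list
    ['edit' => 'no', 'id' => '0'],          // casts to zero: rejected
    ['edit' => 'no', 'id' => '12 OR 1=1'],  // not an integer: rejected
    ['edit' => 'yes'],                      // missing id: rejected
];

foreach ($requests as $get) {
    $clean = filterEditRequest($get);
    if ($clean === null) {
        echo 'reject: ' . http_build_query($get) . "\n";
        continue;
    }
    $name = findUserName($db, $clean['id']) ?? '(no such user)';
    // Stored data is untrusted too: escape it for the page, not on the way in.
    echo 'accept: id=' . $clean['id'] . ' name=' . escapeHtml($name) . "\n";
}

foreach (['bob@example.com', 'not an address', ' bob@example.com '] as $raw) {
    echo 'email ' . var_export($raw, true) . ' -> ' . (filterEmail($raw) ?? 'invalid') . "\n";
}
```

Two points the thread's snippet leaves implicit: the white-list uses in_array's strict mode so loose comparison cannot let an unexpected type through, and escaping happens when the value is written to its destination rather than when it arrives, because the same value may later go to HTML, SQL and a log file, each of which needs a different encoding.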

