Home arrow PHP arrow Database and Password Security for Web Applications

Database and Password Security for Web Applications

In this article we will discuss security for databases accessed through the Internet. We will also examine the issue of password management, since handling that task properly will help us make our web site and its applications more secure. This is the seventh part of an eight-part series that shows you how to build security into an application for an Internet cafe.

TABLE OF CONTENTS:
  1. Database and Password Security for Web Applications
  2. The Password Management Script
  3. The Code
  4. Code continued
By: David Web
Rating: starstarstarstarstar / 4
November 03, 2008

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement

Database Security

Because of the popularity of PHP and its ability to work with a wide variety of databases, security in retrieving and posting data has become a serious issue. Below is a list of some of the databases that PHP supports:

  • DB2
  • ODBC
  • SQLite
  • InterBase
  • Oracle
  • Sybase
  • MySQL
  • PostgreSQL
  • DBM


As with any remote data store, databases carry their own security risk. First, putting data into, or retrieving data from, a remote database exposes your data to the Internet or whatever medium you are using. Second, you will need to use connection credentials to access that remote database, which can also be intercepted.

Therefore, all input must be filtered, and all output must be escaped. When dealing with a database, this means that all data coming from the database must be filtered, and all data going to the database must be escaped. For example, if you only filter data when you put it into the database and do not escape it when retrieving it, then you might get data that contain slashes and other undesirable characters in your text. For example, if filtered, the text below

“I’ve been working all night.”

will be stored in the database in the following format:

“I/’ve been working all night.”

This is because an apostrophe usually causes an error when used in an insert query. When retrieving this text from the database, you will use something like the stripslashes() function to remove the slashes from the text, so you’ll get this:

“I’ve been working all night.”

This is not a security risk; I'm just using this example to show the importance of escaping and filtering data. To properly escape data for insertion into MySQL databases, use the new mysql_real_escape_string(). This function is used to escape special characters in a string for use in a SQL statement. Below is an example of how to use this function:

<?php

// Connect

$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')

OR die(mysql_error());

//clean using mysql cleaner

$cleanuname=mysql_real_escape_string($n);

$cleanupass=mysql_real_escape_string($p);

?>

It is common practice with most developers (including myself) not to filter data that comes from the database. Though the security risk that we take is small, it is still better to take the “better safe than sorry” attitude in these cases. What we are saying by implication is that we should trust the security of the remote database, and as I’ve bitterly discovered recently, we should not take risks like that with sensitive information from clients. It is better to use even redundant safeguards, because as happened to me, if malicious data is somehow injected into the database, that redundant filtering can catch it, and save the day.



 
 
>>> More PHP Articles          >>> More By David Web
 

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort
   

PHP ARTICLES

- Hackers Compromise PHP Sites to Launch Attac...
- Red Hat, Zend Form OpenShift PaaS Alliance
- PHP IDE News
- BCD, Zend Extend PHP Partnership
- PHP FAQ Highlight
- PHP Creator Didn't Set Out to Create a Langu...
- PHP Trends Revealed in Zend Study
- PHP: Best Methods for Running Scheduled Jobs
- PHP Array Functions: array_change_key_case
- PHP array_combine Function
- PHP array_chunk Function
- PHP Closures as View Helpers: Lazy-Loading F...
- Using PHP Closures as View Helpers
- PHP File and Operating System Program Execut...
- PHP: Effects of Wrapping Code in Class Const...

Developer Shed Affiliates

 


Dev Shed Tutorial Topics: