Re: Database security - PHP code

From: Michael Fesser (netizen_at_gmx.net)
Date: 10/14/04

Date: Thu, 14 Oct 2004 19:44:11 +0200
 .oO(Dariusz)

>I have been reading a little that you should secure your PHP code to
>prevent SQL injection into a database (MySQL in my instance), mainly by
>checking the type of data to be put into a database, and if text, to
>addslashes() the data.
>
>What I have not managed to find out, is does SQL injection threaten the
>input of data into a database

Yep.

>, ie a guestbook, or the reading of a database
>where the user would not know if the data is being read from a database?

Not directly, but the problem is more complex.

An example: It could be possible for an attacker to insert SQL code into
the database. The application escapes all quotes, so it does no harm on
input. But even if the code made it "defused" into the database, that
doesn't mean the problem is solved. The injected code could still start its
malicious work when the application fetches the data from the db and
uses it again in another query. Usually no one escapes data obtained
from the db, because it's considered "safe" ...

>Is there anything else to consider to make a database more secure?

Even if the data is already in the system, it should _not_ be used
directly in other queries without validating/escaping it again.

And some SQL servers are vulnerable to a lot more and different variants
of SQL injection (Google for "advanced SQL injection").

>In particular, I have read here a few months back that it's a good idea to
>keep the username / password of the connection outside the root of the
>website. How would I access the password file then? What I mean is, if I
>want a certain file in my site I could access it by writing:
>
>www.mysite.com/password.php

Why would you want a password to be accessible via HTTP?

>But as it would now be outside the root, how would I be able to get to the
>password.php file?

PHP is able to access files directly through the filesystem.

Micha
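The stored-then-reused pattern Micha describes (data escaped on input, then pasted unescaped into a later query), as an added example that is not part of the original post. It is PHP using PDO against an in-memory SQLite database so it runs stand-alone; the assumption is that the pdo_sqlite extension is available, and the same two functions apply unchanged to MySQL. The vulnerable second query sits beside the parameterised fix.

```php
<?php
// Added example (not from the original post): "second-order" SQL injection.
// Assumes PDO with the sqlite driver; the pattern is identical for MySQL.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Step 1: input is parameterised (or escaped) on the way in, so a name
// containing a quote is stored intact and does no harm here.
$name = "o'brien";                                  // constructed sample input
$ins = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$ins->execute([':name' => $name]);

// Step 2 (vulnerable): the stored name is fetched, treated as "safe", and
// concatenated into a second query. The quote that was harmless on input
// now changes the SQL text. With this sample it merely breaks the statement;
// a value crafted by an attacker would change what the query does.
function countPostsUnsafe(PDO $db, string $author): string {
    try {
        $db->query("SELECT COUNT(*) FROM posts WHERE author = '$author'");
        return 'query ran';
    } catch (PDOException $e) {
        return 'syntax error: data read from the db altered the query';
    }
}

// Step 2 (fixed): bind the fetched value as a parameter, exactly as you
// would for fresh user input. Data coming out of the db is just data again.
function countPostsSafe(PDO $db, string $author): int {
    $st = $db->prepare('SELECT COUNT(*) FROM posts WHERE author = :author');
    $st->execute([':author' => $author]);
    return (int) $st->fetchColumn();
}

$stored = $db->query('SELECT name FROM users WHERE id = 1')->fetchColumn();
echo countPostsUnsafe($db, $stored), "\n";   // syntax error: data read from the db altered the query
echo countPostsSafe($db, $stored), "\n";     // 0
```

The unsafe variant fails loudly only because the sample value happens to produce invalid SQL; the safe variant would behave the same for any stored value, which is the property to rely on.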


