 
Last Login:
Warn:
 Rank: Member Member Points: 50 
Joined August 06, 2005
|
Web Programming Help
Posted on December 22, 2006 at 22:18
Recently, I've been working on a blog system for my website, <a href='http://www.64digits.com/octopus'>Octopus's Garden</a>. The system uses MySql for comments, users, and blogs, unlike the current site's system, which reads information from text files. I've read a little bit about the security issues of MySql, but I'm still not sure exactly how to fix them. Here are some of my questions:
<b>I.</b> How does one deal safely with the password used to connect to MySql. Is the following insecure within a PHP file? $db_host = 'host'; $db_user = 'username'; $db_password = 'password'; $db_name = 'database'; mysql_connect($db_host,$db_user,$db_password); -Would it be possible for a hacker to access the raw PHP source? If so, where would the password be stored. -Is it possible for the transfer between this PHP script and MySql to be intercepted? If so, is the password automatically encrypted, or should I encrypt it somehow? <b>II.</b> How does one screen user inputs so that they do not interfere with the MySql structure. Is there an equivalent of strip_tags() or must one use some sort of index system to replace possibly dangerous user data? [Answered, thanks to melee-master: http://us2.php.net/manual/en/function.mysql-real-escape-string.php] <b>III.</b>How does one deal with user passwords: -Are the passwords sent in an encrypted form when they are sent using < input type='password'>? -How does one encrypt user passwords to be placed in the MySql Database? I'd probably be able to figure this out, but if someone wants to tell me... <b>IV.</b> I'm using cookies to store a person's login status. How should this be made secure? By inserting an encrypted password and checking it on each page? If you have any other insight about Securing such a system, please give it. Thanks. -Mooselumph
+0
Dev - Er, any ideas how to make this work?
Related Posts Dev - Warning Dev - After editing rating, make rating display change Dev - When editing, update "edited" column Dev - Restore deleted comments Dev - Display deleted comments if mod (hidden, then with dropdown) Dev - After deletion or during edit, make rating dropdown appear again Dev - Stricter rating rules. Prevent user from rating again Dev - Pages Dev - Reporting
Thanks, melee.
Heh, no problem.
III: md5() on the password strings when first saving the password, then again when checking it.
@Melee-Master:
I found this warning: "Be sure that your application remains secure if a user enters something like “; DROP DATABASE mysql;”. This is an extreme example, but large security leaks and data loss might occur as a result of hackers using similar techniques, if you do not prepare for them." It doesn't look like mysql_real_escape_string() protects against that. Does it? @flashback: Wow, I thought it was more complicated than that. I guess it's probably horribly complicated above the interface level. Quote 4 - I genorated a random string (50 characters) and set that in a cookie. 3 - no, not encrypted in an input type use $_POST["pass"] or something like that That sounds like a good solution for IV. I'm using < form method='post' ...> < input type='password' ...>... < /form> Is that what you mean? 
Keeping your database details in PHP file is usually how they do it, it's safe aslong as you don't leave it open to attack.
Adding on to what Flashback said, MD5 is a hashing algorithm, they're used to make a 'fingerprint' of data. You cannot turn hashes back into the original passwords, so that's why they're used. You may also want to check out SHA-1 and SHA-256 as they are considerably stronger. Store login status using the sessions system built into PHP. Never store passwords in cookies. Quote flashback: Wow, I thought it was more complicated than that. I guess it's probably horribly complicated above the interface level. It is if you're like me and use a 7-layer, multi-algorithm system. Quote Adding on to what Flashback said, MD5 is a hashing algorithm, they're used to make a 'fingerprint' of data. You cannot turn hashes back into the original passwords, so that's why they're used. You may also want to check out SHA-1 and SHA-256 as they are considerably stronger. So, basically, during login, you compare hashes of passwords rather than actual passwords. Quote It is if you're like me and use a 7-layer, multi-algorithm system. Heh, I don't think I'm going to worry about making it that secure. 
I: no.
II: okay, answered. II: as long as the code is within that file. (dont use $_GET) IV: dont know. |
Recent Activity
|
64Digits attacked by new meteor shower DDoS attack. Over 1000 meteor attacks/sec
mysql_real_escape_string(string);