Security of MYSQL database and PHP


Ann_G

8:12 pm on Mar 7, 2006 (gmt 0)

10+ Year Member

How secure is a MYSQL database?

I have a MYSQL database that people can enter information into through a form (PHP script).
Only I have access to the MYSQL database, but the form will be available to the public. My database connection script is in a separate folder from the php and html files.

I'd just like to get an idea of whether a MYSQL db is very secure, medium, or less secure. How does it compare to other databases in this respect?

whoisgregg

12:35 am on Mar 8, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Secure enough that the security of the database program itself will probably never be your concern.

The code that you or your programmer(s) write to connect the two is where most security vulnerabilities emerge.

Another likely culprit is poor access information control (passing around mysql/ssh/ftp usernames and passwords), or, if you are on shared hosting, a compromise of the server itself could lead to a breach (because the aggressor would likely be able to find the username and password to connect to your database).

Regardless of what database you use, it's easy to make it very insecure through simple programming errors.

Ann_G

8:09 pm on Mar 8, 2006 (gmt 0)

10+ Year Member

Thanks!

That clarifies it, and I realize I'd better check my code, although I know to use superglobals, isset(), etc.

jamie

8:37 pm on Mar 8, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

Hi Ann,

A good way to secure MySQL is to be frugal with permissions. If your form is only allowed to enter data into the db, then create a user who only has insert permissions and make sure the form connects to the db using that user. That way, even if they get the password, they cannot delete or modify data.

carguy84

5:46 am on Mar 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

type this into your form and submit it and see what happens:

hi' or 1=1--

Ann_G

5:32 pm on Mar 9, 2006 (gmt 0)

10+ Year Member

I typed hi' or 1=1-- into my form and had no problem; that is, it registered exactly as I wrote it and I could retrieve it exactly as hi' or 1=1--

Does this mean my code passed the test?

Demaestro

6:24 pm on Mar 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

If you really want to make sure your DB is secure, make sure that any SQL methods that get run from web forms are not vulnerable to SQL insertion attacks. These are becoming more and more popular.

An example.

You have a search box on your website that queries the DB; an argument called searchable_text is taken in, which is the text someone types into the search box. That argument gets passed to the select query. Now say someone spoofs the form or submits a string value like this:

serachtext;'drop table member;

Now if you aren't quoting strings, the single quote and ; can terminate your select statement and start a new query. This is a rough example and more sophisticated attacks of this type exist, but it is something you need to watch for; make sure you double up the single quotes of any string you pass to SQL as an argument. There are other steps that can be taken, but I have been listening on 10 of my top sites for these types of attacks and they are almost as popular as the phpmyadmin and mambo attacks I get.

carguy84

7:52 am on Mar 10, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

I believe it's actually
serachtext';drop table member;

I mean, a friend told me about it, ya.
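The two fixes raised in this thread, jamie's insert-only account and Demaestro's point about user input being parsed as SQL, as an added PHP example that is not code from any poster: it shows why string interpolation lets the quoted value from carguy84's correction terminate the statement, and the prepared-statement form that keeps the value as data. Table `member`, column `searchable_text`, account `formuser` and the connection values are placeholders assumed for the example.

```php
<?php
// Added example, not from the thread. Assumes a MySQL table `member`
// with a column `searchable_text`; all names and credentials are placeholders.

// Least-privilege account for the form (jamie's advice). Run once as the
// admin user, not from the web script:
//   CREATE USER 'formuser'@'localhost' IDENTIFIED BY 'PLACEHOLDER_PASSWORD';
//   GRANT INSERT ON YOUR_DB.member TO 'formuser'@'localhost';
// A stolen formuser password then cannot DROP, DELETE or UPDATE anything.

// The value discussed above, in carguy84's corrected form.
$input = "serachtext';drop table member;";

// Before: the value is pasted into the SQL text. The quote closes the
// string literal and the ';' ends the statement, so the rest of the
// submitted value is handed to the parser as SQL rather than as data.
function vulnerableQuery(string $input): string {
    return "SELECT id, searchable_text FROM member WHERE searchable_text = '$input'";
}
// vulnerableQuery($input) yields:
//   SELECT id, searchable_text FROM member WHERE searchable_text = 'serachtext';drop table member;'

// After: a prepared statement. The SQL text is fixed when it is sent to
// the server; the value travels separately as a parameter and is never
// re-parsed, so quotes and semicolons inside it stay ordinary characters.
function searchMembers(PDO $pdo, string $input): array {
    $stmt = $pdo->prepare(
        'SELECT id, searchable_text FROM member WHERE searchable_text = :q'
    );
    $stmt->execute([':q' => $input]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The form's own write path, also parameterised; this is the only
// statement formuser needs the privilege to run.
function saveSubmission(PDO $pdo, string $text): void {
    $stmt = $pdo->prepare('INSERT INTO member (searchable_text) VALUES (:t)');
    $stmt->execute([':t' => $text]);
}

$pdo = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4',
    'formuser', 'PLACEHOLDER_PASSWORD', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares: with emulation on, PDO builds the SQL
        // string client-side, which is the path you are trying to avoid.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);

saveSubmission($pdo, $input);            // stored verbatim, as Ann_G observed
print_r(searchMembers($pdo, $input));    // finds that row; runs no second statement
```

Storing a hostile value verbatim (Ann_G's test) only shows the insert path was safe; the read path that later puts the stored value or a search term into a query is where a later check belongs.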