
Worried about security, some help? 2

Status
Not open for further replies.

beltmanjr

Technical User
Oct 29, 2007
333
NL
Hi all,
I'm working on the website for our charity and like more people on this forum I am very concerned about security regarding user information in the database and people abusing the site by inserting some weird coding in the URL or forms.

I know I should be checking the form input, probably do some encoding, adding slashes etc so any programming language in there would become useless, but what else can I do?

The site only has 2 public forms using the POST method and is largely based on wordpress.

I'm also very concerned about the manner in which a database connection is made. The only way I know of is by actually putting the username and password in the connection string in a php file, but that seems rather dangerous to me? I put the file in a separate dir with a CHMOD of 500. The user does have full access as it needs to read and write to the database....

All help on getting the security tip-top is highly appreciated.
 
Use mysql_real_escape_string for all entries in the $_POST array. That should stop a sql injection. As for the connection string, as long as your webserver is using PHP correctly, that will never be shown to the user. So it's fine to leave it in the code.

I assume that MySQL is local to the webserver (on the same machine). If that is the case, don't allow remote connections to the database. Then it doesn't matter if that user/password are compromised, no one can get to it anyway.

Just with those two suggestions, I don't think your database could be damaged or hacked. As long as you are validating the form data for the database (alpha characters don't go into integer fields), I think you'll be fine.

Mark
 
I put the file in a separate dir with a CHMOD of 500. The user does have full access as it needs to read and write to the database...

No. Your web server needs access to it, not the remote user. Put anything that does not need to be called directly (included files, for instance) outside of your web root.

So, instead of:
.../htdocs/index.php
.../htdocs/settings/passwords.php

Do something like:
.../htdocs/index.php
.../settings/passwords.php


+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)
 
Thanks both,
great ideas including some things so simple but I just never realized. Absolutely very helpful
 
The site only has 2 public forms using the POST method and is largely based on wordpress.
As long as you are using an up to date version of WP and you are not using any plugins with security holes, you should be ok on sql injection.

For extra security you might look at the PDO extension I have written for WP (rathercurious.net). The extension recrafts all queries on the fly to use a prepare->execute methodology with stored parameters that are automagically escaped and enquoted by the relevant database driver (for better security).

If you are worried about the database connection string then move wp-config.php outside of the root and then recreate the wp-config.php file with a require_once to the relevant target file. However, so long as your webserver is working fine, the wp-config.php file should be pretty secure where it is; if the webserver is functional it will serve it through php and as a result will not render any content.

We have a new wordpress forum on this site. so if you do have any WP insights that you want to share, or questions to ask, then please head over to
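Added example, not code from this thread, from WordPress or from the rathercurious.net extension: one PHP form handler that puts the advice above together. Credentials are loaded from a file outside the web root (Hex's and jpadie's point), the DSN points at the local MySQL only (Mark's point), each field is validated for its column type before any SQL exists, and every query goes through PDO prepare/execute with bound parameters instead of hand escaping. File names, the `donors` table and its columns are hypothetical.

```php
<?php
// Assumed layout (hypothetical names):
//   .../htdocs/contact.php    this file, the public form handler
//   .../settings/db.php       outside htdocs; returns ['dsn' => ..., 'user' => ..., 'pass' => ...]
//                             e.g. 'mysql:host=127.0.0.1;dbname=charity;charset=utf8mb4'
$config = require __DIR__ . '/../settings/db.php';

$pdo = new PDO($config['dsn'], $config['user'], $config['pass'], [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, never half-run a query
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
]);

// Validate shape first: alpha characters never reach an integer column and a bad
// e-mail address is rejected before any SQL is built. filter_input returns null
// when the field is absent and false when validation fails.
$name  = filter_input(INPUT_POST, 'name');
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
$age   = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 0, 'max_range' => 130]]);

if (!is_string($name) || trim($name) === '' || mb_strlen($name) > 100
    || !is_string($email) || !is_int($age)) {
    http_response_code(400);
    exit('Invalid form data');
}

// The SQL text contains only placeholders; the values travel to MySQL separately,
// so quotes or SQL keywords typed into the form are stored as plain text and are
// never parsed as part of the statement. No manual escaping is involved.
$stmt = $pdo->prepare('INSERT INTO donors (name, email, age) VALUES (:name, :email, :age)');
$stmt->bindValue(':name',  trim($name), PDO::PARAM_STR);
$stmt->bindValue(':email', $email,      PDO::PARAM_STR);
$stmt->bindValue(':age',   $age,        PDO::PARAM_INT);
$stmt->execute();

// Reading back uses the same pattern: a value taken from the URL is validated
// as an integer and bound, never concatenated into the query string.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (is_int($id)) {
    $read = $pdo->prepare('SELECT name, email, age FROM donors WHERE id = :id');
    $read->execute([':id' => $id]);
    $row = $read->fetch(PDO::FETCH_ASSOC); // false when no such row
}
```

Because the settings file sits one level above htdocs, a request for /settings/db.php cannot be served even if PHP handling on the web server were ever misconfigured.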
 
Just successfully 'hacked' my own form by putting JavaScript in there... Using the strip_tags function resolved that one very nicely.

Any other things I need to think about besides all the great comments above?
 
beltmanjr
The vulnerability that you mention is not known to me. Please would you post your experience (with sample code) in the wp forum of this site so that we can all learn from you?

thanks

 
Hi jpadie,
this isn't wordpress specific, simply a form entry issue.
I.e. I'd put some simple javascript code in an input box like
Code:
<script type="text/javascript">alert('hi there');</script>

And I'm not certain what trouble one could cause by inserting this, but can imagine it could break your coding and if submitted to a database and later read on a public part of the site it could display some nasty messages to the users.... Better to make certain nothing like this can happen I'd say

 
ah.
This is a database display issue really. If this is a concern for you it is probably better to filter output than input, as there may be entirely valid reasons for storing this kind of information in a database. Use htmlspecialchars() or htmlentities() on the output.
 
I'm actually, but my forms are about personal information etc, so no need for any java or whatever kind of scripting. In this case the strip_tags function is extremely helpful.
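Added example, not code from either poster: the string beltmanjr typed into his own form (constructed here as sample input, alongside two legitimate entries) run through both approaches discussed above, strip_tags at input time and htmlspecialchars at output time, so the trade-off jpadie describes is visible on real data. The helper names are hypothetical.

```php
<?php
// Constructed sample inputs: the thread's own test string plus two harmless entries.
$samples = [
    "<script type=\"text/javascript\">alert('hi there');</script>",
    "O'Neill & Sons",       // legitimate text containing characters HTML treats specially
    "We <3 this charity",   // legitimate text that merely looks like the start of a tag
];

// Approach 1 (beltmanjr): sanitise before storing. Simple, but lossy: strip_tags does
// not parse HTML, so everything from the "<" of "<3" to the end of the string is
// discarded because no closing ">" is ever found.
function cleanForStorage(string $input): string
{
    return strip_tags($input);
}

// Approach 2 (jpadie): store exactly what was sent and encode at the point where the
// value is placed into HTML. The browser then displays the characters instead of
// interpreting them. ENT_QUOTES escapes both quote styles, which matters once the
// value sits inside an attribute; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking
// the whole output.
function h(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The same stored value rendered in two contexts, text node and attribute, each
// escaped at output. The database row itself is left untouched.
function renderRow(string $stored): string
{
    return '<tr><td>' . h($stored) . '</td>'
         . '<td><input type="text" name="name" value="' . h($stored) . '"></td></tr>';
}

foreach ($samples as $s) {
    echo "input   : $s\n";
    echo "stripped: " . cleanForStorage($s) . "\n";
    echo "escaped : " . h($s) . "\n";
    echo "html row: " . renderRow($s) . "\n\n";
}
```

For a personal-details form that should never contain markup, the two can be combined: strip_tags on the way in and htmlspecialchars on the way out, since output encoding still protects any value that reaches the page by another route.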
 