Database Security

barman

Right now I'm using a seperate file to connect to my DB and send the information from the form file.

In this "send" file I have my DB name, username, and password.

Is there a more secure way of connecting to my DB and sending my form information?

Azala

1) Make a mySQL connect php file

// mySQL.php
mysql_connect(blah, blah, blah);
mysql_select_db(blah);

2) Store the file outside your www or public_html folder, if your host allows it.
3) Require the file on each side needing database access or in your index.php depending on your page setup

// myForm.php

<?php
require_once '/home/myusername/mySQL.php';  //whatever the path is to this file
if ("SUBMIT"){
   //SUBMIT DATA INTO DATABASE
}
?>

//HTML FORM DATA - SET FORM TO SEND TO ITSELF

If you use a encryption program like ionCube or Zend I believe you can safely have your mySQL.php in whatever directory as anyone opening the file wouldn't be able to read any of it.

EDIT
Remember that the most unsecure thing you can do is not validating the input you get from your form, if you skip this part, everything else is void.

barman

EDIT
Remember that the most unsecure thing you can do is not validating the input you get from your form, if you skip this part, everything else is void.

hehe had no idea, how would I validate the input?

Azala

Let's say one of your form fields is a zip code which in my country consists of nothing but numbers and is always 4 digits long.

if (is_numeric($_POST["ZipCode"]) && strlen($_POST["ZipCode"]) == 4){
    //Data allowed
}
else{
   print "Your form data has errors...";
   exit;
}

Check out mysql_real_escape_string() at this link.

Be very very sure you get this right or expect to be hacked by bots running scripts to exploit sloppy code.

EDIT
I also keep a database of zipcodes in use so that I can verify the input vs zipcodes that actually exists.

barman

Aaaahhh I see what you mean now, most of my data is pre-selected menus and radio buttons, but I do seee what you mean about verifying it all.

I would like to prevent multiple entries though... think you can give me some advice on doing that?

I have one field that is max 10 characters and I'd like to run a check on that field and have a button on the side of the field to check before people submit to save them time.

Thanks in advance! =)

Azala

Pre-selected HTML menus are not secure, the data which is sent to your page can be faked.

So, again, never ever trust the data you get from your form, even if it's hardcoded html options.

If you use a <SELECT><OPTION>Item1</OPTION><OPTION>Item2</OPTION></SELECT> then verify that the FORM data is either Item1 or Item2.

Also use mysql_real_escape_string before you insert the data.

What exactly do you want to check in your max 10 char field?

You want to prevent multiple entires of what, please be abit more detailed 🙂

barman

Well there's 2 things I want to check:

1 - check to make sure it's 4 char minimum
2 - check to make sure these char's are NOT in the name: % ; : ' . , `

Thanks =)

barman

I have 2 files to send the data and a seperate connect.php also. How would I impletement the mysql_real_escape_string into this code for the verification check? Maybe you can OVERHAUL my newbie newbie code ^_ :p

File1:

<?php
$name = $_POST["name"];
$level = $_POST["level"];
$char = $_POST["char"];
?>
<form method="POST" action="../save.php">
Name&nbsp;<input type="text" size="12" maxlength="10" name="name"><br>
Level Guess&nbsp;<select name="level">
<option>001-099</option>
<option>100-199</option>
<option>200-299</option>
<option>300+</option></select>
<br>
Character Type: <br>
Dark Knight<input type="radio" value="dk" name="char">&nbsp;Dark Wizard:<input type="radio" value="dw" name="char">&nbsp;Elf:<input type="radio" value="elf" name="char">&nbsp;Magic Gladiator:<input type="radio" value="mg" name="char"><br>
Enter a description or image URL of the hacker:<br>
<textarea rows="5" cols="45" name="desc" wrap="physical"></textarea><br>
255 Character Max<br><br>
<input type="submit" value="Submit" name="submit"><br>
</form>

File2 (I keep this outside of the WWW folder):

<?php
require_once '../connect.php';
if ("SUBMIT"){ 
   $name = $_REQUEST['name'];
   $level = $_REQUEST['level'];
   $char = $_REQUEST['char'];
   $desc = $_REQUEST['desc'];

   $query = "INSERT INTO `maya` ( `name`,`level`,`char`,`desc` ) 
      VALUES ( '$name','$level','$char','$desc' )";

   $results = mysql_query( $query );

   if( $results )
   {
      echo( "Successfully saved the entry." );
   }
   else
   {
      die( "Trouble saving information to the database: " . mysql_error() );
   } 
} 
?>

Azala

Simply wrap it around $name = $_REQUEST['name'];

$name = mysql_real_escape_string($_REQUEST['name']);

Remember that mysql_real_escape_string requires a database connection. If you read up on mysql_real_escape_string on php.net I believe there's a good function called quote_smart() in the comment section that takes into consideration a few other things aswell, I would go look it up and implement that if I were you.

require_once '../connect.php'; <--- This is the file you would want outside of the WWW directory, the file that inserts the data into the DB can be in the www folder, that's no problem.

In your final code, don't include mysql_error() in any errors, that makes it so much easier for anyone to get access if you have any security flaws. For debugging it's cool though, just remember to remove it.

As for 4 chars minimum, if you don't want to reload the page, you can use Javascript to check the input TOGETHER with a php check, or you can just do a PHP check.

Javascript check can't be trusted, but it will tell the user instantly if it's 4 chars or not in the field. You'll have to look up some javascript code if you want to implement that.

For php it's simple...

if (strlen($_GET['name']) > 4)
      $name = mysql_real_escape_string($_GET['name']);
else
      //some error

I would use $POST, $GET and $COOKIE instead of $REQUEST because it makes it easier to read the code, not a requirement, but a preference.

To check that it does not include % ; : ' . , ` you can do this:

$myBadCharArray = array("%", ";", ":", "'", ".", ",", "`");
if (strlen($_GET['name']) > 4){
      $name = str_replace($myBadCharArray, "", $_GET['name']); //removes any occurance of the bad chars in the variable
      $name = mysql_real_escape_string($name);
}else{
      //some error
}

Hope this helps

barman

wow this is incredible help and I really appreciate it! =)

now for this question, will this stop the script if it's lower than 4 and continue the script it's 4 or greater?

	if (strlen($_GET['name']) >= 4){ 
		$name = str_replace($myBadNameArray, "", $_GET['name']);
		$name = mysql_real_escape_string($name); 
	}else{ 
		header("Location:../view.php?v=NotSaved");
      	exit();
	}

Azala

now for this question, will this stop the script if it's lower than 4 and continue the script it's 4 or greater?

Yep.