Please help newbie with coding standard

dw89

Hi All 😃

I'm really after the best way to design and code a MySQL/PHP site for security/scalability reasons. I'm new to both as my native Db/Language is Oracle/SQL, PL/SQL. There are lots of similarities but MySQL seems VERY flaky i.e. the User tools (!) so I'm trying to understand more about using both so I don't need to use the tools so much.

Anyway here's what I have planned so far and I would really appreciate any comments that anyone can offer 🙂

MySQL:
I had intended creating the MySQL db with two separate layers i.e. TEST (database for custom tables/triggers) and APPS (for views on TEST and procedures/functions). My hope in doing this is that I give access to PHP via APPS so that direct table intervention in TEST would not be easy. Does that sound fair enough? I'm sure even then there must be a way to obfuscate my procedures/functions in MySQL?

PHP:
From my brief tutorials and searching on the PHP.net/tutorialized.com and here I seem to see a few inherent security precautions that need to be taken place:
1) Authentication
2) Validation
1) I have found an interesting article on tutorialized.com that shows the setting of a session_id (to be stored as a cookie on browser) and then an include php script on all the pages you wish to keep secure. Effectively if you have a cookie with a session id that matches the one in the db then you get access otherwise you are taken to a login page where you have to login successfully etc. It seems quite good. Is this what everyone uses?
2) On this it seems I should be using various forms of validation to prevent SQL Injection and basically prevent cr@p data. Unlike the functions used in PHP this is second nature to me so I'll look into these more.

Any info on securing data and best practice as regards the above would be really appreciated. I am looking to design something very big and want it to stand up in the commercial world without hacking! At the moment my biggest headache seems to be getting MySQL to work properly! If only Oracle was free!

Thanks

Dave

PS Can someone please tell me how to connect to a specific user in MySQL command line client? I can use 'connect test' to connect to the db but I want to connect with a specific user....in Oracle I would use conn apps/[password]@Db...which doesn't work in MySQL!

wreed

Look into phpmyadmin its a great tool to view your database and its written in PHP!

dw89

Many thanks, I didn't know about that 😃

dw89

Weird, I went to the phpmyadmin site and tried to download phpMyAdmin-2.6.4-pl3.zip and keeps saying bad file when I run winzip! Ideas? Seems to do the same on Sourceforge too.

thorpe

i would stick to postgres if possible. there are plenty of good reasons to. and php can work just as well with postgres as mysql.

edit: sorry, misread your post.

jara06

Try the tar.gz or clear your browser's cache and try again. 🙂

Ive been using "MySQL Query Browser" & "MySQL Administrator" lately. 2 program which can be found on mysql.com.
I used to use phpMyAdmin daily, and it's okay for lots of purposes.

wreed

yea download to your desktop then open , do not just do OPEN...if your cache is full you will get a corrupt message like that.

unreal128

In reference to your original post DW, I know exactly how you feel. As a newbie to PHP, this is something that I always hear about as well. Alot of the concerns had to do with abuses of form variables/validation and SQL injection. Luckily since the later revisions of PHP 4+, there have been alot of enhancements made to ensure security. This is especially true since PHP is starting to gain some steam as an "enterprise ready" app and wants to be taken seriously by bigger companies. Here are some rules that I have learned that helped me greatly in feeling more secure about my code:

1) Always assume the worst intentions with form submissions. This is the gateway for any cracker to try and break your system so they can get access to your critical data. Assume that every data field will have an SQL injection or use special control characters (use the addslashes function to remedy this.) I find it better to cycle through POST/GET variables, sanitize them and then assign a regular variable name.

2) The most common way to check user authorization in your code is to check the condition of a variable. I usually start the code by unsetting the variable and then setting it once the login/cookie has been validated with a 1 value. Later in the code you can then check to see if the variable isset() and if the value == 1. Pick something unique that you would only reference for authentication (don't make it a common variable like $username, etc...)

3) Always store sensitive data in your database as a salted/hashed string (this goes for passwords or unique identifiers.) Here is a common function I have in my library...

function encryptString($string)
{
	static $secret_word = 'mysecretwordwithnonsensephrases';
	$salted = crypt($string, "Ba");
	$hash = md5($secret_word.$salted);
	return $hash;
}

Anytime you need to compare a submitted password for example, you would run encryptString() on the submitted password and then compare the hash against the hash in the database. Salting the has beforehand adds an extra layer of security in case they try to do a brute force attack on a plain text to md5 hash.

Here is another good link on the topic http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/

AND ALWAYS REMEMBER, www.php.net IS YOUR FRIEND!!! 😃

dw89

Thanks all, I've found all the info you've given very informative. It's lucky I've got a coding/Db background otherwise it'd be a lot more complicated!

unreal128: everything you said struck a chord with me...especially on the security thing. I intend to 'try' and do a combination of SHA-256 for the whole process i.e. from Client to PHP and PHP to Db and back. Then in the Db use something else on top of SHA-256. I'll be amazed if that gets broken! All the customers financial data will be stored in Paypal but I just want to ensure that customer's personal data and user/pw's are secure on the target MySQL Db.

One big question I have regarding php....if I have a class or function (such as that generates a SHA-256 hash) where/how can I store it as some kind of global so that I don't have to reference the function in each .php script? Still getting to grips with php so sometimes I may be asking silly qu's!

I've been looking at the following link for the algorithm:

http://forums.devnetwork.net/viewtopic.php?t=31069

Thanks all

Dave

unreal128

dw89 wrote:
One big question I have regarding php....if I have a class or function (such as that generates a SHA-256 hash) where/how can I store it as some kind of global so that I don't have to reference the function in each .php script? Still getting to grips with php so sometimes I may be asking silly qu's!

Do you mean doing something other than...

require("containslibraryfunction.php");

libraryFunctionCall();

dw89

Ah, got you.....obvious I guess! Thanks🙂

tony_l

just a quick addition to unreals post - if you are using a mysql database to store your data - you want to use mysql_real_escape_string() when cleaning your data and not addslashes(). The old function - mysql_escape_string() did the same thing as addslashes, but they increased what it escaped, so now it is more effective.

Roger_Ramjet

A very good article, with working code, on using sessions for access control can be found here

One thing that no-one has mentioned is the MySQL Access Privilege system . Basically, your public web pages probably only need Read access to your database, and only to limited tables and columns at that. Create seperate user accounts that you use to connect to the db for other levels of access.

dw89

Tony: Thanks, I'd read about the mysql_real_escape_string function so I'll makje sure I use that. I'm sure I'll be bugging you about some info on SSL too at some stage! Thanks again

Roger: Thanks for the link...will read that in a mo. Regarding the sql access. I had intended to have two db layers in MySQL, one that holds the tables/triggers and another top level that has procedures (for insert/update/delete) and views of the other layer. That way I hope to restrict access to the base tables. Only thing I'm not 100% on is what user privs a user needs to execute the procedures in the top level so that they will actually affect the base tables in the lower level!

i.e. Db 'Test' has base tables and Db 'Apps' has views/procs.

I create user 'phpuser' to call procedures in Apps. 'phpuser' user has select, execute and show privs but I get errors on executing code in 'apps' that will update 'test' db tables.

What I'm trying to achieve is that even if someone were to gain access to the db they would not gain access to the level that matters i.e. the base 'test' db level where the tables are kept.....if that all makes sense!

Dave 🙂

tony_l

I see where you are going Dw89, It has been awhile since I messed with db users in that sense. I will look some stuff up and post it here once I find it - I think I saw an article on how to do exactly what you are doing.

As for SSL, I learned LOTS of lessons on that topic. Let me know when you want to talk about ssl.

unreal128

You might be able to help this guy then.
http://phpbuilder.com/board/showthread.php?t=10311191

btree

Hi ,

Try to use some similar tools , for example SmartDBVisualizer from this site :

http://www.smartvi.com