Article:
  The Practicality of OO PHP
Subject:   Security Concerns
Date:   2005-08-02 10:20:23
From:   rmartin
There are some key security flaws with the database example used here; unless you take some strong precautions you'll be in a lot of trouble.
The example doesn't specifically have a connection function (it might have been left out for simplicity), but the reader might assume that it's OK to put the mysql_connect method and all the password/login details in DataExtraction() (or in __construct() for PHP 5). This is terrible because, assuming a common setup, I can simply
include 'http://www.yoursite.com/databaseextraction.php';
get_class_methods($this);

and then call your function. Even worse, I can now execute any SQL command I want considering the nature of mysql_query.
There are some things that you can do to prevent this from happening, like:


1. Set up PHP to run as CGI and disable all read permissions http://us2.php.net/manual/en/security.cgi-bin.php


2. Ensure that you set up a SQL user that only has SELECT permissions if that is all that user is going to be doing, and limit the views. Also, if the SQL server is going to be running on the same server, lock the user's access to localhost http://dev.mysql.com/doc/mysql/en/user-resources.html


3. Use a separate connect function that stores the username and password outside of the main database class.


To your credit David, I understand that this is not a discussion on security, nor do you claim this is how you should do it, but I just feel that it is important, especially when creating tutorials for beginners, that you pay close attention to security issues like this. More available at http://us2.php.net/manual/en/security.database.php



Thanks,
Roy
www.roy-martin.com
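A sketch of Roy's second and third points, as an added example rather than code from the article or its support files: the credentials live in a separate file outside the web root and are opened by a connect function, the data class only ever receives a ready connection, and the account the config names is SELECT-only and bound to localhost. It uses mysqli instead of the mysql_* functions of the original; the file paths, the `reports_ro` account, and the `users` table are assumed.

```php
<?php
// Added example, not the article's code. The credentials file sits outside the
// document root (assumed path) and simply returns an array:
//   return ['host' => 'localhost', 'user' => 'reports_ro', 'pass' => '<password>', 'db' => 'app'];

final class DatabaseConnection
{
    private const CREDENTIALS_FILE = '/etc/myapp/db_credentials.php'; // assumed path

    /** Open a connection with the least-privileged account; callers never see the password. */
    public static function open(): mysqli
    {
        $c = require self::CREDENTIALS_FILE;
        $link = new mysqli($c['host'], $c['user'], $c['pass'], $c['db']);
        if ($link->connect_error) {
            throw new RuntimeException('database connection failed');
        }
        return $link;
    }
}

final class DataExtraction
{
    private mysqli $db;

    // The class receives a ready connection and holds no host, user or password itself.
    public function __construct(mysqli $db)
    {
        $this->db = $db;
    }

    /** A fixed SELECT with a bound parameter: the query text is never assembled from input. */
    public function fetchUser(int $id): ?array
    {
        $stmt = $this->db->prepare('SELECT id, name FROM users WHERE id = ?');
        $stmt->bind_param('i', $id);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();
        return $row ?: null;
    }
}

// Roy's second point, run once by a database administrator (assumed account name):
//   CREATE USER 'reports_ro'@'localhost' IDENTIFIED BY '<password>';
//   GRANT SELECT ON app.users TO 'reports_ro'@'localhost';

$extractor = new DataExtraction(DatabaseConnection::open());
var_dump($extractor->fetchUser(1));
```

Even if someone manages to drive this class, the connection can only read the one table the account was granted, which is the limit Roy's second point is meant to impose.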


  • Security Concerns
    2005-08-11 01:06:17  polarizer

    >include 'http://www.yoursite.com/databaseextraction.php';
    >get_class_methods($this);

    How can this work? The script will not be delivered in plain text, but will be interpreted. In the case of class files there is usually no output, because no stuff is invoked in it.

    Please explain.
  • Security Concerns
    2005-08-02 13:28:43  mr_peanut

    Hello Roy,

    Thanks for your comment. As you said, it wouldn't be very wise to include the username/password information in the DataExtraction class. My examples, however, do in fact use a separate class to store the username and password information (not to mention all MySQL functions). Though it could be further secured by including those additional MySQL functions in yet a third file, I was striving for some sort of simplicity, as you mentioned, so people could get the general idea behind the benefits of OO PHP.

    There is actually a zip file full of support files that go along with this article which I thought was available, but I am guessing it never posted. I will try to get them up as soon as possible so users can see there is more than just the one file involved (dataextractionclass.php).

    I appreciate your insight into security issues--they are always important, even for the smallest of sites. (For example, just recently a fellow PHP'er contacted me and told me about his troubles from someone who hacked his PHP forms and sent out 80,000 e-mails. And keep in mind his site wasn't used by more than 15 to 30 users.)

    In any case, this article's purpose is to be a stepping stone into the world of OO PHP, showing the benefits of using it. However, I still welcome and encourage constructive criticism, even if the criticism does not pertain to the scope of the article, because it could help answer questions or concerns of the reader. So, thanks again for your input! :-)

    Cheers,
    David