Database security for PHP
4 likes1,977 views
The document discusses database security measures for PHP applications, emphasizing the importance of designing databases with limited user privileges and secure connection methods like SSL and SSH. It highlights the need for encrypted storage to protect sensitive data and outlines prevention techniques against SQL injection attacks. Real-world security incidents are cited to illustrate the risks associated with poor database security practices.
Database security for PHP
- 1. Database Security for PHP Rohan Faye
- 8. Conclusion
- 9. Introduction Databases: cardinal components of any web based application
- 10. Provides varying dynamic content
- 11. Stores sensitive or secreat information
- 12. PHP cannot protect your database by itself
- 14. Designing databases Create the database
- 15. Grant the privileges in order to allow other users to use it
- 16. Applications should never connect to the database as its owner or a superuser
- 17. Stop intruders from gaining access by assigning limited rights to the database objects
- 18. Designing databases Avoid implementing all the log in the web application
- 19. Use views, triggers or rules Transparency
- 21. Provides insight when debugging problems
- 22. Ability to trace back transactions
- 23. Connecting to database Establish connections over SSL to encrypt client/server communications for increased security
- 24. Use SSH to encrypt the network connection between clients and the database server
- 25. If either of these is used, for a would-be attacker, it will be: Difficult to gain information about your database
- 26. Encrypted storage model SSL/SSH Protects data travelling from client to server
- 27. Does not protect persistent data If attacker gains access, sensitive data can be misused
- 28. Encrypting the data is a good way to mitigate this threat
- 29. Encrypted storage model Create your own encryption package to use it from within your PHP script
- 30. PHP assists you with several extensions like Mcrypt and Mhash
- 31. Script encrypts the data before inserting it into the database, and decrypts it while retrieving
- 32. If raw representation of data is not needed, then can rely upon hashing e.g. crypt() and MD5()
- 33. Before moving further... Real world examples of some major incidents due to a security flaw...
- 34. Incident 1 Date: November 1, 2005
- 35. Attacker: A high school student
- 36. Victim: Taiwanese Information Security magazine's site
- 37. Incident 2 Date: March 29, 2006
- 38. Discovered by: Susam Pal (Security expert)
- 39. Victim: Official Indian government tourism site
- 40. Incident 3 Date: July 19, 2008
- 41. Attacker: m0sted and Amen (Turkish hackers)
- 42. Victim: Kaspersky's malaysian website
- 43. Incident 4 Date: January 20, 2009
- 44. Attacker: Albert Gonzalez and two unnamed Russians
- 45. Victim: Heartland Payment Systems
- 46. Incident 5 Date: October 10, 2009
- 47. Attacker: A turkish crew
- 48. Victim: Federal Bureau of Investigation job site
- 49. Incident 6 Date: December 4, 2009
- 51. Victim: RockYou!
- 52. And many more... All of these incidents comprised a common technique of attack... “ SQL ”
- 53. SQL injection A SQL query is: Not always a trusted command
- 54. Can bypass standard authentication and authorization checks
- 55. May allow access to host operating system level commands
- 56. Direct SQL Command Injection A technique where an attacker can create or alter existing SQL commands to expose hidden data
- 57. Can execute dangerous system level commands on the database host
- 58. Accomplished by the application taking user input and combinig it with static parameters to bulid a SQL query
- 59. Avoiding techniques Never connect to the databse as a superuser or a database owner
- 60. Validate the input – PHP has a wide range of input validating functions
- 61. Perl compatible Regular Expressions support
- 62. Quote each non-numeric user supplied value passed to the databse using database specific string escape function
- 63. Avoiding techniques Do not print out any database specific information by fair means or foul
- 64. Take benifit from logging queries either within your script or by the database itself, if it supports logging Unable to prevent any harmful attempt
- 65. Can be helpful to trace back which application has been circumvented
- 66. Conclusion “A good PHP application doesn't mean to be good looking. It simply wants to be safe...”
- 67. Thank you <?php $references = array( 'The PHP manual', 'Guide to PHP Security', 'Wikipedia', ); ?>