#1 bazz (Master Coder, joined Apr 2003, location: in my house, 5,211 posts)

    mysql security/injection prevention

    Hi,

    I am curious as to some of your security methods to prevent deletion commands etc. being entered via your forms/params.

    Do you use the same db connection/account for all your scripts, or do you use one which has deletion/alter etc. disabled and then use another (with deletion etc. allowed) when such actions are necessary? If so, I would imagine you make those scripts mega secure with param checking, regexes etc.?

    That's the direction I am thinking I should go and just wonder what you think.


    I have had privileges disabled but one of my scripts needs them enabled (albeit behind the CMS login) and I don't want this to weaken the security.
    bazz
    "The day you stop learning is the day you become obsolete!" - my late Dad.

    Why do some people say "I don't know for sure"? If they don't know for sure then, they don't know!

#2 FishMonger (Super Moderator, joined May 2005, location: Southern tip of Silicon Valley, 2,871 posts)
    Each approach has its merits, but I almost always use a single user with the required rights rather than multiple users with varying rights.

    You should always be diligent, in every script, about testing user supplied info to verify that it contains what you expect and nothing more even when the script only does select statements.

#3 bazz (Master Coder, joined Apr 2003, location: in my house, 5,211 posts)
    Thanks FishMonger.

    I understand what you say but I wondered if disabling 'delete' from the privileges would be a sure way to prevent an injection deleting my whole db. Then I realised that one script had to be able to delete and so, I wondered if a specific account for that script might be a good way to go where that script had a 'bells and whistles' approach to checking form and param inputs.

    Of course, since you imparted your wisdom (that's not meant to sound sarcastic at all!), I see I need to brush up on O'Reilly and their regexes.

    I'll ponder it for a while as I pull together a whole load of 'loose ends' (or strings, lol) to get this project done.

    bazz
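The two ideas discussed in this thread (FishMonger's "validate every input, even in SELECT-only scripts" and bazz's "take DELETE away from the account most scripts use, and give the one deleting script its own tightly checked path") can both be shown in a few lines. The example below is added here and is not code from either poster. It uses Python's built-in sqlite3 module in place of MySQL so it runs offline; the constructed `posts` table, the `"2' OR '1'='1"` payload and the `SQLITE_DELETE` authorizer are all assumptions of this example. The authorizer stands in for a MySQL account that was never granted DELETE: the same effect in MySQL comes from the GRANT statements quoted in the comments, which are real MySQL syntax but not taken from the thread.

```python
import re
import sqlite3

# Constructed sample data, not from the thread: a tiny "posts" table.
SAMPLE_POSTS = [(1, "first"), (2, "second"), (3, "third")]

# Allow-list for a form parameter that must be a positive integer id.
POST_ID_RE = re.compile(r"\A[1-9][0-9]{0,8}\Z")


def fresh_db() -> sqlite3.Connection:
    """Open an in-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)", SAMPLE_POSTS)
    conn.commit()
    return conn


def count_posts(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM posts").fetchone()[0]


def delete_post_unsafe(conn: sqlite3.Connection, post_id: str) -> int:
    """The injectable version: the form value is pasted straight into the SQL text."""
    cur = conn.execute(f"DELETE FROM posts WHERE id = '{post_id}'")
    return cur.rowcount


def delete_post_param(conn: sqlite3.Connection, post_id) -> int:
    """Parameterised: the value is bound separately, so it is only ever compared with id."""
    cur = conn.execute("DELETE FROM posts WHERE id = ?", (post_id,))
    return cur.rowcount


def validate_post_id(value: str) -> int:
    """Reject anything that is not a plain positive integer before it reaches the database."""
    if not POST_ID_RE.match(value):
        raise ValueError(f"post id rejected: {value!r}")
    return int(value)


def restricted_connection(conn: sqlite3.Connection) -> sqlite3.Connection:
    """Emulate a MySQL account with no DELETE privilege (assumption of this example).

    The MySQL equivalent is a GRANT without DELETE for the everyday account and a
    separate account for the one script that must delete, e.g.:
        GRANT SELECT, INSERT, UPDATE ON app.* TO 'app_user'@'localhost';
        GRANT DELETE ON app.posts TO 'app_deleter'@'localhost';
    SQLite has no accounts, so an authorizer refuses DELETE at prepare time instead.
    """
    def deny_delete(action, arg1, arg2, db_name, trigger_or_view):
        if action == sqlite3.SQLITE_DELETE:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    conn.set_authorizer(deny_delete)
    return conn


def delete_refused(conn: sqlite3.Connection, post_id: str) -> bool:
    """True if the connection's privileges block the delete regardless of the SQL text."""
    try:
        delete_post_unsafe(conn, post_id)
    except sqlite3.DatabaseError:  # SQLite reports "not authorized" here
        return True
    return False


def run_scenarios() -> dict:
    """Run each defence against the same constructed payload and report the rows left."""
    payload = "2' OR '1'='1"  # constructed injection payload for the single-quoted query
    results = {}

    db = fresh_db()
    delete_post_unsafe(db, payload)
    results["unsafe_rows_left"] = count_posts(db)       # WHERE became always-true: 0 rows left

    db = fresh_db()
    delete_post_param(db, payload)
    results["param_rows_left"] = count_posts(db)        # payload matched as a literal: 3 rows left

    db = fresh_db()
    delete_post_param(db, validate_post_id("2"))
    results["valid_rows_left"] = count_posts(db)        # the intended single delete: 2 rows left
    try:
        validate_post_id(payload)
        results["payload_validated"] = True
    except ValueError:
        results["payload_validated"] = False             # the regex never lets the payload through

    db = restricted_connection(fresh_db())
    results["restricted_refused"] = delete_refused(db, payload)   # no DELETE privilege: refused
    results["restricted_refuses_legit"] = delete_refused(db, "1")  # even a legitimate delete
    results["restricted_rows_left"] = count_posts(db)             # table untouched: 3
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The last two results are the trade-off bazz describes: the restricted connection stops the injected delete and the legitimate one alike, so the one script that must delete needs its own connection with that right, and on that connection the parameterised query plus the allow-list check are what stand between the form and the table.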
