开发者

PHP : Techniques for making database and files secure

I am building a text sharing site where user will upload their text files.

I want to know what are the ways some one can attack my database and the tex开发者_Go百科t files stored on my server. And what are the ways to protect them.


  1. Make Sure you use PDO for database interaction (this will prevent you from Attacks Such as MySQL Injection).

  2. Use .htaccess to gain more control. (it is always good practice to hide Design structure of your application from public, you can try using more-rewrite to re-write your URL's, or using .htaccess you can deny permission for users to directly access the files. )

  3. Use Object Oriented Programming Object Oriented Programming was invented for a purpose make use of it.

  4. Make sure you use Design Pattern for your Application. Adopting design patterns by adhering to standards makes your site less vulnerable to attacks, there are various Design Patterns you can use with your application like, Singleton Pattern, MVC Pattern etc. While MVC is widely adopted and used by various PHP Frameworks.

  5. There are various PHP Frameworks available to take care of most of the things. it is of no use trying to re-invent the wheel. try using a framework, CakePHP is what i personally recommend, otherwise you can try Code Ignitor or Symfony as well.


BEST IDEA

I do have to suggest that you use some sort of framework for this. You will still need to work with some of the techniques below (file_get_contents and unlink, for example).

As to the frameworks:
CodeIgniter is very simple, Symfony is good as an intermediate one -- it combines with a real ORM system and YAML configuration gives it a much more robust feeling. Zend is by far the most powerful -- it has a library for everything (and it is so impressive that there are bindings to let you use CodeIgniter or Symfony with Zend's libraries). Of course, with great power comes great complexity (unless you're Peter Parker).

IF THAT ISN'T AN OPTION

Honestly, you're better off storing the file in the database than on the file system. readfile can be a major security risk (it does not have to be, but you actually have to worry about it), and you're already planning on incorporating a database anyway. Oh, and as an extra bonus, you can index the files so that you can allow legit searches.

Once you've used move_uploaded_file, then you should do $input = file_get_contents($tmp_fl_name); and then unlink($tmp_fl_name); to remove the file from the file system. Then, use the PDO to insert the data into the database. Then, when you insert into the database, make sure you use a PDOStatement with bindParams to prevent SQL injection.

It might look something like this:

$tmp_file = "/path/to/temps/tmp".microtime().".tmp";
move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $tmp_file);
$input = file_get_contents($tmp_file);
unlink($tmp_file);
$sth = $dbh->prepare('INSERT (:fl, NOW()) INTO USER_FILES');
$sth->bindParam(':fl', $input, PDO::PARAM_STR);
$sth->execute();


There's a great roundup at php.net/security

By the way, you have an ace name - is it your real name?


Use PDO http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/


I'd suggest using a MVC framework like CodeIgniter, Kohana or Zend Framework which automagically protects data inputted in the database and also runs XSS (Cross-Site-Scripting attacks) sanity checks on GET/POST data. Personally, I prefer CodeIgniter for its simplicity and low learning curve.

This, however, requires you to use each frameworks' specific database abstraction layer. In CodeIgniter this works roughly as follow:

$this->db->insert('tablename', array('text' => 'hey mom', 'user_ud' => $this->user->id)); $rows = $this->db->from('tablename')->where('user_id', $this->user->id)->get()

($this->user->id is fictional and does not exist in a vanilla installation)

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜