|
użytkowników online: 65
|
OPINIE UŻYTKOWNIKÓW
|
Gratulacje i dzięki! Trafiłem tu przypadkiem poszukując informacji na temat php+mysql. Wiele polskich stron powiela identyczne przykłady, klonuje te same kursy i lekcje... ten serwis okazał sie inny. Zasada "problem - rozwiazanie - wyjaśnienie" zdaje egzamin - zapewnia jasną, jednoznaczną i pewną pomoc w konkretnym przypadku. Porady są warte swojej ceny, przede wszystkim ze względu na przyjazną (także dla początkujących) formę i treść oraz bogate i stale powiększane zasoby. Polecam i pozdrawiam!
Kamil Dmowski
Polski Czerwony Krzyż
|
|
PODRĘCZNIK PHP 5.x, 4.x, 3.x - częściowo spolszczony / źródło: www.php.net
[Spis]
[A]
[B]
[C]
[D]
[E]
[F]
[G]
[H]
[I]
[J]
[K]
[L]
[M]
[N]
[O]
[P]
[Q]
[R]
[S]
[T]
[U]
[V]
[X]
[W]
[Z]
Rozdział 27. Database Security
Nowadays, databases are cardinal components of any web based application by
enabling websites to provide varying dynamic content. Since very sensitive
or secret information can be stored in a database, you should strongly
consider protecting your databases.
To retrieve or to store any information you need to connect to the database,
send a legitimate query, fetch the result, and close the connection.
Nowadays, the commonly used query language in this interaction is the
Structured Query Language (SQL). See how an attacker can tamper with an SQL query.
As you can surmise, PHP cannot protect your database by itself. The
following sections aim to be an introduction into the very basics of how to
access and manipulate databases within PHP scripts.
Keep in mind this simple rule: defense in depth. The more places you
take action to increase the protection of your database, the less
probability of an attacker succeeding in exposing or abusing any stored
information. Good design of the database schema and the application
deals with your greatest fears.
The first step is always to create the database, unless you want to use
one from a third party. When a database is created, it is
assigned to an owner, who executed the creation statement. Usually, only
the owner (or a superuser) can do anything with the objects in that
database, and in order to allow other users to use it, privileges must be
granted.
Applications should never connect to the database as its owner or a
superuser, because these users can execute any query at will, for
example, modifying the schema (e.g. dropping tables) or deleting its
entire content.
You may create different database users for every aspect of your
application with very limited rights to database objects. The most
required privileges should be granted only, and avoid that the same user
can interact with the database in different use cases. This means that if
intruders gain access to your database using your applications credentials,
they can only effect as many changes as your application can.
You are encouraged not to implement all the business logic in the web
application (i.e. your script), instead do it in the database schema
using views, triggers or rules. If the system evolves, new ports will be
intended to open to the database, and you have to re-implement the logic
in each separate database client. Over and above, triggers can be used
to transparently and automatically handle fields, which often provides
insight when debugging problems with your application or tracing back
transactions.
User Contributed Notes30-Jun-2005 12:57
you can also chamge CHMOD for some file containing "user names" or "passwords"
webmaster at rackhouse dot net
12-Mar-2005 11:08
On a database design point of view, you should make sure that you design databases in a manor that any query run from them need minimal input from the user and if it requires user input, that you encrypt where possible.
jjahn at SPAMSUCKS dot signicast dot com
20-Jun-2003 07:17
I would say one of the best ways to guard against SQL injection is to use the excellent PEAR DB package. If you prepare() and execute() your queries, PEAR will automagically addslashes and handle the query depending on your RDBMS. And of course, for repeatable queries prepare and execute will give you a bit of a readability and speed increase.
|
