Injections and Security

Posted on 2015-01-26
Last Modified: 2015-01-30
Hi Experts,

This is just to summarize http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/Q_28597002.html

Basically, if I use PDO with Parametrized queries, will it be safe to assume that I am protected against injections and other security breaches?

As well, does using stored procedures help, hurt, or make no difference?

Thank you
Question by:APD_Toronto

8 Comments
LVL 32

Assisted Solution

by:Daniel Wilson
Daniel Wilson earned 100 total points
ID: 40571542
Injections, yes.

Other security breaches, nothing seems ever safe to assume. :(

Author Comment

by:APD_Toronto
ID: 40571589
What other security breaches are there?
LVL 109

Expert Comment

by:Ray Paseur
ID: 40571673
What other security breaches are there?
This is a hard question to answer, so I'm going to recommend that you not ask it.  Let me explain...

The security field is constantly morphing in response to changing attacks and threats.  If you want to try to stay up-to-date, join OWASP and become active in the community.  If that seems like a lot of work, you can subscribe to their blogs and feeds.

PHP has its own Security Section.

Now to this question you should not ask... The reason this is a bad question is that it puts you on the defensive, constantly trying to defend against the morphing threats.  A better way to think about the problem is to ask, "What are the acceptable known good values that I am willing to let others inject into my database?"  If you filter all external input with rules that will only pass acceptable values, you will be fine.  Expect an integer?  Check to see if the input looks like an integer!  PHP provides a collection of filters, and you can write your own, too.  I would recommend a hard-and-fast programming practice that filtered every external input without exception.  If any of the external inputs fail the filter, discard the external input!  (You can do this nicely with messages to the client).  Test your filters with an automated testing tool like PHPUnit.  And be mindful of edge cases.

There's a QA joke that goes like this.  A QA engineer walks into a bar.  Orders a beer.  Orders 2 beers.  Orders -17 beers.  Orders the square root of -1 beers.  Orders 2^31-1 beers.  Orders a slevischik...  If your bartender has a good sense of what beer orders can be filled, you'll never have problems handling the occasional tough customer.
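The filter-then-bind practice described in the comment above, as an added example that is not code from the thread or its participants; the table, column names and SQLite sample data are constructed for illustration:

```php
<?php
// Allow-list filtering of external input before it reaches a PDO prepared statement.
// Table "users" and its columns are assumed for this example.

function validateUserId(mixed $raw): ?int
{
    // Expect an integer? Check that the input looks like one, and is in range.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function validateEmail(mixed $raw): ?string
{
    // PHP's built-in email filter; a custom filter could be used the same way.
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

function findUser(PDO $pdo, mixed $rawId): ?array
{
    $id = validateUserId($rawId);
    if ($id === null) {
        // Input failed the filter: discard it and tell the client; never query with it.
        throw new InvalidArgumentException('id must be a positive integer');
    }
    // Bound parameter: the value is sent separately from the SQL text.
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Use real server-side prepares rather than client-side emulation where the driver supports it.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice@example.com')");

// The "tough customer" orders from the joke all fail the integer filter.
foreach (['1', '-17', 'i', '12abc', '2147483647'] as $candidate) {
    $verdict = validateUserId($candidate) === null ? 'rejected' : 'accepted';
    echo "id input '{$candidate}': {$verdict}\n";
}
print_r(findUser($pdo, '1'));
```

Rejected values never reach prepare(), so filtering is the first gate and parameter binding is the second; neither replaces the other.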

Author Comment

by:APD_Toronto
ID: 40571700
As well, does using stored procedures help, hurt, or make no difference?
LVL 109

Expert Comment

by:Ray Paseur
ID: 40571711
Stored procedures can help, inasmuch as there is a reduced risk that your filtering strategy was faulty.  But mostly all the SP does for you is encapsulate a process.  If the process is sturdy and secure, you'll be fine with the outcomes whether or not you use stored procedures.  Some of the advantages are summarized here:
https://answers.yahoo.com/question/index;_ylt=AwrB89Nt2cZU71EAAQ5PmolQ?qid=20090611034518AAM5Evu

How many programmers are working on the project?  Are any of them security risks?

Author Comment

by:APD_Toronto
ID: 40573048
Just me
LVL 109

Accepted Solution

by:Ray Paseur
Ray Paseur earned 400 total points
ID: 40573991
That's good, because you can be 100% "trusted" with your own queries.  If there are novice programmers helping you, who need to use queries and you do not want them to do something goofy, the stored procedure path is potentially helpful.  There may also be some modest performance advantages, since the server does not have to recompile the queries.

Author Closing Comment

by:APD_Toronto
ID: 40580163
Thank you both.

Sorry for my inconsistent replies, it has been a very hectic time for me.