Solved

Injections and SEcurity

Posted on 2015-01-26
8
54 Views
Last Modified: 2015-01-30
Hi Experts,

This is just to summarize http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/Q_28597002.html

Basically, if I use PDO with Parametrized queries, will it be safe to assume that I am protected against injections and other security breaches?

As well, do using stored procedures help, hurt, or all the same?

Thank you
0
Comment
Question by:APD_Toronto
  • 4
  • 3
8 Comments
 
LVL 32

Assisted Solution

by:Daniel Wilson
Daniel Wilson earned 100 total points
ID: 40571542
Injections, yes.

Other security breaches, nothing seems ever safe to assume. :(
0
 

Author Comment

by:APD_Toronto
ID: 40571589
What other security breaches are there?
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 40571673
What other security breaches are there?
This is a hard question to answer, so I'm going to recommend that you not ask it.  Let me explain...

The security field is constantly morphing in response to changing attacks and threats.  If you want to try to stay up-to-date, join OWASP and become active in the community.  If that seems like a lot of work, you can subscribe to their blogs and feeds.

PHP has its own Security Section.

Now to this question you should not ask... The reason this is a bad question is that it puts you on the defensive, constantly trying to defend against the morphing threats.  A better way to think about the problem is to ask, "What are the acceptable known good values that I am willing to let others inject into my database?"  If you filter all external input with rules that will only pass acceptable values, you will be fine.  Expect an integer?  Check to see if the input looks like an integer!  PHP provides a collection of filters, and you can write your own, too.  I would recommend a hard-and-fast programming practice that filtered every external input without exception.  If any of the external inputs fail the filter, discard the external input!  (You can do this nicely with messages to the client).  Test your filters with an automated testing tool like PHPUnit.  And be mindful of edge cases.

There's a QA joke that goes like this.  A QA engineer walks into a bar.  Orders a beer.  Orders 2 beers.  Orders -17 beers.  Orders the square root of -1 beers.  Orders  2^31-1 beers.  Orders a slevischik...  If your bartender has a good sense of what beer orders can be filled, you'll never have problems handling the occasional tough customer.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:APD_Toronto
ID: 40571700
As well, do using stored procedures help, hurt, or all the same?
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 40571711
Stored procedures can help, inasmuch as there is a reduced risk that your filtering strategy was faulty.  But mostly all the SP does for you is encapsulate a process.  If the process is sturdy and secure, you'll be fine with the outcomes whether or not you use stored procedures.  Some of the advantages are summarized here:
https://answers.yahoo.com/question/index;_ylt=AwrB89Nt2cZU71EAAQ5PmolQ?qid=20090611034518AAM5Evu

How many programmers are working on the project?  Are any of them security risks?
0
 

Author Comment

by:APD_Toronto
ID: 40573048
Just me
0
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 400 total points
ID: 40573991
That's good, because you can be 100% "trusted" with your own queries.  If there are novice programmers helping you, who need to use queries and you do not want them to do something goofy, the stored procedure path is potentially helpful.  There may also be some modest performance advantages, since the server does not have to recompile the queries.
0
 

Author Closing Comment

by:APD_Toronto
ID: 40580163
Thank you both.

Sorry for my inconsistent replies, it have been very hectic time for me.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Developers of all skill levels should learn to use current best practices when developing websites. However many developers, new and old, fall into the trap of using deprecated features because this is what so many tutorials and books tell them to u…
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question