Solved

Injections and SEcurity

Posted on 2015-01-26
8
56 Views
Last Modified: 2015-01-30
Hi Experts,

This is just to summarize http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/Q_28597002.html

Basically, if I use PDO with Parametrized queries, will it be safe to assume that I am protected against injections and other security breaches?

As well, do using stored procedures help, hurt, or all the same?

Thank you
0
Comment
Question by:APD_Toronto
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 32

Assisted Solution

by:Daniel Wilson
Daniel Wilson earned 100 total points
ID: 40571542
Injections, yes.

Other security breaches, nothing seems ever safe to assume. :(
0
 

Author Comment

by:APD_Toronto
ID: 40571589
What other security breaches are there?
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 40571673
What other security breaches are there?
This is a hard question to answer, so I'm going to recommend that you not ask it.  Let me explain...

The security field is constantly morphing in response to changing attacks and threats.  If you want to try to stay up-to-date, join OWASP and become active in the community.  If that seems like a lot of work, you can subscribe to their blogs and feeds.

PHP has its own Security Section.

Now to this question you should not ask... The reason this is a bad question is that it puts you on the defensive, constantly trying to defend against the morphing threats.  A better way to think about the problem is to ask, "What are the acceptable known good values that I am willing to let others inject into my database?"  If you filter all external input with rules that will only pass acceptable values, you will be fine.  Expect an integer?  Check to see if the input looks like an integer!  PHP provides a collection of filters, and you can write your own, too.  I would recommend a hard-and-fast programming practice that filtered every external input without exception.  If any of the external inputs fail the filter, discard the external input!  (You can do this nicely with messages to the client).  Test your filters with an automated testing tool like PHPUnit.  And be mindful of edge cases.

There's a QA joke that goes like this.  A QA engineer walks into a bar.  Orders a beer.  Orders 2 beers.  Orders -17 beers.  Orders the square root of -1 beers.  Orders  2^31-1 beers.  Orders a slevischik...  If your bartender has a good sense of what beer orders can be filled, you'll never have problems handling the occasional tough customer.
0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 

Author Comment

by:APD_Toronto
ID: 40571700
As well, do using stored procedures help, hurt, or all the same?
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 40571711
Stored procedures can help, inasmuch as there is a reduced risk that your filtering strategy was faulty.  But mostly all the SP does for you is encapsulate a process.  If the process is sturdy and secure, you'll be fine with the outcomes whether or not you use stored procedures.  Some of the advantages are summarized here:
https://answers.yahoo.com/question/index;_ylt=AwrB89Nt2cZU71EAAQ5PmolQ?qid=20090611034518AAM5Evu

How many programmers are working on the project?  Are any of them security risks?
0
 

Author Comment

by:APD_Toronto
ID: 40573048
Just me
0
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 400 total points
ID: 40573991
That's good, because you can be 100% "trusted" with your own queries.  If there are novice programmers helping you, who need to use queries and you do not want them to do something goofy, the stored procedure path is potentially helpful.  There may also be some modest performance advantages, since the server does not have to recompile the queries.
0
 

Author Closing Comment

by:APD_Toronto
ID: 40580163
Thank you both.

Sorry for my inconsistent replies, it have been very hectic time for me.
0

Featured Post

Creating Instructional Tutorials  

For Any Use & On Any Platform

Contextual Guidance at the moment of need helps your employees/users adopt software o& achieve even the most complex tasks instantly. Boost knowledge retention, software adoption & employee engagement with easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article discusses how to create an extensible mechanism for linked drop downs.
There are times when I have encountered the need to decompress a response from a PHP request. This is how it's done, but you must have control of the request and you can set the Accept-Encoding header.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question