Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Injections and SEcurity

Posted on 2015-01-26
8
Medium Priority
?
60 Views
Last Modified: 2015-01-30
Hi Experts,

This is just to summarize http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/Q_28597002.html

Basically, if I use PDO with Parametrized queries, will it be safe to assume that I am protected against injections and other security breaches?

As well, do using stored procedures help, hurt, or all the same?

Thank you
0
Comment
Question by:APD_Toronto
  • 4
  • 3
8 Comments
 
LVL 32

Assisted Solution

by:Daniel Wilson
Daniel Wilson earned 400 total points
ID: 40571542
Injections, yes.

Other security breaches, nothing seems ever safe to assume. :(
0
 

Author Comment

by:APD_Toronto
ID: 40571589
What other security breaches are there?
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 40571673
What other security breaches are there?
This is a hard question to answer, so I'm going to recommend that you not ask it.  Let me explain...

The security field is constantly morphing in response to changing attacks and threats.  If you want to try to stay up-to-date, join OWASP and become active in the community.  If that seems like a lot of work, you can subscribe to their blogs and feeds.

PHP has its own Security Section.

Now to this question you should not ask... The reason this is a bad question is that it puts you on the defensive, constantly trying to defend against the morphing threats.  A better way to think about the problem is to ask, "What are the acceptable known good values that I am willing to let others inject into my database?"  If you filter all external input with rules that will only pass acceptable values, you will be fine.  Expect an integer?  Check to see if the input looks like an integer!  PHP provides a collection of filters, and you can write your own, too.  I would recommend a hard-and-fast programming practice that filtered every external input without exception.  If any of the external inputs fail the filter, discard the external input!  (You can do this nicely with messages to the client).  Test your filters with an automated testing tool like PHPUnit.  And be mindful of edge cases.

There's a QA joke that goes like this.  A QA engineer walks into a bar.  Orders a beer.  Orders 2 beers.  Orders -17 beers.  Orders the square root of -1 beers.  Orders  2^31-1 beers.  Orders a slevischik...  If your bartender has a good sense of what beer orders can be filled, you'll never have problems handling the occasional tough customer.
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 

Author Comment

by:APD_Toronto
ID: 40571700
As well, do using stored procedures help, hurt, or all the same?
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 40571711
Stored procedures can help, inasmuch as there is a reduced risk that your filtering strategy was faulty.  But mostly all the SP does for you is encapsulate a process.  If the process is sturdy and secure, you'll be fine with the outcomes whether or not you use stored procedures.  Some of the advantages are summarized here:
https://answers.yahoo.com/question/index;_ylt=AwrB89Nt2cZU71EAAQ5PmolQ?qid=20090611034518AAM5Evu

How many programmers are working on the project?  Are any of them security risks?
0
 

Author Comment

by:APD_Toronto
ID: 40573048
Just me
0
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 1600 total points
ID: 40573991
That's good, because you can be 100% "trusted" with your own queries.  If there are novice programmers helping you, who need to use queries and you do not want them to do something goofy, the stored procedure path is potentially helpful.  There may also be some modest performance advantages, since the server does not have to recompile the queries.
0
 

Author Closing Comment

by:APD_Toronto
ID: 40580163
Thank you both.

Sorry for my inconsistent replies, it have been very hectic time for me.
0

Featured Post

NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This post looks at MongoDB and MySQL, and covers high-level MongoDB strengths, weaknesses, features, and uses from the perspective of an SQL user.
There are times when I have encountered the need to decompress a response from a PHP request. This is how it's done, but you must have control of the request and you can set the Accept-Encoding header.
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
Suggested Courses

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question