Solved

Injections and Security

Posted on 2015-01-26
Last Modified: 2015-01-30
Hi Experts,

This is just to summarize http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/Q_28597002.html

Basically, if I use PDO with parameterized queries, will it be safe to assume that I am protected against injections and other security breaches?

As well, does using stored procedures help, hurt, or is it all the same?

Thank you
Question by:APD Toronto

LVL 32

Assisted Solution

by:Daniel Wilson
Daniel Wilson earned 400 total points
ID: 40571542
Injections, yes.

Other security breaches, nothing seems ever safe to assume. :(
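An added example, not code from either answer in this thread, of what the "yes" on injections rests on: the same hostile input is sent once through a string-built query and once through a PDO prepared statement. It uses PDO's SQLite driver with an in-memory database so it runs without a server; the table, its rows and the payload are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): string-built query vs. PDO prepared
// statement, run against a constructed in-memory SQLite table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed hostile input: a classic tautology payload.
$input = "nobody' OR '1'='1";

// UNSAFE: the input is pasted into the SQL text, so the quote in it closes the
// literal and the rest is parsed as part of the WHERE clause.
function findUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// SAFE: the SQL text is fixed before the value is supplied. The whole input,
// quote included, is compared as one string against the name column.
function findSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

echo "string-built query:\n";
var_dump(findUnsafe($db, $input));

echo "prepared statement:\n";
var_dump(findSafe($db, $input));
```

Run it with `php example.php`. In the string-built version the WHERE clause becomes `name = 'nobody' OR '1'='1'`, which is true for every row, so the query returns both users; the bound version looks for a user literally named `nobody' OR '1'='1` and matches nothing. Two caveats the thread does not raise: binding only covers values, so table and column names, ORDER BY columns and similar identifiers still have to be checked against a whitelist; and with the MySQL driver it is worth setting `PDO::ATTR_EMULATE_PREPARES` to false so that the server does the binding rather than the client doing quoting on its behalf.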
 

Author Comment

by:APD Toronto
ID: 40571589
What other security breaches are there?
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 40571673
What other security breaches are there?
This is a hard question to answer, so I'm going to recommend that you not ask it.  Let me explain...

The security field is constantly morphing in response to changing attacks and threats.  If you want to try to stay up-to-date, join OWASP and become active in the community.  If that seems like a lot of work, you can subscribe to their blogs and feeds.

PHP has its own Security Section.

Now to this question you should not ask... The reason this is a bad question is that it puts you on the defensive, constantly trying to defend against the morphing threats.  A better way to think about the problem is to ask, "What are the acceptable known good values that I am willing to let others inject into my database?"  If you filter all external input with rules that will only pass acceptable values, you will be fine.  Expect an integer?  Check to see if the input looks like an integer!  PHP provides a collection of filters, and you can write your own, too.  I would recommend a hard-and-fast programming practice that filtered every external input without exception.  If any of the external inputs fail the filter, discard the external input!  (You can do this nicely with messages to the client).  Test your filters with an automated testing tool like PHPUnit.  And be mindful of edge cases.

There's a QA joke that goes like this.  A QA engineer walks into a bar.  Orders a beer.  Orders 2 beers.  Orders -17 beers.  Orders the square root of -1 beers.  Orders  2^31-1 beers.  Orders a slevischik...  If your bartender has a good sense of what beer orders can be filled, you'll never have problems handling the occasional tough customer.
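A worked version of the filtering rule in the comment above, as an added example and not code from the thread: every external value is checked against a rule that describes acceptable input, and anything that fails is rejected rather than repaired. The beer orders from the QA joke are used as the test inputs; the numeric range and the list of sortable columns are assumptions made for this illustration. PHP's `filter_var()` does the integer checks.

```php
<?php
// Added example (not from the thread): "known good" input filtering in PHP.
// Each filter returns the validated value, or null when the input fails.

// A quantity between 1 and 99 (the range is an assumption for this example).
// FILTER_VALIDATE_INT rejects anything that is not a plain decimal integer,
// and the options reject integers outside the range.
function filterQuantity(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 99],
    ]);
    return $v === false ? null : $v;
}

// A sort column. Identifiers cannot be bound as PDO parameters, so the only
// acceptable values are the ones listed here (an assumed set of columns);
// the raw string itself is never used, only the whitelisted copy.
function filterSortColumn(string $raw): ?string
{
    $allowed = ['name', 'created_at'];
    return in_array($raw, $allowed, true) ? $raw : null;
}

// Constructed test inputs: the beer orders from the QA joke plus a few other
// shapes a tester would try.
$orders = [
    '1', '2', '-17', 'sqrt(-1)', '2147483647', 'slevischik',
    '3.0', '', '7; DROP TABLE beers',
];
foreach ($orders as $o) {
    $q = filterQuantity($o);
    printf("%-24s %s\n", var_export($o, true),
        $q === null ? 'rejected' : "accepted as $q");
}

// Only a whitelisted column name ever reaches an ORDER BY clause; anything
// else is refused before any SQL is built.
foreach (['name', 'created_at', 'name; DROP TABLE users'] as $col) {
    printf("%-24s %s\n", var_export($col, true),
        filterSortColumn($col) === null ? 'rejected' : 'allowed');
}
```

The point of returning null instead of a "corrected" value is that the caller has to decide what to do with a bad input (typically refuse the request and tell the client), which is the "discard the external input" rule from the comment. Each filter is a small pure function, so a PHPUnit test can feed it exactly the list above and assert which entries are accepted.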

Author Comment

by:APD Toronto
ID: 40571700
As well, does using stored procedures help, hurt, or is it all the same?
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 40571711
Stored procedures can help, inasmuch as there is a reduced risk that your filtering strategy was faulty.  But mostly all the SP does for you is encapsulate a process.  If the process is sturdy and secure, you'll be fine with the outcomes whether or not you use stored procedures.  Some of the advantages are summarized here:
https://answers.yahoo.com/question/index;_ylt=AwrB89Nt2cZU71EAAQ5PmolQ?qid=20090611034518AAM5Evu

How many programmers are working on the project?  Are any of them security risks?
 

Author Comment

by:APD Toronto
ID: 40573048
Just me
 
LVL 111

Accepted Solution

by:Ray Paseur
Ray Paseur earned 1600 total points
ID: 40573991
That's good, because you can be 100% "trusted" with your own queries.  If there are novice programmers helping you, who need to use queries and you do not want them to do something goofy, the stored procedure path is potentially helpful.  There may also be some modest performance advantages, since the server does not have to recompile the queries.
 

Author Closing Comment

by:APD Toronto
ID: 40580163
Thank you both.

Sorry for my inconsistent replies, it has been a very hectic time for me.
