Questions about security

[The Praetorian]

I'm using a lot of php/sql stuff for my website, but very little of it actually involves forms. (The only forms I use are for email, so they're not connected to the database). How safe is the information on the sql database? Is it safe so long as I don't have any forms connected to the database?

[smiles]

dont have any form that allows viewer fill in ( they dont fill email but some code ) and the server implements itso I think you must eliminate what they filland one thing , your host must be good security

[Kristian_C]

I have about 100-200 forms on my website or more and i really aint so good to secure things Dont know how i can make it safer.. But this is more like forums/message systems/profiles/contacts +++ So its nothing a user can insert what ever he wants here and there... ->Kristian_C.

[boen_robot]

When there's interaction with a database, there's always risk. The thing is that you are secure when your checks are as boolean as possible. And when you have checks to begin with.If the input is directly used to check up the DB, then it's not secured.If it uses regular expression, security depends on how well the regular expression is.If an input is used in the query only on a certain hardcoded set of values, the form is most secured.

[Kristian_C]

Boolean? Its sometimes i get boolean errors or something named like that, what is that actually?->Kristian_C.

[boen_robot]

I'm not sure of the exact meaning, but it practically means "binary". A digit from the binary system that is.A binary digit is either 0 or 1. In machine's logic, this means "there's no electricity" or "there is electricity" respectively. In computer languages, this normally means "false" or "true" respectively.So what I mean by having boolean checks is that a check must have two possible outcomes of one case. A regular expression check may return true in one case and another one, but may also return true where it shouldn't, which is why it must be used with care, especially when dealing with sencetive data like usernames.On the other hand, a hardoded value may only return true in one case and false on everything else, but that's not exactly useful.For example

if($user == 'me')

will only return true if the $user is 'me'. There's no way to get more secure that that, but that's almost useless.

if(ereg('me|you',$user))

will return true only if the $user is 'me' or 'you'. More useful, still secured. However, hardcoding every possible vlaue like that can be very unefficient if you have... let's say 100+ possibilities. Not to mention impossible if you ask for something that can't be known in advance like email for instance.

[Kristian_C]

Okay, so its just to run checks on every thing, then its the safest it can be? ->Kristian_C.

[boen_robot]

Exactly. And limit the stuff only to what you know the application can handle. In other words: whitelist possibilities.

[Kristian_C]

Exactly. And limit the stuff only to what you know the application can handle. In other words: whitelist possibilities.

so etc :

if($_POST['login'] && $_POST['username'] && $_POST['password']){$username=$_POST['username'];$password=$_POST['password'];if(strlen($username =< 5) || strlen($username > 15)){echo"Invalid : Username";exit();}if(ereg('[^0-9^A-Za-z]', $username)){echo"Invalid : Username";exit();}$check=mysql_query("SELECT * FROM users WHERE username='$username'");$checkuser=mysql_num_rows($check);$checkpass=mysql_fetch_object($check);if($checkuser == 0){echo"No user with that name in the db";exit();}if($checkpass->password != $password){echo"Invalid : Password";exit();}if(ereg('[^0-9^A-Za-z]', $password)){echo"Invalid : Password";exit();}else{

------That whould then be safe? ->Kristian_C.

[boen_robot]

I would suggest that you reduce

if(strlen($username =< 5) || strlen($username > 15)){echo"Invalid : Username";exit();}if(ereg('[^0-9^A-Za-z]', $username)){echo"Invalid : Username";exit();}...if(ereg('[^0-9^A-Za-z]', $password)){echo"Invalid : Password";exit();}

to

if(ereg('[^0-9^A-Za-z]', $password) or ereg('^[0-9A-Za-z]{5,15}$', $username)){echo"Invalid username or passowrd";exit();}

And also reduce

if($checkuser == 0){echo"No user with that name in the db";exit();}if($checkpass->password != $password){echo"Invalid : Password";exit();}

to

if($checkuser == 0 or $checkpass->password !== $password){echo"Wrong username or password";exit();}

The reason is that attackers may try out different usernames and password combinations. If they know what they got right, they can only keep up guessing the other. Keeping the notification general means they'll need more time trying each username with every possible password.Btw, what passowrds exactly do you accept? It seems you have a very broad criteria. You accept every password as long as it begins with an alphanumeric character. This could be your downfall, scince everything else is uncontrollable. Try something like the username for example.

[Kristian_C]

Thanks ill remember that ..hehe, it was just a example my scripts aint like that at all actually ->Kristian_C.

[supertrucker]

Also, since I couldn't tell if you're doing so in your code or not already, you could encrypt your users passwords using MD5. Check it out on www.php.net and type md5 into the functions search box. That's what I use for encryping my users passwords, then you can use a simple check to see if a users password is correct, but their real password is actually an MD5 hash string stored in your database. Using MD5 for that sort of application is relatively easy.Peace,Supertrucker

[justsomeguy]

Boolean values are true/false, the name comes from computer scientist George Boole. Boolean logic or math is anything that deals with true/false values, such as equations using AND, OR, and NOT.The #1 thing with security and databases is the risk of SQL injection. Any of these are terribly unsecured:mysql_query("SELECT * FROM table WHERE id={$_GET['id']}");mysql_query("SELECT * FROM table WHERE id={$_POST['id']}");mysql_query("SELECT * FROM table WHERE id={$_REQUEST['id']}");mysql_query("SELECT * FROM table WHERE id={$_COOKIE['id']}");Data from the _GET, _POST, _REQUEST, and _COOKIE arrays should never (ever) (ever ever) be used directly in a SQL query. Do a Google search for "SQL injection" and read the wikipedia article to find out why. User-submitted data should always be transformed or cleaned before using it in a query. If the data is text or string data, then the function mysql_real_escape_string will clean it for you. If the data should be a number, then the intval function will clean integers and the floatval function will clean floating-point numbers.These same rules apply to other things such as files or system commands. You should never (ever) (ever ever) use user-submitted data directly into a command to delete a file, display a file, execute a system command, etc. If you are using user-submitted data for any of these tasks, then post your code and a URL of it running online and I'll show you exactly why that's a bad idea. Hosting scripts with these vulnerabilities on your web space is enough to get several hosts to suspend your account.