Longhorn PHP 2019 Schedule

湖北工商公式:Database Security

Table of Contents

湖北十一选五官网 www.na503.cn Nowadays, databases are cardinal components of any web based application by enabling websites to provide varying dynamic content. Since very sensitive or secret information can be stored in a database, you should strongly consider protecting your databases.

To retrieve or to store any information you need to connect to the database, send a legitimate query, fetch the result, and close the connection. Nowadays, the commonly used query language in this interaction is the Structured Query Language (SQL). See how an attacker can tamper with an SQL query.

As you can surmise, PHP cannot protect your database by itself. The following sections aim to be an introduction into the very basics of how to access and manipulate databases within PHP scripts.

Keep in mind this simple rule: defense in depth. The more places you take action to increase the protection of your database, the less probability of an attacker succeeding in exposing or abusing any stored information. Good design of the database schema and the application deals with your greatest fears.

add a note add a note

User Contributed Notes 4 notes

up
-6
x12code at yahoo dot com
11 years ago
About offloading business logic to views and queries facilitated by the database engine, I seek to avoid this as much as possible, and only do so when such would drastically improve efficiency and user response time.

For instance, where I am there is database staff and application staff. Trying to do analysis on existent applications can easily become a snipe hunt.

The database should be kept discreet as much as possible from the application, such that any database or database provider can easily be substituted with a minimum of cognitive effort on the part of the one setting up a new database. If functionality has been offloaded to the database, additional testing is required to make sure triggers and views were done correctly, again, and that they work right.

Also, keeping all business logic with the application allows all functionality and documentation to be readable in one place, which is invaluable when doing subsequent analysis on an existing application. The worst thing is to have functionality scattered here and there.

Keeping everything with the application means one group of people is responsible, as in my case, application staff. Fewer requests go back and forth. Remember, anytime someone else is brought into the picture, such as asking a DBA to create a view or trigger for you, that DBA must take responsibility over his or her work, with whatever requirements, causing more bureaucracy and administrative complexity.
up
-25
Chris Travers
6 years ago
Regarding where to put logic, it's really best not to be dogmatic about this.  Putting logic in the db can have some security advantages but it has other security gotchas (for example, SQL injection inside a stored procedure may be possible in some environments).  Similarly it can have some portability advantages and disadvantages.

The real question is that you want to ask what you want to be portable.  If you put it in the db, it becomes easier to integrate programs written in different development environments with a minimum of security gotchas.  If you put it in the application, then you have to create the interfaces on that level in middleware.  Both approaches are doable.  On the other hand if you are writing software you want to be deployable in MS SQL shops and Oracle shops, then you have to write portable SQL (avoiding gotchas) and put the logic in the application.

When we started rewriting the LedgerSMB codebase, we decided to move logic into the db because this would make it easier to retrofit security onto a very insecure codebase (by not trusting the application), and because we wanted to support languages other than Perl.  A few years later this is bearing fruit and indeed I am reading the manual because I am writing integration libraries in PHP.  I am not much of a PHP guy (I haven't programmed PHP since PHP 4.x) but I can write modules that let folks write code to interface securely with LedgerSMB's database logic.  You can think of the stored procedures as being named queries which are shared between applications, or as API's to the database.  But again, this approach is not universally applicable.

If portability between db's is not a major requirement, then I think the best approach is to do as much as possible in SQL queries and put those in the database.  A couple hundred lines of SQL can replace a couple thousand lines in Perl or PHP, and is fundamentally easier to debug.  Of course that won't work for everyone.
up
-37
Anonymous
13 years ago
you can also chamge CHMOD for some file containing "user names" or "passwords"
up
-40
Dave Martin
11 years ago
The posting below is at the very best extremely POV.

There is no more reason to assume you would want to change database vendor than there is to assume you might want to port your php code to Java for example. In either case, its going to be a matter of luck where your business rules sit.

Even if your business rules sit in your application, SQL is NOT portable. Oracle outer joins and pivot queries for example, can look completely different to those in other vendors software (particularly from 8i or lower). This fact alone means that changing your DB vendor requires work on your business rules either in the database or in the application.

Having your rules in the database and keeping the sql in application simple, will at least keep the work in the database if you need to change DB vendor. If you have the rules in the PHP, you'll have to change both.
To Top
  • 股票买卖中不可忽略的大宗交易数据(上) 2019-02-19
  • "央企暖男"与108名抗战老兵:向他们致以年轻一代的敬意 2019-02-19
  • 学生补课累到不行 网友:节假日都不休息 2019-02-19
  • 世界杯期间夜猫子吃什么好 这是有讲究的 2019-02-19
  • 一切腐败分子和一切为钱的各种违法犯罪高发:1、不是来自从无偿占有一个鸡蛋私心开始,而是从私有制社会存开始,因为占有他人一个鸡蛋的私有观念欲望,是从社会存在产生派 2019-02-18
  • 推进58个重点项目 杭州加快钱塘江金融港湾建设 2019-02-18
  • 高清:C罗帽子戏法科斯塔梅开二度 葡萄牙3 2019-02-18
  • 美国再挑贸易战,中方强力回击,全球市场跌声一片 2019-02-17
  • 内政部长威胁“单飞”,联盟党闹分裂,默克尔或下台? 2019-02-17
  • 看来“无名小卒也”这样的网民在公有制企业里有一大批,那么公有制企业一定会发展的快,搞的好,呵呵。 2019-02-17
  • 视频:太原蒙山景区举办首届蒙山春节庙会 2019-02-16
  • 习近平会见美国国务卿蓬佩奥 2019-02-16
  • [酷]中国天翻地复的变化确实惊人 2019-02-15
  • 王烜:当心单边主义在全球圈粉 2019-02-15
  • 端午假期虎门大桥最易拥堵 2019-02-15
  • 531| 861| 103| 394| 226| 285| 688| 702| 127| 441|