sql injections/best practices
on 07.11.2008 18:01:22 by Mignon Hunter
I am trying to find some definitive best practices on database connections with php on both mysql and oracle.

I'm starting to redesign a corporate website and am trying to find out more about security and the best practices for database queries and user input form handling.

For example - what's the best usage - prepared statements? And does it have to be php 5? I need preferably a one stop shop as opposed to looking at dozens of different places. Can you advise a particular book? Website?

I have checked out the security area on the php manual and some users notes - some were useful. But it didn't really have a lot of info and I don't think it is comprehensive or all inclusive.

Thanks in advance. PS I would like to switch the current site from jsp to php. I was going to look into Zend IDE. Comments? Suggestions?

thanks
Re: sql injections/best practices
on 08.11.2008 00:39:18 by Christopher Jones
mignon hunter wrote:
> I am trying to find some definitive best practices on database connections with php on both mysql and oracle.
>
> I'm starting to redesign a corporate website and am trying to find out more about security and the best practices for database queries and user input form handling.
>
> For example - what's the best usage - prepared statements? And does it have to be php 5? I need preferably a one stop shop as opposed to looking at dozens of different places. Can you advise a particular book? Website?
>
> I have checked out the security area on the php manual and some users notes - some were useful. But it didn't really have a lot of info and I don't think it is comprehensive or all inclusive.
>
> Thanks in advance. PS I would like to switch the current site from jsp to php. I was going to look into Zend IDE. Comments? Suggestions?
>
> thanks
PHP 5.2 is the way to go for new projects: PHP 4 isn't being
maintained.
Binding/preparing statements is the way to go. Here are quotes about
them with MySQL & Oracle
"They are useful for speeding up execution when you are performing
large numbers of the same query with different data. They also
protect against SQL injection-style attacks." (From "PHP and
MySQL Web Development", 4th Edition, Luke Welling and Laura
Thomson)
"If I were to write a book about how to build nonscalable [note
the NON] Oracle applications, then 'Don't Use Bind Variables'
would be the title of the first and last chapters. [...] If you
want to make Oracle run slowly [...] just refuse to use bind
variables" (From "Expert Oracle Database Architecture", Tom Kyte)
Depending on the site needs, consider a DB abstraction layer or a
framework.
For high performance connections in PHP OCI8 for Oracle, use
oci_pconnect() and pass the character set.
There are a number of Oracle-PHP books available. One free,
introductory one is the "Underground PHP & Oracle Manual",
http://tinyurl.com/f8jad (A new edition will be released in the next
couple of weeks)
Chris
--
Email: christopher.jones@oracle.com Tel: +1 650 506 8630
Twitter: http://twitter.com/ghrd Free PHP Book: http://tinyurl.com/f8jad
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
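The bind-variable approach Chris recommends, shown for both databases he names: PDO for MySQL and OCI8 for Oracle, with oci_pconnect() given an explicit character set. This is an added illustration, not code from the thread; the credentials, connect string and `users` table are placeholders.

```php
<?php
// Vulnerable pattern, for contrast only (never run it with untrusted input):
//   $sql = "SELECT name FROM users WHERE id = " . $_GET['id'];
// A value such as  1 OR 1=1  becomes part of the SQL text and changes the query.

// Placeholder credentials, not real ones.
const DB_USER = 'app_user';
const DB_PASS = 'app_password';

// Validate before use: the id must be a string of digits.
function requireDigits(string $raw): string {
    if (!preg_match('/^[0-9]{1,10}$/', $raw)) {
        throw new InvalidArgumentException('id must be numeric');
    }
    return $raw;
}

// MySQL via PDO: the statement is prepared server-side and the value travels
// separately, so it can never be parsed as SQL.
function findUserMysql(PDO $pdo, string $rawId): ?array {
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $stmt = $pdo->prepare('SELECT name, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) requireDigits($rawId), PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Oracle via OCI8: persistent connection with the character set named
// explicitly; the bind variable both blocks injection and lets Oracle reuse
// the parsed plan, which is Tom Kyte's point in the quote above.
function findUserOracle(string $rawId): ?array {
    $conn = oci_pconnect(DB_USER, DB_PASS, 'localhost/XE', 'AL32UTF8');
    if ($conn === false) {
        $e = oci_error();
        throw new RuntimeException('connect failed: ' . $e['message']);
    }
    $id = requireDigits($rawId);                       // bound by reference below
    $stmt = oci_parse($conn, 'SELECT name, email FROM users WHERE id = :id');
    oci_bind_by_name($stmt, ':id', $id);
    if (!oci_execute($stmt)) {
        $e = oci_error($stmt);
        throw new RuntimeException('query failed: ' . $e['message']);
    }
    $row = oci_fetch_assoc($stmt);
    oci_free_statement($stmt);
    return $row === false ? null : $row;
}
```

Both functions reject non-numeric ids before the database is touched, so an injection attempt fails validation first and the bind variable is the second line of defence.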
Re: sql injections/best practices
on 08.11.2008 19:42:45 by Fergus Gibson
On Fri, Nov 7, 2008 at 3:39 PM, Christopher Jones wrote:
>
> mignon hunter wrote:
>> I am trying to find some definitive best practices on database
>> connections with php on both mysql and oracle.
Most security issues come back to a simple concept. Assume anything
in your scripts that is not a constant or literal to be a threat.
That means any and all user submitted data is a potential attack.
Ideally you should also assume that any and all data read in from the
database or files is a potential attack. Assume everything is
"tainted". Your job then is to "clean" any and all input through
inspection and filtering before you use it.
I recommend the book "Essential PHP Security" by Chris Shiflett (ISBN
0-596-00656-X). It deals with database security and more.
I would be happy to go into more detail on this or provide examples if
it would be helpful.
>> For example - what's the best usage - prepared statements? And does it
>> have to be php 5? I need preferably a one stop shop as opposed to looking at
>> dozens of different places. Can you advise a particular book? Website?
Prepared statements will prevent SQL injection, but that is only one
potential vector for attack. Keep in mind too that prepared
statements are not necessary to prevent SQL injection and they aren't
always the most appropriate way to do it. That said, they are the
simplest way to protect your database.
I'll outline a way that a database was used to attack an application.
The attack wasn't particularly dangerous, but it was embarrassing for
the company involved. In this case, the application took form input
from a site visitor and saved it in the database. Then the site owner
could retrieve the input and view it. Unfortunately, some visitors
decided to put