First site: What do I need to secure database?
varois83

2005-01-23, 7:20 pm

Hi

I am in the process of creating a website to practice my modest
HTML,CSS and PHP skills.
All the CSS and html is up and have started working on PHP. I am 75%
done creating a guestbook, pretty much working on validation and it
will be ready.
My webhost uses cPanel and MySQL; what are the things I need to make
sure of to prevent hackers from messing up my database?
Thanks a lot for your help

Patrick

Matt Probert

2005-01-23, 7:20 pm

Once upon a time, far far away, the king summoned "varois83"
<varois83@netzero.net> who replied:

>Hi
>
>I am in the process of creating a website to practice my modest
>HTML,CSS and PHP skills.
>All the CSS and html is up and have started working on PHP. I am 75%
>done creating a guestbook, pretty much working on validation and it
>will be ready.
>My webhost uses cPanel and MySQL; what are the things I need to make
>sure of to prevent hackers from messing up my database?
>Thanks a lot for your help
>
>Patrick
>


Bear in mind that the ONLY way to prevent a hacker accessing and
"messing up" your database is to store the hard drive, disconnected,
in a vault at a reputable bank.

In the real world, ANY system can be hacked. Perhaps in your case the
best idea would be to have a reliable copy of the database (a
"backup") stored offline, which could then be used to quickly repair
any damage inflicted, should an attack take place.

Matt

--
Free, high quality content for web sites. See
http://www.probertencyclopaedia.com/xcont.htm
William Tasso

2005-01-23, 7:20 pm

Matt Probert wrote:
> ...
> reputable bank.


eeek - two oxymorons in one day :)

/goes back to work

--
William Tasso
varois83

2005-01-23, 7:20 pm

Hi

OK, thanks. Maybe I should rephrase my original post:

What simple things do I have to do to prevent stupid things from happening
to my database? I understand that real hackers penetrating sites like
NASA I will not worry about, as they won't care about my site and if
they do there is nothing I can do about it.
As far as passwords, permissions, form field length limits and all that
basic stuff, what has to be done?

Thanks again

Patrick

Chris Hope

2005-01-23, 7:20 pm

varois83 wrote:

> OK, thanks. Maybe I should rephrase my original post:
>
> What simple things do I have to do to prevent stupid things from
> happening to my database? I understand that real hackers penetrating
> sites like NASA I will not worry about, as they won't care about my
> site and if they do there is nothing I can do about it.
> As far as passwords, permissions, form field length limits and all
> that basic stuff, what has to be done?


There's not much *you* can do about the security of the server when you
are using a webhost, but as far as the coding of the site goes here are
some ideas:

Store the passwords in the database in a hashed form instead of as plain
text, e.g. apply an md5 hash to the password and save that. When you
compare the user's password with what's in the database, apply the same
hash to it before the comparison.

*Never* trust data submitted from a form. Validate it and ensure it is
the type of data you are expecting (e.g. numeric value, string value) and
escape it for special characters such as single and double quotes if
it's a string. With PHP and MySQL there are www.php.net/addslashes,
www.php.net/mysql_escape_string and www.php.net/mysql_real_escape_string

If you don't need to delete any database records in the website and you
have the ability to change the permissions for your mysql access, set
the login you use for the website to only have select, insert and
update permissions. That way even if something does go horribly wrong
no data can be deleted.

--
Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/
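
Added example, not code from the thread: how the three points above look in PHP with mysqli. Prepared statements and password_hash()/password_verify() stand in for the addslashes/mysql_real_escape_string and md5 calls the post names (those were the tools available in 2005); the table, column and account names and the GRANT statement's database name are assumptions.

```php
<?php
// Added example, not code from the thread: a guestbook handler applying Chris
// Hope's three points. Table, column and account names are assumptions.
// 3) Least privilege: the web account may SELECT, INSERT and UPDATE but never
//    DELETE. Run once as the MySQL admin (database and user names assumed):
//      GRANT SELECT, INSERT, UPDATE ON guestbook_db.* TO 'gb_web'@'localhost';
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'gb_web', 'gb_web_password_here', 'guestbook_db');
$db->set_charset('utf8mb4');

// 2) Never trust form data: check type, encoding and length before using it.
function clean_field(array $post, string $name, int $max): string
{
    $value = $post[$name] ?? '';
    if (!is_string($value) || !mb_check_encoding($value, 'UTF-8')) {
        throw new InvalidArgumentException("$name: not a valid UTF-8 string");
    }
    $value = trim($value);
    if ($value === '' || mb_strlen($value) > $max) {
        throw new InvalidArgumentException("$name: empty or longer than $max");
    }
    return $value;
}

function add_entry(mysqli $db, array $post): int
{
    $name = clean_field($post, 'name', 40);
    $msg  = clean_field($post, 'message', 1000);
    // Bound parameters rather than addslashes(): the values never become part
    // of the SQL text, so quotes inside them cannot alter the query.
    $stmt = $db->prepare('INSERT INTO guestbook (name, message) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $msg);
    $stmt->execute();
    return (int) $db->insert_id;
}

// 1) Store only a hash of the admin password. password_hash() (salted bcrypt,
//    slow by design) is used here in place of the md5 the post mentions.
function store_admin(mysqli $db, string $user, string $pw): void
{
    $hash = password_hash($pw, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO admins (username, pw_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $user, $hash);
    $stmt->execute();
}

function check_admin(mysqli $db, string $user, string $pw): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM admins WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // null when no such user
    return $row !== null && password_verify($pw, $row['pw_hash']); // salt lives in the hash
}
```
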
Charles Sweeney

2005-01-23, 11:18 pm

varois83 wrote

> Hi
>
> OK, thanks. Maybe I should rephrase my original post:
>
> What simple things do I have to do to prevent stupid things from
> happening to my database? I understand that real hackers penetrating
> sites like NASA I will not worry about, as they won't care about my
> site and if they do there is nothing I can do about it.
> As far as passwords, permissions, form field length limits and all
> that basic stuff, what has to be done?


Make regular backups, at least if you do get compromised you can fall
back on these.

You should write your PHP in such a way that it is difficult for someone
to inject SQL commands. Perhaps better to check out the archive of PHP
groups for this; there has been a lot written about it, and a lot of
paranoia too.

You have things like REGISTER GLOBALS off, which can make it more
difficult to compromise a script. Don't use obvious variable names.
Instead of $password use $kl9dd73k etc.

--
Charles Sweeney
http://CharlesSweeney.com
Norman L. DeForest

2005-01-23, 11:18 pm


On Mon, 24 Jan 2005, Chris Hope wrote:

> varois83 wrote:
>
>
> There's not much *you* can do about the security of the server when you
> are using a webhost, but as far as the coding of the site goes here are
> some ideas:
>
> Store the passwords in the database in a hashed form instead of as plain
> text, [...]

[snip]
> *Never* trust data submitted from a form. Validate it and ensure it is
> the type of data you are expecting (eg numeric value, string value) and
> escape it for special characters such as single and double quotes if
> it's a string. With PHP and mysql there are www.php.net/addslashes
> www.php.net/mysql_escape_string & www.php.net/mysql_real_escape_string


Yes. Murphy's Law as it applies to cgi scripts:

If it CAN be abused, it WILL be abused.

If you support UTF-8, check for improperly-encoded special characters
in the UTF-8 as well. For example, if you are checking for the back-quote
character, ` (character decimal 96, hexadecimal 60, binary 01100000)
be sure to check for these invalid UTF-8 encodings of that character
as well:

Binary 11000001 10100000
Hexadecimal C1 A0
Decimal 193 160

Binary 11100000 10000001 10100000
Hexadecimal E0 81 A0
Decimal 224 129 160

Binary 11110000 10000000 10000001 10100000
Hexadecimal F0 80 81 A0
Decimal 240 128 129 160

Binary 11111000 10000000 10000000 10000001 10100000
Hexadecimal F8 80 80 81 A0
Decimal 248 128 128 129 160

Binary 11111100 10000000 10000000 10000000 10000001 10100000
Hexadecimal FC 80 80 80 81 A0
Decimal 252 128 128 128 129 160

See Section 6 of rfc 2279, "UTF-8, a transformation format of ISO 10646"
http://www.packetizer.com/rfc/rfc.cgi?num=2279

> If you don't need to delete any database records in the website and you
> have the ability to change the permissions for your mysql access, set
> the login you use for the website to only have select, insert and
> update permissions. That way even if something does go horribly wrong
> no data can be deleted.


Some vulnerabilities to avoid and techniques for avoiding them and others:

"Jason Maloney's CGI Guestbook Remote Command Execution Vulnerability."
http://lists.virus.org/bugtraq-0312/msg00003.html

"EasyBoard 2000 Remote Buffer Overflow Vulnerability"
http://lists.virus.org/bugtraq-0202/msg00157.html

"The Twenty Most Critical Internet Security Vulnerabilities"
http://cis.tamu.edu/security/isf/no.../SANSTop20.html

"Security techniques every programmer should know"
http://perlmonks.thepen.com/417490.html

--
Norman De Forest http://www.chebucto.ns.ca/~af380/Profile.html
af380@chebucto.ns.ca [=||=] (A Speech Friendly Site)
My Usenet 2005 calendar: http://www.chebucto.ns.ca/~af380/Year-2005.txt
For explanation: http://www.chebucto.ns.ca/~af380/Links.Books.html#TandD
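
A strict UTF-8 check that rejects the overlong forms listed above, added here as an example (not from Norman's post or from any library). It follows RFC 3629, the successor to RFC 2279, which limits UTF-8 to four bytes, so the F8 and FC sequences fail on their lead byte rather than as overlong encodings; the test inputs at the end are constructed from the back-quote encodings in the post.

```php
<?php
// Added example, not code from the thread: a strict UTF-8 validator that
// rejects the overlong encodings Norman lists. It follows RFC 3629 (the
// successor to RFC 2279), which caps UTF-8 at four bytes, so the 5- and
// 6-byte forms fail on their lead byte (F8..FF are never valid).
function strict_utf8_ok(string $s): bool
{
    $len = strlen($s);
    for ($i = 0; $i < $len; $i += $need + 1) {
        $b = ord($s[$i]);
        // The lead byte fixes how many continuation bytes follow and the
        // smallest code point that legitimately needs that many bytes.
        if ($b < 0x80)                { $need = 0; $cp = $b;        $min = 0x0; }
        elseif (($b & 0xE0) === 0xC0) { $need = 1; $cp = $b & 0x1F; $min = 0x80; }
        elseif (($b & 0xF0) === 0xE0) { $need = 2; $cp = $b & 0x0F; $min = 0x800; }
        elseif (($b & 0xF8) === 0xF0) { $need = 3; $cp = $b & 0x07; $min = 0x10000; }
        else { return false; }        // stray continuation byte, or F8..FF lead
        if ($i + $need >= $len) { return false; }   // truncated sequence
        for ($k = 1; $k <= $need; $k++) {
            $c = ord($s[$i + $k]);
            if (($c & 0xC0) !== 0x80) { return false; }  // not a continuation byte
            $cp = ($cp << 6) | ($c & 0x3F);
        }
        // Overlong: the code point has a shorter encoding, e.g. C1 A0 for 0x60.
        if ($cp < $min) { return false; }
        // UTF-16 surrogates and anything above U+10FFFF never appear in UTF-8.
        if (($cp >= 0xD800 && $cp <= 0xDFFF) || $cp > 0x10FFFF) { return false; }
    }
    return true;
}

// Constructed inputs: the back-quote (0x60) in its single valid form, the five
// overlong forms from the post, a correctly encoded "café", and a cut-off byte.
$cases = [
    ["`",                        true],
    ["\xC1\xA0",                 false],
    ["\xE0\x81\xA0",             false],
    ["\xF0\x80\x81\xA0",         false],
    ["\xF8\x80\x80\x81\xA0",     false],
    ["\xFC\x80\x80\x80\x81\xA0", false],
    ["caf\xC3\xA9",              true],
    ["\xC3",                     false],
];
foreach ($cases as [$input, $expected]) {
    if (strict_utf8_ok($input) !== $expected) {
        throw new RuntimeException('unexpected result for ' . bin2hex($input));
    }
}
echo "all cases behaved as expected\n";
```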

varois83

2005-01-24, 7:21 pm

Hi

Norman, Charles and Chris thanks for the kind help, I guess what you
provided me with should keep me busy for a while.

Regards

Patrick

Charles Sweeney

2005-01-24, 7:21 pm

varois83 wrote

> Hi
>
> Norman, Charles and Chris thanks for the kind help, I guess what you
> provided me with should keep me busy for a while.


For a while anyway! As usual in this business, there isn't one simple
answer!

--
Charles Sweeney
http://CharlesSweeney.com