Dabbling into PHP and MySQL lately. Basically I do user logins, CRUD of accounts, etc. Was wondering if there's any experienced PHP coders here that can recommend me some PHP security best practices / frameworks.
Currently I have to manually check sessions for valid logins and constantly ref the database to see if a user is accessing something he has rights to access. Are there better ways to do this?
Just wondering... are there any free servers to host php scripts?
I don't really use much of PHP frameworks, but the ones which are well-known would be CakePHP and Symfony.
http://en.wikipedia.org/wiki/Cakephp
http://en.wikipedia.org/wiki/Symfony
And I assume you already know the basics like using the $_SESSION array variable for your logins, right? Hmm...I don't think there is any way getting around the issue you have mentioned if your project has many different areas with different users who are granted access to. But doing it with an OO-approach may make your work much simpler.
Originally posted by eagle: Just wondering... are there any free servers to host php scripts?
Err, I think there are tons of free web hosts out there that support PHP. It just takes some time to google and filter the good ones out. Or if your scripts don't use up much resources, you can contact me about it.
I just need place to host a php site for sending out emails... Cuz I'm currently trying to implement a shopping cart for future use.
Edit: Say wrongly... Perl script...
Originally posted by eagle: I just need place to host a php site for sending out emails... Cuz I'm currently trying to implement a shopping cart for future use.
Edit: Say wrongly... Perl script...
Check your PM mailbox.
What about security from SQL Injection Strings? So far I've tried some cheeky ones in my fields and it seems that PHP is smart enough to use escape characters whenever they appear.
' OR 1=1;
It's able to form it like this by adding its own escape characters.
eg, Select * from tablename where value = '\' OR 1=1;';
Returns empty result set.
So by default it seems that escape characters \ are added to ANY potentially dangerous characters. Very interesting.
Any more strings I should try?
Originally posted by Shotgun: What about security from SQL Injection Strings? So far I've tried some cheeky ones in my fields and it seems that PHP is smart enough to use escape characters whenever they appear.
' OR 1=1;
It's able to form it like this by adding its own escape characters.
eg, Select * from tablename where value = '\' OR 1=1;';
Returns empty result set.
So by default it seems that escape characters \ are added to ANY potentially dangerous characters. Very interesting.
Any more strings I should try?
Erm. It's magic_quotes_gpc. It automatically escapes those potentially dangerous characters from the user input before they are available in your script.
http://sg.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc
And, please note that "This feature is DEPRECATED and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged."
In fact, it's a pain in the ass most of the time since you will have to remove the extra slashes from the input data if it needs to be processed prior to saving it into the database. If you would like to reduce the possibility of an SQL injection to the minimum, use PHP's filter functions and prepared SQL statements instead. Or simply escape them each time before you sandwich the data in a SQL statement with mysql_real_escape_string().
http://sg.php.net/manual/en/ref.filter.php
http://sg.php.net/manual/en/function.mysqli-prepare.php
http://sg.php.net/manual/en/function.mysql-real-escape-string.php
Oh man.. prepared statements again. Using prepared statements for JSP was a pain in the ass and now PHP...?
PreparedStatements added a good 50+ lines to my code, and with these other projects with almost 40-50 fields, it's gonna triple. My chief gripe with JSP prepared statements was that you had to specify the type of data to be set (setInt, setString etc), and that meant that I had to run a whole series of try catches just to make sure they set the right data type.
You got any links or references for prepared statements on PHP? I need to find a way to implement them such that I'll be able to set values while looping through my form fields.
Originally posted by Shotgun: Oh man.. prepared statements again. Using prepared statements for JSP was a pain in the ass and now PHP...?
PreparedStatements added a good 50+ lines to my code, and with these other projects with almost 40-50 fields, it's gonna triple. My chief gripe with JSP prepared statements was that you had to specify the type of data to be set (setInt, setString etc), and that meant that I had to run a whole series of try catches just to make sure they set the right data type.
You got any links or references for prepared statements on PHP? I need to find a way to implement them such that I'll be able to set values while looping through my form fields.
Oh no, prepared statements in PHP came like a gift from heaven when PHP 5 was introduced actually. To specify the data type, all you have to do is to use either 's' for strings, 'i' for integers etc as described in the link below. Then concatenate them all together and pass it as a string in the first parameter of bind_param(), followed by the data variables each as a parameter on its own, like "$stmt->bind_param('isis', $id, $name, $credits, $description)". If a given parameter doesn't belong to the data type specified, it will be auto type-cast to it. That means I don't have to, say, intval() all those users' numerical inputs and I can simply dump it to the function to handle the dirty laundry.
Besides, there are performance advantages as well, if you are using the same prepared statement frequently and simply passing in different variables each time as compared to individual queries.
http://sg.php.net/manual/en/function.mysqli-stmt-bind-param.php
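As an added example (my own code, not from anyone in this thread), here is a mysqli helper that does what Shotgun asked for: it loops over the form fields, builds the bind_param() type string (here 'ssi') on the fly and binds each value, so the quote in ' OR 1=1; is sent as data and never becomes part of the SQL. The accounts table, its columns and the $_POST layout are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a table `accounts` with
// columns name (VARCHAR), email (VARCHAR), credits (INT); field names and
// the shape of $_POST are assumptions for illustration.
declare(strict_types=1);

// Whitelist of accepted form fields and their bind_param() type codes.
// Column names come only from this list, never from user input.
const ACCOUNT_FIELDS = [
    'name'    => 's',
    'email'   => 's',
    'credits' => 'i',
];

/**
 * Insert one account row from submitted form data and return its new id.
 * Throws if a field is missing or the statement fails.
 */
function insertAccount(mysqli $db, array $post): int
{
    $columns = [];
    $types   = '';
    $values  = [];

    foreach (ACCOUNT_FIELDS as $field => $type) {
        if (!array_key_exists($field, $post)) {
            throw new InvalidArgumentException("missing field: $field");
        }
        $columns[] = "`$field`";    // from the whitelist, not from $post
        $types    .= $type;         // builds 'ssi'
        $values[]  = $post[$field]; // raw value; the driver handles quoting
    }

    $placeholders = implode(', ', array_fill(0, count($columns), '?'));
    $sql = sprintf('INSERT INTO `accounts` (%s) VALUES (%s)',
                   implode(', ', $columns), $placeholders);

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // Argument unpacking passes each value as its own by-reference argument.
    $stmt->bind_param($types, ...$values);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    return (int) $db->insert_id;
}

// Constructed usage: the quote is stored literally; '5' is cast to int by 'i'.
// $db = new mysqli('localhost', 'user', 'pass', 'shop');
// $id = insertAccount($db, ['name' => "' OR 1=1;", 'email' => 'a@b.test', 'credits' => '5']);
```

Because the values are bound rather than spliced into the query string, nothing needs to be escaped by hand and magic_quotes_gpc adds nothing (its extra backslashes would actually end up stored in the row, so turn it off or stripslashes() first).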