Database Security for PHP
Rohan Faye
Contents
Introduction
Designing databases
Connecting to database
Encrypted storage model
SQL injection
Avoiding techniques
Conclusion
Introduction
Databases: cardinal components of any web-based application
Provides varying dynamic content
Stores sensitive or secret information
PHP cannot protect your database by itself
Defense in depth
Designing databases
Create the database
Grant the privileges in order to allow other users to use it
Applications should never connect to the database as its owner or a superuser
Stop intruders from gaining access by assigning limited rights to the database objects
Designing databases
Avoid implementing all the logic in the web application
Use views, triggers or rules
Transparency
Automatically handle fields
Provides insight when debugging problems
Ability to trace back transactions
Connecting to database
Establish connections over SSL to encrypt client/server communications for increased security
Use SSH to encrypt the network connection between clients and the database server
If either of these is used, for a would-be attacker, it will be:
Difficult to gain information about your database
Encrypted storage model
SSL/SSH
Protects data travelling from client to server
Does not protect persistent data
If attacker gains access, sensitive data can be misused
Encrypting the data is a good way to mitigate this threat
Encrypted storage model
Create your own encryption package to use it from within your PHP script
PHP assists you with several extensions like Mcrypt and Mhash
Script encrypts the data before inserting it into the database, and decrypts it while retrieving
If the raw representation of the data is not needed, you can rely upon hashing, e.g. crypt() and MD5()
Before moving further...
Real world examples of some major incidents due to a security flaw...
Incident 1
Date: November 1, 2005
Attacker: A high school student
Victim: Taiwanese Information Security magazine's site
Incident 2
Date: March 29, 2006
Discovered by: Susam Pal (Security expert)
Victim: Official Indian government tourism site
Incident 3
Date: July 19, 2008
Attacker: m0sted and Amen (Turkish hackers)
Victim: Kaspersky's Malaysian website
Incident 4
Date: January 20, 2009
Attacker: Albert Gonzalez and two unnamed Russians
Victim: Heartland Payment Systems
Incident 5
Date: October 10, 2009
Attacker: A Turkish crew
Victim: Federal Bureau of Investigation job site
Incident 6
Date: December 4, 2009
Attacker: Unknown
Victim: RockYou!
And many more...
All of these incidents involved a common attack technique...
SQL
SQL injection
A SQL query is:
Not always a trusted command
Can bypass standard authentication and authorization checks
May allow access to host operating system level commands
Direct SQL Command Injection
A technique where an attacker can create or alter existing SQL commands to expose hidden data
Can execute dangerous system level commands on the database host
Accomplished by the application taking user input and combining it with static parameters to build a SQL query
Avoiding techniques
Never connect to the database as a superuser or a database owner
Validate the input
PHP has a wide range of input validating functions
Perl compatible Regular Expressions support
Quote each non-numeric user-supplied value passed to the database using a database-specific string escape function
Avoiding techniques
Do not print out any database specific information by fair means or foul
Benefit from logging queries, either within your script or by the database itself, if it supports logging
Unable to prevent any harmful attempt
Can be helpful to trace back which application has been circumvented
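Added example (not from the original slides): a query built by combining user input with static text, next to a version that validates the input with a Perl-compatible regular expression and quotes it with the driver's string escape function. It assumes PDO with the SQLite driver and an in-memory database; the `users` table, its rows and the function names are constructed for illustration.

```php
<?php
// Constructed schema and data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)");
$db->exec("INSERT INTO users (name, secret) VALUES ('alice', 'a-secret'), ('bob', 'b-secret')");

// Vulnerable: user input is combined with static text to build the query.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: validate against a PCRE allow-list, then quote the value with
// the database-specific escape function (PDO::quote) before using it.
function findUserSafe(PDO $db, string $name): array
{
    if (!preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $name)) {
        // Log the rejected attempt server-side; return nothing database-specific.
        error_log('rejected user name input');
        return [];
    }
    $sql = "SELECT id, name FROM users WHERE name = " . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric values are validated as numbers instead of being quoted.
function findUserById(PDO $db, string $id): array
{
    if (!ctype_digit($id)) {
        error_log('rejected user id input');
        return [];
    }
    $sql = "SELECT id, name FROM users WHERE id = " . (int) $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed hostile input that alters the WHERE clause of the unsafe query.
$input = "x' OR '1'='1";

printf("unsafe lookup returned %d row(s)\n", count(findUserUnsafe($db, $input)));
printf("safe lookup returned %d row(s)\n", count(findUserSafe($db, $input)));
printf("safe lookup for 'alice' returned %d row(s)\n", count(findUserSafe($db, 'alice')));
printf("id lookup for '1 OR 1=1' returned %d row(s)\n", count(findUserById($db, '1 OR 1=1')));
```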
Conclusion
A good PHP application doesn't need to be good-looking. It simply needs to be safe...
Thank you