/    Sign up×
Community /Pin to ProfileBookmark

Question-extracting data from MySQL..Advice

Copy linkTweet thisAlerts:
Feb 13.2009

Hello, I was wondering if anyone can advice me about the flowchart attached.
I’ve been reading many books and forums and was trying to get an understanding of how data is extracted from MySQL database
Am I on the right track based off the flowchart?
and do images and graphics work the same as text data when extracted from MySQL?
I have read that php can leave a database vulnerable to attacks … what are some examples of this? and how do you prevent this from happening?
I really appreciate any help Thanks so much

to post a comment
PHP

7 Comments(s)

Copy linkTweet thisAlerts:
@SnartmanFeb 13.2009 — Your flow seems fairly accurate. Remar, though:

  • 1. The Web Page part is also on the server. When the browser requests a page, the server will parse all PHP code in it and feed back the corresponding HTML or XHTML.


  • 2. The communication with the DB is technically not via PHP but via SQL. PHP provides some interface functions to handle that, though.


  • 3. You still need to run a query to extract the info from the DB.


    • As for the security issues, you might want to google for mysql injection. Injection is when a user enters malicious code in a form to change the behavior of your queries. For example, suppose I have a form where you can fill in a username and password, which are then used to retrieve the user's data:

    [CODE]
     $query = "SELECT * FROM users WHERE user = '".$_POST['user']."' and pass = '".$_POST['pass']."';";
    [/CODE]

    I'm foregoing sha1 encryption and such for simplicity's sake. This works fine if the user enters a normal name (Jack) and password (hello):

    [CODE]
     $query = "SELECT * FROM users WHERE user = 'Jack' and pass = 'hello';";
    [/CODE]

    This can be used in a wrong way too, however. Suppose I don't fill in 'hello' but I fill in the following code in the "pass" form field:

    ' OR 1 = 1

    The resulting query would be:

    [CODE]
     $query = "SELECT * FROM users WHERE user = 'Jack' AND pass = '' or 1 = 1;";
    [/CODE]

    You can see where this leads to...

    Try for mysqli if your server supports it and work with prepared statements.
    Copy linkTweet thisAlerts:
    @cgigauthorFeb 14.2009 — Thanks Snarmanb for the relply

    I will definitely look into mysql injection and msqli support

    I am a little lost ...I have and idea what you getting at ...but not understanding what would a malicious person accomplish from this?
    [CODE]$query = "SELECT * FROM users WHERE user = 'Jack' AND pass = '' or 1 = 1;";[/CODE]

    after reading your comments I revised the flowchart I revised in

    So does this flowchart represent the most effective way MySQL database driven websites flow?

    and are web page graphics, like buttons (sliced images) or even a flash swf file, also queried and extracted from msql database ...like the flow chart
    Copy linkTweet thisAlerts:
    @cgigauthorFeb 16.2009 — any takers on the above post

    thanks
    Copy linkTweet thisAlerts:
    @criterion9Feb 16.2009 — The flow chart is more accurate yes.

    The SQL injection above would allow anyone to be "logged in" according to the response from the MySQL server. If additional checks were not used this would allow any user to "impersonate" another user. They could change data or view content not meant for them. Depending on the nature of the data this could be fairly harmless or detrimental to a website.
    Copy linkTweet thisAlerts:
    @cgigauthorFeb 17.2009 — Thanks criterion9,

    based on the flowchart is the below feasible?
    are web page graphics, like buttons (sliced images) or even a flash swf file, also queried and extracted from msql database ...like the flowchart[/QUOTE]
    Thanks for all your help
    Copy linkTweet thisAlerts:
    @criterion9Feb 17.2009 — You can theoretically store anything in the database. Whether it is text or binary codes such as images or compiled applications.
    Copy linkTweet thisAlerts:
    @cgigauthorFeb 17.2009 — Thanks Criterion,

    I was wondering because... I always heard of text information being stored in database

    Thanks again for everyones help
    ×

    Success!

    Help @cgig spread the word by sharing this article on Twitter...

    Tweet This
    Sign in
    Forgot password?
    Sign in with TwitchSign in with GithubCreate Account
    about: ({
    version: 0.1.9 BETA 6.1,
    whats_new: community page,
    up_next: more Davinci•003 tasks,
    coming_soon: events calendar,
    social: @webDeveloperHQ
    });

    legal: ({
    terms: of use,
    privacy: policy
    });
    changelog: (
    version: 0.1.9,
    notes: added community page

    version: 0.1.8,
    notes: added Davinci•003

    version: 0.1.7,
    notes: upvote answers to bounties

    version: 0.1.6,
    notes: article editor refresh
    )...
    recent_tips: (
    tipper: @meenaratha,
    tipped: article
    amount: 1000 SATS,

    tipper: @meenaratha,
    tipped: article
    amount: 1000 SATS,

    tipper: @AriseFacilitySolutions09,
    tipped: article
    amount: 1000 SATS,
    )...