PHP/MySQL security

Hello,

I’m trying to ascertain how secure PHP files and MySQL tables are. Can they be hacked? I’m not looking to store personal information beyond e-mail addresses in the tables, and the PHP files will just have some things like answers to questions in a game.

I do have a PHP/MySQL login system that requires the e-mail address and a password, but there is no access to personal information if those were stolen. Should I use https?

I guess I’m just looking for some basics on development security concerns.


@like_php Jan 01.2010 — You can use the md5() function for passwords; it's very good for issues like that.

Use it before you insert/select data from the database.

See the link http://php.net/md5

But md5 is one-way encoding, so you can't show or get the original text.

So it works for passwords but not for the user name/email address.

But you can use other functions like serialize() and unserialize() to store and get secured data in the DB.

But for email be careful; it's not a 100% solution, because expert developers can know how to get the serialised data back.

So the best solution, I guess, is to build your own decode/encode functions and use them.
@Mindzai Jan 01.2010 — Serializing data is absolutely no protection whatsoever. It doesn't even encode any data. Serializing the string "password", for example, results in: s:8:"password"; - not exactly uncrackable...

A few tips for securing your database apps (but you will need to read up more, there are whole books dedicated to the subject):

Store database config information outside of DocumentRoot

Encrypt passwords using a secure algorithm like sha1

Use a unique salt for each user when encrypting their passwords etc

Use TLS/SSL

And probably the biggest one, read up on SQL injection attacks and make sure your app is covered.

One thing to realise is that you can very rarely (if ever) be 100% secure. For example, you could write the most hardcore encryption routine ever, but it doesn't help you if I can walk into your data centre, access your box and read your keys. It's all about balancing risk. If you are just storing a few email addresses, following the basic security rules which any PHP/MySQL app should follow will be fine. If you are looking to store more sensitive info, for example credit card details, then you will find you have to start getting a bit more serious in terms of security (most likely you will be legally obliged to conform to certain standards), but in this case make sure the basics are covered and you should be fine.
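A worked version of the tips above, added here and not code from any post in the thread: database credentials loaded from a file outside DocumentRoot, password storage with a unique salt per user, and a login lookup that uses a prepared statement so the submitted e-mail cannot alter the SQL. It uses PHP's password_hash()/password_verify() (a salted, slow hash) in place of the salted sha1 the post names; the table `users`, its columns and the config path are assumptions.

```php
<?php
// Added example, not from the thread. Assumed schema: a table `users`
// with columns id, email, password_hash (hypothetical names).

// Tip: keep DB config outside DocumentRoot. This file is assumed to live
// at /etc/myapp/db.php (not under the web root) and to return an array
// like ['dsn' => 'mysql:host=localhost;dbname=game', 'user' => '...', 'pass' => '...'].
$cfg = require '/etc/myapp/db.php';
$pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Tip: when serving over https, keep the session cookie off plain http and
// away from JavaScript (array form requires PHP 7.3+).
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

// Tip: hash passwords with a unique salt per user. password_hash() generates
// a fresh random salt on every call and embeds it in the returned string,
// so no separate salt column is needed.
function registerUser(PDO $pdo, string $email, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

// Tip: SQL injection. Never build the query by concatenation, e.g.
//   "SELECT ... WHERE email = '" . $_POST['email'] . "'"   (unsafe)
// A bound placeholder sends the value separately from the SQL text, so
// quotes or SQL keywords in the input stay plain data.
function loginUser(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() reads the salt back out of the stored hash and
    // compares in constant time; a missing row is treated as a failed login.
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Usage (form fields `email` and `password` are assumed):
if (loginUser($pdo, $_POST['email'] ?? '', $_POST['password'] ?? '')) {
    $_SESSION['email'] = $_POST['email'];
}
```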
@like_php Jan 01.2010 — The problem is not the password; as I said before, he can use md5, but he wants to encode both user name and password. You can't use md5 on email because it can't output the original text.
@Mindzai Jan 01.2010 — I don't see where encoding the username was mentioned as a requirement, but even assuming it is, I don't see how serializing helps anything. It is intended for storing data structures such as objects and arrays as strings; it has nothing to do with security.
@like_php Jan 01.2010 — That's true; that's why I said it's not 100%, because a professional developer can easily get it back, but normal people who stole the DB can't.

And I agree with you about there being no need to encode the user name or to use your own encode/decode functions.
@Mindzai Jan 01.2010 — So if you came across an entry in a database that said s:8:"password" you couldn't figure out what the data means?! Serializing has nothing to do with security, it's as simple as that. If you want some kind of easy-to-crack obfuscation (for some reason) then base64_encode would be more appropriate, but anyone with the ability to steal your data will be able to decode it in seconds, so there's no point.
@Yelgnidroc Jan 02.2010 —
> The problem is not the password; as I said before, he can use md5, but he wants to encode both user name and password. You can't use md5 on email because it can't output the original text.

Of course you can use md5 on e-mail addresses, in just the same way as passwords.

When a user enters an e-mail address, md5 it and compare it to the md5 version stored in the database - you don't need to retrieve it from the database and convert it to the original text.
@skywalker2208 Jan 02.2010 —
> Of course you can use md5 on e-mail addresses, in just the same way as passwords.
>
> When a user enters an e-mail address, md5 it and compare it to the md5 version stored in the database - you don't need to retrieve it from the database and convert it to the original text.

The problem with hashing the email address is that you can't do any type of mailing list. I am sure you know that; I just want to make people who read the thread aware.