Page 1 of 2
    #1
  1. A Change of Season
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    3,558
    Rep Power
    221

    No security required for database driven website that does not contain any forms?


    Hi;

    What sort of security is required for a website that only retrieves data from the database?

    There are no search features involved. In other words users can only browse. No form submission.

    Thanks
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1018
    Hi,

    there's not just forms (I guess you mean POST requests initiated by forms). If you use the URL parameters to dynamically generate content (which you most probably do), you have the same issues as if you had POST forms. There's no difference.

    Unless your website only consists of a bunch of static HTML files, you have to deal with user input and the risks associated with that.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  4. #3
    Contributing User
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Dec 2004
    Posts
    3,082
    Rep Power
    381
    I would guess that if the user cannot do any interacting, then your site is pretty safe, as the hacker doesn't have any way of getting "in" to your backend/db
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1018
    What kind of site has no user interaction? Even the home pages I wrote as a kid had a guest book.
  8. #5
    Contributing User
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Dec 2004
    Posts
    3,082
    Rep Power
    381
    Originally Posted by Jacques1
    What kind of site has no user interaction? Even the home pages I wrote as a kid had a guest book.
    why do you have to question EVERYTHING? if the OP has said that he has a site with no interaction, then we have to take it at face value and give him an answer accordingly.

    Maybe the site is an information site where the user gets information, who knows..
  10. #6
  11. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1018
    Originally Posted by paulh1983
    if the OP has said that he has a site with no interaction, then we have to take it at face value and give him an answer accordingly.
    Says who? I don't know about you, but I see myself as a developer trying to solve problems, not some kind of quiz participant. And solving problems involves more than just giving answers to questions (for that, you don't even need a human, just ask Google).
  12. #7
  13. Super Moderator
    Devshed Specialist (4000 - 4499 posts)

    Join Date
    Jul 2003
    Location
    London, UK
    Posts
    4,005
    Rep Power
    2795
    zxcvbnm, if the database queries are pre-defined on the server-side then there should not be a security issue, from that perspective. However, if they are not then your database is not secure.

    If, for example, one of your browsing links is: http://www.domain.com/browse.php?query=books and the application uses that URI as the database query, as opposed to matching it against a pre-determined set of queries, then your database is wide-open to exploit.

    That said, it is still a user-defined input and should be scrubbed before referencing it.

    Comments on this post

    • Jacques1 agrees
    [PHP] | [Perl] | [Python] | [Java] != [JavaScript] | [XML] | [C] | [C++] | [LUA] | [MySQL] | [FirebirdSQL] | [PostgreSQL] | [HTML] | [XHTML] | [CSS]
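The allow-list the moderator describes, as an added example (this is not code from the thread): the `query` value in `browse.php?query=books` is only ever used as a key into a fixed set of statements the developer wrote, so nothing from the URL reaches the SQL text. The table names, the PDO connection details and the read-only `reader` account are assumptions.

```php
<?php
// Added example, not from the thread: browse.php handling ?query=books.
// Assumes a PDO connection to a MySQL database with tables `books` and
// `magazines` (hypothetical names) and a DB account that can only SELECT.
declare(strict_types=1);

// The vulnerable pattern from the post: the URI value IS the query.
//   $rows = $pdo->query($_GET['query'])->fetchAll();
// Whoever can edit the URL runs arbitrary SQL as the application's DB user.

// The hardened pattern: the URL value selects one of these pre-written
// statements. Unknown keys are rejected; the user never supplies SQL.
const BROWSE_QUERIES = [
    'books'     => 'SELECT id, title FROM books ORDER BY title',
    'magazines' => 'SELECT id, title FROM magazines ORDER BY title',
];

function browse(PDO $pdo, array $get): array
{
    $key = $get['query'] ?? '';
    // ?query[]=books arrives as an array; is_string() rejects that before
    // array_key_exists() sees it. It is still user input, so it is matched
    // exactly and never echoed back unescaped.
    if (!is_string($key) || !array_key_exists($key, BROWSE_QUERIES)) {
        http_response_code(400);
        return [];
    }
    $stmt = $pdo->prepare(BROWSE_QUERIES[$key]);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Data coming back out of the database is untrusted for HTML purposes too,
// so it is escaped on the way into the page.
function render(array $rows): string
{
    $html = '<ul>';
    foreach ($rows as $row) {
        $html .= '<li>' . htmlspecialchars((string) $row['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
    }
    return $html . '</ul>';
}

// Connection details are placeholders. Emulated prepares are switched off so
// the statement text and the (here: absent) parameters travel separately.
$pdo = new PDO('mysql:host=localhost;dbname=catalog;charset=utf8mb4', 'reader', 'REPLACE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

echo render(browse($pdo, $_GET));
```

Since a browse-only site never needs to write, the `reader` account it connects with should be granted `SELECT` only; that way even a query that does slip through cannot modify or drop anything.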
  14. #8
    Dazed&Confused
    Devshed Novice (500 - 999 posts)

    Join Date
    Jun 2002
    Location
    Tempe, AZ
    Posts
    507
    Rep Power
    132
    Originally Posted by paulh1983
    why do you have to question EVERYTHING? if the OP has said that he has a site with no interaction, then we have to take it at face value and give him an answer accordingly.

    Maybe the site is an information site where the user gets information, who knows..
    Believe it or not I have to side with Jacques on this one.
    The OP's description was only that:
    There are no search features involved. In other words users can only browse. No form submission.
    There could still be passive input into the scripts that in turn goes into database queries. Even if the user doesn't explicitly type things in or submit forms, even links like "index.php?page=5" could present an opportunity for injection.

    Even PHP-driven information sites will often have those.
  16. #9
  17. Mad Scientist
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Oct 2007
    Location
    North Yorkshire, UK
    Posts
    3,659
    Rep Power
    4128
    Is there an admin/cms that only you can access?

    If so,

    How secure is that?

    Is it susceptible to XSRF? or malware on your computer (not server)?
    I said I didn't like ORM!!! <?php $this->model->update($this->request->resources[0])->set($this->request->getData())->getData('count'); ?>

    PDO vs mysql_* functions: Find a Migration Guide Here

    [ Xeneco - T'interweb Development ] - [ Are you a Help Vampire? ] - [ Read The manual! ] - [ W3 methods - GET, POST, etc ] - [ Web Design Hell ]
  18. #10
  19. A Change of Season
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    3,558
    Rep Power
    221
    Originally Posted by Northie
    Is there an admin/cms that only you can access?
    Direct phpmyadmin
  20. #11
  21. Super Moderator
    Devshed Specialist (4000 - 4499 posts)

    Join Date
    Jul 2003
    Location
    London, UK
    Posts
    4,005
    Rep Power
    2795
    Can you give an example of the browsing links and their server-side handlers?
  22. #12
  23. Web Developer/Musician
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Nov 2004
    Location
    Tennessee Mountains
    Posts
    2,424
    Rep Power
    1036
    The C, U and D from CRUD aren't the only ways that a site user may interact with the db. OP I don't know the nature of the data you are working with, but if even one URL has a numerical id used in a query to bring up a db record for viewing then yes the user is interacting with the db and there is a potential (however small) for an attack through injection. Of course if all it is is numerical ids to retrieve records and perhaps record range parameters involved in paginating, then all you would have to do is force cast them

    PHP Code:
    $id = (int) $_GET['id'];
    and the possibility of an injection attack is eliminated. If you can't go to the trouble of adding (int) to your variable assignments for peace of mind then I don't know what to tell you. Frankly I think you should always code for security with a reasonable amount of effort regardless. It's not that complicated. Use the prepared statement functions or something like Doctrine as a matter of routine and you won't even think about it.
    Coder Central Tutorials, news and information for the programming community at large.
  24. #13
  25. A Change of Season
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    3,558
    Rep Power
    221
    I am pretty sure I'm safe:

    <a href="content.php?id=5">View this note</a>
    PHP Code:
    if (!is_numeric($_GET['id'])) {
        header('Location: invalid_request.php');
    } else {
        // Bind it
        $sql = "SELECT title, description FROM ert WHERE id=:id";
        $argument = array('id' => $_GET['id']);   // bind the request value, not the literal string 'id'
        $number_of_rows = DB::Load()->Execute($sql, $argument)->returnNumAffectedRows();
        if ($number_of_rows == 1) {
            $data = DB::Load()->Execute($sql, $argument)->returnArray();
            // ... (the rest of the snippet was cut off in the post)
        }
    }

  26. #14
  27. Web Developer/Musician
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Nov 2004
    Location
    Tennessee Mountains
    Posts
    2,424
    Rep Power
    1036
    Originally Posted by zxcvbnm
    I am pretty sure I'm safe:

    PHP Code:
    if (!is_numeric($_GET['id'])) {
        header('Location: invalid_request.php');
    } else {
        // Bind it
        $sql = "SELECT title, description FROM ert WHERE id=:id";
        $argument = array('id' => $_GET['id']);   // bind the request value, not the literal string 'id'
        $number_of_rows = DB::Load()->Execute($sql, $argument)->returnNumAffectedRows();
        if ($number_of_rows == 1) {
            $data = DB::Load()->Execute($sql, $argument)->returnArray();
            // ... (the rest of the snippet was cut off in the post)
        }
    }

    Well then I'm not sure why you asked the question if you were already using prepared statements.
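An added example (not the thread's code, and not the OP's `DB::Load()` wrapper) of the approach in posts #12 and #13 written against plain PDO: `id` and `page` are validated as integers and then bound to prepared statements, including the LIMIT/OFFSET case of pagination that post #12 mentions. It also shows why `FILTER_VALIDATE_INT` is a tighter check than the `is_numeric()` test in the OP's snippet. The table `ert` with columns `id`, `title` and `description` is taken from the OP's snippet; the connection string, the page size and the `list.php` listing are assumptions.

```php
<?php
// Added example, not from the thread: content.php?id=5 and list.php?page=2.
// Assumes a PDO connection to a MySQL database with a table
// ert(id INT, title, description) as in the OP's snippet.
declare(strict_types=1);

const PAGE_SIZE  = 20;          // assumed page size
const MYSQL_INT_MAX = 2147483647;

// Strict integer validation. is_numeric() also accepts "5.5", "1e3" and
// leading whitespace, and a bare (int) cast silently turns "5abc" into 5 and
// "abc" into 0. FILTER_VALIDATE_INT returns the integer only when the whole
// string is an integer inside the given range, and false otherwise.
function readInt(array $get, string $name, int $min, int $max): ?int
{
    $raw = $get[$name] ?? null;
    if (!is_string($raw)) {         // ?id[]=5 arrives as an array: reject it
        return null;
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

// The id travels as a bound parameter, so it can never alter the SQL text.
function loadNote(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT title, description FROM ert WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Pagination: LIMIT and OFFSET must be bound explicitly as PDO::PARAM_INT.
// Passing them through execute([...]) binds them as strings, and under PDO's
// default emulated prepares MySQL then sees LIMIT '20', which is a syntax error.
function listPage(PDO $pdo, int $page): array
{
    $stmt = $pdo->prepare('SELECT id, title FROM ert ORDER BY id LIMIT :limit OFFSET :offset');
    $stmt->bindValue(':limit', PAGE_SIZE, PDO::PARAM_INT);
    $stmt->bindValue(':offset', ($page - 1) * PAGE_SIZE, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection details are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'reader', 'REPLACE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// content.php?id=5 (the OP's link)
$id = readInt($_GET, 'id', 1, MYSQL_INT_MAX);
if ($id === null) {
    header('Location: invalid_request.php');
    exit;
}
$note = loadNote($pdo, $id);
if ($note === null) {
    http_response_code(404);
    exit;
}
echo '<h1>' . htmlspecialchars($note['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h1>';
echo '<p>'  . htmlspecialchars($note['description'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
```

With the value bound rather than interpolated, the validation step is no longer what stands between the request and the database; it only keeps malformed requests from reaching the query at all, which is why the `(int)` cast in post #12 and the prepared statement belong together rather than as alternatives.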
  28. #15
  29. A Change of Season
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    3,558
    Rep Power
    221
    Originally Posted by Hammer65
    Well then I'm not sure why you asked the question if you were already using prepared statements.
    Hi Hammer;

    I was looking for an answer like:

    Required:
    ---------------
    SQL injection

    Not Required:
    ---------------
    XSS,
    .
    .
    .

    Thank you