Database Security Issues

I'm helping someone to create an online database.  All is fine and good 
except for one problem.  Here it is:

In order to provide connectivity to the database, I've created a file called 
database.php which is readable only by the Apache web server.

It contained the following:

<?php

function database() {
        $db = mysql_connect("localhost", "mtlstats", /* the password */);
        mysql_select_db("mtlstats", $db);
        return $db;
}

?>

I quickly realized that even though nobody could read the password from the 
file, there was nothing preventing the other people with accounts on my web 
server, from including this file into one of their own php scripts, and 
hijacking the database.  I therefore made a change, so that it would only 
work when called from a file in the /mtlstats directory.

The file now reads as follows:

<?php

function database() {
        if(strpos($PHP_SELF, "/mtlstats/") === 0) {
                $db = mysql_connect("localhost", "mtlstats", /* the password */);
                mysql_select_db("mtlstats", $db);
                return $db;
        }
        return NULL;
}

?>

Unfortunately, I've discovered that although $PHP_SELF normally returns the 
name of the file being processed by the server, when called from within a 
function, it returns NULL for some reason.  Can anyone suggest an 
alternative means of correcting this problem?

Any assistance would be greatly appreciated.

-- 
Jonathan Lamothe
Founder of the Anime Void.
http://ani-void.cjb.net
11/24/2003 8:03:54 PM

Jonathan Lamothe <jonathan_lamothe@hotmail.com> wrote:
> <?php
> function database() {
>        if(strpos($PHP_SELF, "/mtlstats/") === 0) {
[snip]
> }
> 
> ?>
> 
> Unfortunately, I've discovered that although $PHP_SELF normally returns the 
> name of the file being processed by the server, when called from within a 
> function, it returns NULL for some reason.  Can anyone suggest an 
> alternative means of correcting this problem?

RTFM, you need to brush up on your variable skills:

from
http://nl2.php.net/manual/en/language.variables.scope.php
to
http://nl2.php.net/manual/en/language.variables.predefined.php#language.variables.superglobals
to
http://nl2.php.net/manual/en/security.registerglobals.php
and
http://nl2.php.net/manual/en/reserved.variables.php#reserved.variables.server

But the really shortshort version: use superglobals instead....

eg:
'PHP_SELF'

The filename of the currently executing script, relative to the document
root. For instance, $_SERVER['PHP_SELF'] in a script at the address
http://example.com/test.php/foo.bar would be /test.php/foo.bar.

-- 

  Daniel Tryba

11/24/2003 10:54:32 PM
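To show the superglobal fix in context, here is Jonathan's database() function rewritten with $_SERVER. This is an added example, not code from the thread; the install path, the helper name and the mysqli call are assumptions.

```php
<?php
// Added example (not from the thread): the caller check rewritten so it works
// inside a function. $PHP_SELF was a register_globals-style global, invisible
// in function scope unless declared "global"; $_SERVER is a superglobal and is
// visible everywhere. The directory path below is assumed.
//
// Limit of this check, which the rest of the thread explains: it only decides
// whether database() hands out a connection. Any script running as the web
// server's user can still read this file's source, so the check is not a
// substitute for keeping the password out of files that user can read.

define('MTLSTATS_DIR', '/var/www/html/mtlstats');   // assumed install path

// True when the script Apache is executing lives inside MTLSTATS_DIR.
// SCRIPT_FILENAME is the filesystem path the server resolved, which is
// preferable to matching the URL in PHP_SELF: with PATH_INFO or mod_rewrite
// the requested URL and the executed file can differ.
function caller_is_in_mtlstats()
{
    if (empty($_SERVER['SCRIPT_FILENAME'])) {
        return false;
    }
    $script = realpath($_SERVER['SCRIPT_FILENAME']);
    $dir    = realpath(MTLSTATS_DIR);
    if ($script === false || $dir === false) {
        return false;            // file or directory does not exist
    }
    // Require the directory plus a separator so "/mtlstats-other/" cannot match.
    return strpos($script, $dir . DIRECTORY_SEPARATOR) === 0;
}

function database()
{
    if (!caller_is_in_mtlstats()) {
        return NULL;
    }
    // Placeholder for the password the original post elides.
    $password = 'PASSWORD_PLACEHOLDER';
    // mysqli replaces the mysql_* calls of the original post (removed in PHP 7).
    // mysqli_connect() returns false on failure (PHP 8.1+ throws instead).
    $db = mysqli_connect('localhost', 'mtlstats', $password, 'mtlstats');
    return $db ? $db : NULL;
}
?>
```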
Daniel Tryba wrote:

> Jonathan Lamothe <jonathan_lamothe@hotmail.com> wrote:
>> <?php
>> function database() {
>>        if(strpos($PHP_SELF, "/mtlstats/") === 0) {
> [snip]
>> }

<moresnip>

> But the really shortshort version: use superglobals instead....
> 
> eg:
> 'PHP_SELF'
> 
> The filename of the currently executing script, relative to the document
> root. For instance, $_SERVER['PHP_SELF'] in a script at the address
> http://example.com/test.php/foo.bar would be /test.php/foo.bar.
> 

It's often better to look at the value of $_SERVER['REQUEST_URI'], especially
if you're doing things with mod_rewrite that involve non-existent folder names
....
nntp8 (115)
11/24/2003 11:04:05 PM
Jonathan Lamothe wrote:

> I'm helping someone to create an online database.  All is fine and good 
> except for one problem.  Here it is:
> 
> In order to provide connectivity to the database, I've created a file called 
> database.php which is readable only by the Apache web server.
> 
> It contained the following:
> 
> <?php
> 
> function database() {
>         $db = mysql_connect("localhost", "mtlstats", /* the password */);
>         mysql_select_db("mtlstats", $db);
>         return $db;
> }
> 
> ?>
> 
> I quickly realized that even though nobody could read the password from the 
> file, there was nothing preventing the other people with accounts on my web 
> server, from including this file into one of their own php scripts, and 
> hijacking the database.  I therefore made a change, so that it would only 
> work when called from a file in the /mtlstats directory.
> 
> The file now reads as follows:
> 
> <?php
> 
> function database() {
>         if(strpos($PHP_SELF, "/mtlstats/") === 0) {
>                 $db = mysql_connect("localhost", "mtlstats", /* the password */);
>                 mysql_select_db("mtlstats", $db);
>                 return $db;
>         }
>         return NULL;
> }
> 
> ?>
> 
> Unfortunately, I've discovered that although $PHP_SELF normally returns the 
> name of the file being processed by the server, when called from within a 
> function, it returns NULL for some reason.  Can anyone suggest an 
> alternative means of correcting this problem?
> 
> Any assistance would be greatly appreciated.
> 

As long as others have access to the permissions of the account that the 
web server is running as, then they will have access to any of your PHP 
scripts (source code) and any files that your PHP scripts have 
permission to read.

The trick is to not have users without your trust getting access to your 
webserver's user. It's a system configuration issue.


tk.lists (135)
11/25/2003 12:33:07 AM
Terence <tk.lists@fastmail.fm> writes:

> As long as others have access to the permissions of the account that the 
> web server is running as, then they will have access to any of your PHP 
> scripts (source code) and any files that your PHP scripts have 
> permission to read.
>
> The trick is to not have users without your trust getting access to your 
> webserver's user. It's a system configuration issue.

One way to protect database passwords is to remove them from the
code and have the web server set them in an environment variable
that the code could read.  The web server would set a different
password depending on the user, directory, or whatever condition
you can think of; with Apache, for example, you could do this with
SetEnv, SetEnvIf, or mod_rewrite.  Although the web server typically
runs as a non-privileged user such as "www" or "httpd", it usually
starts as root so it can bind to port 80.  The passwords could be
stored in a file that only root can read, so PHP, CGI, or other
code running as the non-privileged web server user couldn't read
the passwords from the file.

Using the above mechanism, the only way a user could read other
users' passwords would be by reading the process memory, perhaps
using /proc/pid/mem on systems that have such a thing, or possibly
by getting the web server to dump core and then reading the core
file.  The sysadmin should be able to prevent these possibilities
from happening.

-- 
Michael Fuhr
http://www.fuhr.org/~mfuhr/
mfuhr (163)
11/25/2003 5:31:38 AM
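An added example (not code from the thread) of the mechanism Michael describes, with the Apache fragment reproduced in the leading comment; the file paths, the variable name MTLSTATS_DB_PASSWORD and the mysqli call are assumptions.

```php
<?php
// Added example (not from the thread): Apache injects the database password
// into the request environment, so the PHP source never contains it and the
// value exists only for requests served from the mtlstats directory.
// All paths and names below are assumed.
//
// /etc/httpd/conf.d/mtlstats-secret.conf  (owned by root, mode 0600; the
// Apache parent process reads it as root at startup, before dropping to the
// unprivileged server user, so PHP or CGI code cannot read the file itself):
//
//   <Directory "/var/www/html/mtlstats">
//       SetEnv MTLSTATS_DB_PASSWORD "put-the-real-password-here"
//   </Directory>
//
// pulled into the main configuration with (mod_env must be loaded for SetEnv):
//
//   Include /etc/httpd/conf.d/mtlstats-secret.conf
//
// The value then lives only in server memory, which is the residual exposure
// Michael points at (process memory, core dumps); it would also be shown by a
// phpinfo() page served from that directory, so do not leave one there.

function database()
{
    // getenv() reads the per-request environment mod_env sets; under mod_php
    // the same value is also visible as $_SERVER['MTLSTATS_DB_PASSWORD'].
    $password = getenv('MTLSTATS_DB_PASSWORD');
    if ($password === false || $password === '') {
        // Fail closed: a request not mapped to /mtlstats/ (for example another
        // user's script that include()s this file) sees no password at all.
        return NULL;
    }
    // mysqli replaces the mysql_* calls of the original post (removed in PHP 7).
    // mysqli_connect() returns false on failure (PHP 8.1+ throws instead).
    $db = mysqli_connect('localhost', 'mtlstats', $password, 'mtlstats');
    return $db ? $db : NULL;
}
?>
```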
Michael Fuhr <mfuhr@fuhr.org> wrote:
> One way to protect database passwords is to remove them from the
> code and have the web server set them in an environment variable
> that the code could read.  The web server would set a different
> password depending on the user, directory, or whatever condition
> you can think of; with Apache, for example, you could do this with
> SetEnv, SetEnvIf, or mod_rewrite.  Although the web server typically
> runs as a non-privileged user such as "www" or "httpd", it usually
> starts as root so it can bind to port 80.  The passwords could be
> stored in a file that only root can read, so PHP, CGI, or other
> code running as the non-privileged web server user couldn't read
> the passwords from the file.

Needlessly complicated. Run the webserver with the privileges of a
user. That way the passwds can be in a file only readable to the user.

-- 

  Daniel Tryba

11/25/2003 6:34:48 AM
Daniel Tryba <news_comp.lang.php@canopus.nl> writes:

> Michael Fuhr <mfuhr@fuhr.org> wrote:
> > One way to protect database passwords is to remove them from the
> > code and have the web server set them in an environment variable
> > that the code could read.  The web server would set a different
> > password depending on the user, directory, or whatever condition
> > you can think of; with Apache, for example, you could do this with
> > SetEnv, SetEnvIf, or mod_rewrite.  Although the web server typically
> > runs as a non-privileged user such as "www" or "httpd", it usually
> > starts as root so it can bind to port 80.  The passwords could be
> > stored in a file that only root can read, so PHP, CGI, or other
> > code running as the non-privileged web server user couldn't read
> > the passwords from the file.
>
> Needlessly complicated. Run the webserver with the privileges of a
> user. That way the passwds can be in a file only readable to the user.

Could you elaborate on how you'd do this on an ISP's web server
that has thousands of users?  Apache 2's perchild MPM looks promising
for virtual hosts -- if you want to have a virtual host for each
user -- but according to the documentation it doesn't work yet on
most platforms, and I wonder how it would scale.  It also doesn't
appear usable in a non-virtual-host setup, such as the ISP might
have for its SSL configuration.

-- 
Michael Fuhr
http://www.fuhr.org/~mfuhr/
mfuhr (163)
11/25/2003 8:42:20 AM
Michael Fuhr <mfuhr@fuhr.org> wrote:
>> Needlessly complicated. Run the webserver with the privileges of a
>> user. That way the passwds can be in a file only readable to the user.
> 
> Could you elaborate on how you'd do this on an ISP's web server
> that has thousands of users?

With apache it seems that suexec is the way to go (and thus introducing
new problems like running php as cgi, but the enhanced per user security
might be worth it).

> Apache 2's perchild MPM looks promising for virtual hosts -- if you
> want to have a virtual host for each user -- but according to the
> documentation it doesn't work yet on most platforms, and I wonder how
> it would scale.  It also doesn't appear usable in a non-virtual-host
> setup, such as the ISP might have for its SSL configuration.

On the system I run Apache/PHP I'm the sole user, on the only multiuser
system I have access to the server isn't Apache, it lacks "native" php
support so php is run as the user in cgi :)

-- 

  Daniel Tryba

11/26/2003 12:45:54 AM
Daniel Tryba <news_comp.lang.php@canopus.nl> writes:

> Michael Fuhr <mfuhr@fuhr.org> wrote:
> >> Needlessly complicated. Run the webserver with the privileges of a
> >> user. That way the passwds can be in a file only readable to the user.
> > 
> > Could you elaborate on how you'd do this on an ISP's web server
> > that has thousands of users?
>
> With apache it seems that suexec is the way to go (and thus introducing
> new problems like running php as cgi, but the enhanced per user security
> might be worth it).

As you point out, using suEXEC introduces problems of its own.  One
of PHP's advantages is that it can be parsed directly by the server
without having to go through the fork/exec overhead of creating a
new process; using suEXEC or any other setuid/setgid mechanism that
requires a new process would negate that advantage.  On a busy
server that could cause serious performance problems.

Run some benchmarks and compare the times for server-parsed PHP vs.
PHP run as CGI.  Running as CGI is horrible.

> > Apache 2's perchild MPM looks promising for virtual hosts -- if you
> > want to have a virtual host for each user -- but according to the
> > documentation it doesn't work yet on most platforms, and I wonder how
> > it would scale.  It also doesn't appear usable in a non-virtual-host
> > setup, such as the ISP might have for its SSL configuration.
>
> On the system I run Apache/PHP I'm the sole user, on the only multiuser
> system I have access to the server isn't Apache, it lacks "native" php
> support so php is run as the user in cgi :)

This thread was about protecting passwords on a multiuser system,
a problem that ISPs and their customers face.  Using suEXEC or other
setuid/setgid mechanisms can solve the security problem for the
user, but for the ISP they can cause unacceptable performance
degradation.  The mechanism I posted is a way to protect passwords
without introducing the performance overhead of creating a new
process every time a page is served.

-- 
Michael Fuhr
http://www.fuhr.org/~mfuhr/
mfuhr (163)
11/26/2003 4:52:06 AM
Michael Fuhr wrote:

> 
> This thread was about protecting passwords on a multiuser system,
> a problem that ISPs and their customers face.  Using suEXEC or other
> setuid/setgid mechanisms can solve the security problem for the
> user, but for the ISP they can cause unacceptable performance
> degradation.  The mechanism I posted is a way to protect passwords
> without introducing the performance overhead of creating a new
> process every time a page is served.
> 

One way to do it is to have a group for users with webpages, and make
the relevant directories chmod 0705 - then the user can access the directory,
apache can access it as nobody, and members of the same group have no
access to the directory.

Just a thought...

Matt
nntp8 (115)
11/28/2003 1:02:18 AM
Matty <matt+nntp@askmenoquestions.co.uk> writes:

> Michael Fuhr wrote:

> > This thread was about protecting passwords on a multiuser system,
> > a problem that ISPs and their customers face.  Using suEXEC or other
> > setuid/setgid mechanisms can solve the security problem for the
> > user, but for the ISP they can cause unacceptable performance
> > degradation.  The mechanism I posted is a way to protect passwords
> > without introducing the performance overhead of creating a new
> > process every time a page is served.
> > 
> One way to do it, is to have a group for users with webpages, and make
> the relevant directories chmod 0705 - then the user can access the directory,
> apache can access it as nobody, and members of the same group have no
> access to the directory.

If the web server can read a file then anybody who uses that web
server can potentially read that file.  PHP features like safe_mode
and open_basedir can help prevent this, as can CGI mechanisms such
as suEXEC, but on some multiuser systems implementing such measures
isn't a viable option, and the web server may provide other services
that wouldn't be restricted by these measures.

-- 
Michael Fuhr
http://www.fuhr.org/~mfuhr/
mfuhr (163)
11/28/2003 7:54:40 AM
As others have noted, there's really no easy way you can protect the
file in question without making some serious changes to the Apache
setup.

The only solution I can think of is to encrypt the database password
using the login password as the key, and store it in an associative
array on the server.

$passwords = array(
    "cleong" => "AB534BE432BEE433C...E433C340F",
    "ojsimpson" => "7488494782...324239424",
    "jausten" => "8492374837923...384274389"
    ...
);

When the user logs in, the password provided is used to decrypt the
corresponding entry in the array, yielding the database password. The
password is then stored in a cookie on the client-side (can't use a
session variable, as session files are accessible through Apache).

Jonathan Lamothe <jonathan_lamothe@hotmail.com> wrote in message news:<PBtwb.4434$dt2.460498@news20.bellglobal.com>...
> I'm helping someone to create an online database.  All is fine and good 
> except for one problem.  Here it is:
> 
> In order to provide connectivity to the database, I've created a file called 
> database.php which is readable only by the Apache web server.
> 
> It contained the following:
> 
> <?php
> 
> function database() {
>         $db = mysql_connect("localhost", "mtlstats", /* the password */);
>         mysql_select_db("mtlstats", $db);
>         return $db;
> }
> 
> ?>
> 
> I quickly realized that even though nobody could read the password from the 
> file, there was nothing preventing the other people with accounts on my web 
> server, from including this file into one of their own php scripts, and 
> hijacking the database.  I therefore made a change, so that it would only 
> work when called from a file in the /mtlstats directory.
> 
> The file now reads as follows:
> 
> <?php
> 
> function database() {
>         if(strpos($PHP_SELF, "/mtlstats/") === 0) {
>                 $db = mysql_connect("localhost", "mtlstats", /* the password */);
>                 mysql_select_db("mtlstats", $db);
>                 return $db;
>         }
>         return NULL;
> }
> 
> ?>
> 
> Unfortunately, I've discovered that although $PHP_SELF normally returns the 
> name of the file being processed by the server, when called from within a 
> function, it returns NULL for some reason.  Can anyone suggest an 
> alternative means of correcting this problem?
> 
> Any assistance would be greatly appreciated.
chernyshevsky (2297)
11/28/2003 8:10:51 AM
chernyshevsky@hotmail.com (Chung Leong) writes:

> As others have noted, there's really no easy way you can protect the
> file in question without making some serious changes to the Apache
> setup.
>
> The only solution I can think of is to encrypt the database password
> using the login password as the key, and store it in an associative
> array on the server.

What login password are you using as the key?

> $passwords = array(
>     "cleong" => "AB534BE432BEE433C...E433C340F",
>     "ojsimpson" => "7488494782...324239424",
>     "jausten" => "8492374837923...384274389"
>     ...
> );
>
> When the user logs in, the password provided is used to decrypt the
> corresponding entry in the array, yielding the database password. The
> password is then stored in a cookie on the client-side (can't use a
> session variable, as session files are accessible through Apache).

When what user logs in?  This solution seems to assume that a single
user will be using the database and that the user will be logging
in using a password.  How would this solution work for an application
that needs to access a database for any number of users who won't
be logging in?

-- 
Michael Fuhr
http://www.fuhr.org/~mfuhr/
mfuhr (163)
11/29/2003 6:39:44 AM
Michael Fuhr wrote:


>> One way to do it, is to have a group for users with webpages, and make
>> the relevant directories chmod 0705 - then the user can access the
>> directory, apache can access it as nobody, and members of the same group
>> have no access to the directory.
> 
> If the web server can read a file then anybody who uses that web
> server can potentially read that file.  PHP features like safe_mode
> and open_basedir can help prevent this, as can CGI mechanisms such
> as suEXEC, but on some multiuser systems implementing such measures
> isn't a viable option, and the web server may provide other services
> that wouldn't be restricted by these measures.
> 

Well, really the only way to make it secure, if it needs to be, is to put
the site on its own server.  If suExec is an option, that's another way to
do it.

Basically, if you have ${n}x100 users on a server, it's kinda hard to make
individual sites that secure, although open_basedir can help in php

If you need the security, you pay for it!

Matt
nntp8 (115)
11/29/2003 11:52:45 PM
Yes, it's a limited solution. The assumption is that you have a small
group of trusted users accessing the database. I was trying to come up
with something that doesn't require changes to the server config,
since I doubt that an ISP would be willing to make them for you. Most
likely they'll just tell you to use their single-server or virtual
machine package.

mfuhr@fuhr.org (Michael Fuhr) wrote in message news:<3fc83f30$1_1@omega.dimensional.com>...
> chernyshevsky@hotmail.com (Chung Leong) writes:
> 
> > As others have noted, there's really no easy way you can protect the
> > file in question without making some serious changes to the Apache
> > setup.
> >
> > The only solution I can think of is to encrypt the database password
> > using the login password as the key, and store it in an associative
> > array on the server.
> 
> What login password are you using as the key?
> 
> > $passwords = array(
> >     "cleong" => "AB534BE432BEE433C...E433C340F",
> >     "ojsimpson" => "7488494782...324239424",
> >     "jausten" => "8492374837923...384274389"
> >     ...
> > );
> >
> > When the user logs in, the password provided is used to decrypt the
> > corresponding entry in the array, yielding the database password. The
> > password is then stored in a cookie on the client-side (can't use a
> > session variable, as session files are accessible through Apache).
> 
> When what user logs in?  This solution seems to assume that a single
> user will be using the database and that the user will be logging
> in using a password.  How would this solution work for an application
> that needs to access a database for any number of users who won't
> be logging in?
chernyshevsky (2297)
12/1/2003 12:26:33 AM
Reply:

Similar Artilces:

Security Issue
I have a created a secured database by following the security faq on the Microsoft website. I am opening my secured database logged in as one of the users that I created using a new mdw that does not contain the Admin user in the Admins group. Now I am closing this secured database but not quitting ACCESS. At this point, I am using the File menu to open another secured database (that uses a different mdw) and gain "full" control over its object!!! I am using ACCESS 2000. Is this normal behaviour? If this is not the desired behaviour how can I prevent it from happening? Is the only option I have is forcing the user to quit the application rather than close it? Could someone please explain. Thanks. "budugu" <meduriv@aol.com> wrote: > Is this normal behaviour? If this is not the desired behaviour how can > I prevent it from happening? Is the only option I have is forcing the > user to quit the application rather than close it? Could someone > please explain. No, it is not normal behaviour. Access security is a very complex concept when you're new to it and I suspect that one or both of these apps has not been properly secured. It's good that you've downloaded the MS KB article, that's a 'must have' but can be a bit 'heavy'. Have a look at my beginner's guide on my web site, it might help you track down the problem a little further. HTH - Keith. www.keithwilby.org.uk ...

Database security
I have been reading a little that you should secure your PHP code to prevent SQL injection into a database (MySQL in my instance), mainly by checking the type of data to be put into a database, and if text, to addslashes() the data. What I have not managed to find out, is does SQL injection threaten the input of data into a database, ie a guestbook, or the reading of a database where the user would not know if the data is being read from a database? Is there anything else to consider to make a database more secure? In particular, I have read here a few months back that it's a good idea to keep the username / password of the connection outside the root of the website. How would I access the password file then? What I mean is, if I want a certain file in my site I could access it by writing: www.mysite.com/password.php But as it would now be outsite the root, how would I be able to get to the password.php file? I have also read a bit that you can assign privelages (similar I guess to rwe for a directory / file) but to the database access, but can't find anything about it. Is there a good (beginners) guide to privelages? Any just incase, I did RTFM, but there are many versions which make it confusing on who is right. Thanks Dariusz In article <416e9326$0$48025$ed2e19e4@ptn-nntp-reader04.plus.net>, ng@lycaus.plusYOURSHIT.com (Dariusz) wrote: > I have been reading a little that you should secure your PHP code to > prevent SQL injecti...

PHP/MySQL security issues
Hi all, I have various security questions concerning PHP/MySQL-based web sites. 1) SQL Injections: Most of us use PHP to create and subsequently execute SQL commands out of the input of web forms. mysql_real_escape_string() PHP function is not enough, right? Provided that the MySQL data should not contain any "special" character, how can a custom escaping-based sql injection php filter handle special characters correctly? 2) When PHP connects to a MySQL database, it requires mysql_connect() where its unencrypted MySQL password is viewable. Is there any way that the password it written in an encrypted form? 3) If someone choses to use an internet server to host his Apache web server and php scripts and an intranet server to hold his MySQL database, is there any way to be able to update the MySQL database using the web forms without granting INSERT/UPDATE privileges to the internet server? 4) If data are stored in an encrypted form in MySQL, how can the deciphering key be hidden? 5) If data are stored in an encrypted form in MySQL, how can they be searched (especially numerical values)? I suppose that the answers of some of those questions might be combined to each other. Best Regards. A. ..oO(Asteras) >I have various security questions concerning PHP/MySQL-based web >sites. > >1) SQL Injections: Most of us use PHP to create and subsequently >execute SQL commands out of the input of web forms. >mysql_real_escape_string() PHP function is not...

some of the issues of NOT storing images in a secure database..
Performance you may get, security comes extra.. http://www.smh.com.au/technology/security/security-experts-go-to-war-wife-targeted-20110517-1eqsm.html On 17/05/11 14:45, The Natural Philosopher wrote: > Performance you may get, security comes extra.. > > http://www.smh.com.au/technology/security/security-experts-go-to-war-wife-targeted-20110517-1eqsm.html > Sorry. Somehow my brains hurt when I read "security expert" and "facebook" in one sentence. But for what it's worth, I did read the article. Do you mean he could not have guessed the right URL if the pictures were stored in a different fashion? Kind regards, -- Willem Bogaerts Application smith Kratz B.V. http://www.kratz.nl/ On 5/17/2011 8:45 AM, The Natural Philosopher wrote: > Performance you may get, security comes extra.. > > http://www.smh.com.au/technology/security/security-experts-go-to-war-wife-targeted-20110517-1eqsm.html > Which has absolutely nothing to do with storing pictures in a database - as anyone with an ounce of sense would know. -- ================== Remove the "x" from my email address Jerry Stuckle JDS Computer Training Corp. jstucklex@attglobal.net ================== Willem Bogaerts wrote: > On 17/05/11 14:45, The Natural Philosopher wrote: >> Performance you may get, security comes extra.. >> >> http://www.smh.com.au/technology/security/security-experts-go-to-war-wife-targeted-20110517-1eqsm.html >> &g...

Privileges, Security & Database Design Issues
Hi There, I'm creating a MS ACCESS database using Ms Access 2000 to store Interpretation requests by different departments in a hospital and Interpreter availability. All internal departments will be calling in or faxing their Interpretation requests to Intake staff at the Interpretation department and the intake staff will feed the request into the database. However, their is one department, Rehab, that is going to be going to be able to put in Interpretation requests thru an access form and they want the capacity to view the appointments (Interpretation Requests) they have requested. I have the following tables in my database: 1.. Interpreters 2.. Interpreter Type 3.. InterpreterAvailability Schedule 4.. Internal Departments 5.. Rehab Solutions 6.. Intake Staff 7.. Rehab Staff 8.. Interpreter requestsbyInternalDepts 9.. Interpreter requestsbyRehabSolutions 10.. AppointmentBookingStatus 11.. Appointments 12.. AppointmentType 13.. Invoice 14.. Language I read on 'How I use Microsoft Access User-Level Security' from www.geocities.com/jacksonmacd dated march 2, 2004 that "Permissions are applied at the table level. You can't configure Jet to allow some users to read or write to the whole table while restricting other users to select rows or columns." I am wondering what is the best way to design the tables for Interpretation Request. Is it possible to keep one table for (ie. InterpreterRequests vs . the tables:...

PHP 4 security File Access Issue on AIX
Hi. We are facing a problem with an old PHP application. The application browse the local server directory in order to show to the client browser file info and data. When we remove all the grants from "others", from any of the directoryes or the tree involved, or the files themself, the progam pop up with the error: ------ Warning: opendir(/appl/apt000/pt0/include/p/): failed to open dir: Permission denied in /appl/estion/AE/web/html/sources/filed/ gestioneOggetti.php on line 337 ------ The PHP script line involved is $hd=opendir($dir); with $dir="/appl/apt000/pt0/include/p/" This is the directory list where no "others" permissions are granted: [aspt000@svuni330:/appl/apt000/pt0/include]#> ls -al p drwxrwx--- 2 aspt000 aspt000 4096 Apr 19 12:52 p If the directory gets backs the grants for "others" [aspt000@svuni330:/appl/apt000/pt0/include]#> ls -al p drwxrwxrwx 2 aspt000 aspt000 4096 Apr 19 12:52 p evrything goes fine. The user runnig the web server is in the same group (aspt000) (but is not the owner) of any of the dirs/files involved. If we run a simple PHP script We are using - AIX 3.5 - PHP Version 4.3.8 - PHP API 20020918 - PHP Extension 20020429 - Zend Extension 20021010 - Thread Safety disabled - Apache/1.3.33 (Unix) mod_ssl/2.8.24 OpenSSL/0.9.8d PHP/4.3.8 - Apache Release 10333100 - Apache API Version 19990320 We want to tighten the security on the machine so we have to remove the ...

Top Ten PHP Security Issues, a preliminary list
There's my draft list of the top ten PHP security issues. As you can see, there's only nine right now. I've ranked them based on how readily the vulnerability can be exploited. This is the reason why the client-side scripting vulnerabilities are listed 2, 3, and 4, while SQL injection is listed 7. Listed as number 1 is the arguably the lamest mistake in all web-programming: pulling information from the database based on a primary-key passed through the URL without any kind of access check. Because even someone with no programming knowledge can take advantage of this hole, it takes the top spot. [drum roll] 1. Revealing private information without access check 2. Displaying user-provided text without escaping HTML special characters 3. Allowing users to supply a URL for an image 4. Processing form data without checking the page referrer 5. Copying an uploaded file into a web-accessible directory 6. Using a GET/POST variable as parameter to include/require 7. Inserting GET/POST variables into SQL statements without validation 8. Using session_register() with sensitive variables 9. Performing restricted operations in the global scope of an include file The use of register_globals is not on the list, as the potential problems are effectively covered by item 6, 7, 8, and 9 (or so I think). I'll write up a more detailed description for each of these, along with possible solutions, and post it somewhere on the net. Hopefully it...

Nice software for windows audit and Oracle database security issues 260497
I have just got a link for a new software from my friend and find it good. If you wanna be secure and want to conduct security assessment on your Windows, Oracle, MSSQL and Cisco routers then just follow the link. http://www.download.com/Secure-Auditor/3000-2653-10826743.html?part=dl-SecureAud&subj=uo&tag=button Secure Auditor provides single console for audit, compliance, penetration test and forensics of Windows, Oracle, MSSQL and Cisco Routers. Additionally it provides 30embedded tools at the price of single auditing software. Just check it out and give your comment. ...

Key-passing from PHP to TCL CGI script
On one of my sites, I have a TCL CGI script that has a security hole in spite of it having effective server-side validation (the fact that it's CGI IS its security hole). The front end is a PHP script, and I am writing server-side validation onto it, however, it is required to redirect to the TCL CGI script because only a CGI script has the ability to access a group-accessible XML script on the back end. I had to take the whole thing down because a hacker found a way to exploit the TCL CGI script and send in viral DoS-generating data packets via simple form text field submissions, somehow even bypassing the TCL CGI script's server-side validation. Hence, that is why I am writing server-side validation on the front-end PHP script, which is not CGI, of course. The only way I could figure out how to make this secure was the concept of "key passing", that is, passing a key from the PHP script into a $_SESSION variable, then the TCL CGI script must have the same key on its end, somehow, in order to expedite further. Bottom line: I have no clue how to do this. Is there anyone out there that knows this stuff and can either give me a quick tutorial or point me in the right direction? I have absolutely no idea where to begin, nor do I know any other means of ensuring web security. *NOTE* I cannot destroy the TCL CGI script, because only a CGI script can access the group-accessible XML on the back end, so that's not an option by any means. Thanx Phil ...

Excel database query does not work after securing an Access database
Hi all, I'd appreciate it if someone could give me a hint on this little annoying problem: I have a simple database that I want to be able to query from Excel. When I use the "new database query" wizard on an unsecured version of my database, everything works fine. I am able to read the tables and queries, and I can build customized queries in Excel from the Access tables/queries. Now, the moment I secure my database I lose all connectivity between Excel and Access. The wizard won't even connect to the database. When I add permission to the "open/read database" object through "Users and Groups Permission" in Access, I am able to connect to the database and see all the tables/queries, but it does not show the fields. I thought that in theory if I add permissions to "read design" and "read data" to my tables and queries for the regular users that should solve the problem, but it doesn't. I am obviously missing something somewhere, but what? I searched the web but could not find anything. I am using Windows XP Pro SP2 and Access 2003 and Excel 2003. Any advice???? Michael I'm actually just facing this problem as well myself, and have no answer. I have a secure database that's split front and backend. I've had split secure databases before where I have been able to query via Excel, but for some reason, this one won't let me. ...

Is PHP secure while PHP code is exposed on the hosting server?
Java is compiled before loading it on a hosting server. Erwin Moller wrote: > Java is compiled before loading it on a hosting server. You usually also keep you databases there (regardless of what programing language it is), so you better worry about that. Also, you can encrypt your code with ionCube or other encoders. It's secure. What is it with all those questions mr. Erwin ? Making some kind of statistics ? best regards Piotr N Piotr wrote: > Erwin Moller wrote: >> Java is compiled before loading it on a hosting server. > > You usually also keep you databases there (regardless of what programing > language it is), so you better worry about that. > Also, you can encrypt your code with ionCube or other encoders. It's > secure. > > What is it with all those questions mr. Erwin ? > Making some kind of statistics ? > > best regards > Piotr N > No, it's a Chinese troll wanting us to think it's Erwin. -- ================== Remove the "x" from my email address Jerry Stuckle JDS Computer Training Corp. jstucklex@attglobal.net ================== Jerry Stuckle wrote: > Piotr wrote: >> Erwin Moller wrote: >>> Java is compiled before loading it on a hosting server. >> >> You usually also keep you databases there (regardless of what >> programing language it is), so you better worry about that. >> Also, you can encrypt your code with ionCube or other enco...

Securing a split database without user level security
Hi ! I split a simple Access2K database ( shared on network ) and placed the files thusly : x:\app\frontend.mdb x:\app\back\backend.mdb Problem : I once read an article that laid out a "permission" scheme that , while not perfect, was effective at providing some protection ( from outright deletion for example ). This scheme had one assign certain permissions to the mdb's and other permissions for the folders where they reside. Can anyone help on this issue ? I am not able to locate the original article nor recall its details. André in Montréal sosandre@hotmail.com (Andy) wrote in message news:<50cf9e6a.0405180939.47d147eb@posting.google.com>... > Hi ! > I split a simple Access2K database ( shared on network ) and placed > the files thusly : > > x:\app\frontend.mdb > > x:\app\back\backend.mdb > > Problem : > I once read an article that laid out a "permission" scheme that , > while not perfect, was effective at providing some protection ( from > outright deletion for example ). This scheme had one assign certain > permissions to the mdb's and other permissions for the folders where > they reside. > > Can anyone help on this issue ? > I am not able to locate the original article nor recall its details. > > André in Montréal Why don't you want to implement User-level security? It's not that hard and is very effective. Andy wrote: > Hi ! > I split a si...

Security aspects on multiple databases VS Single databases
Hi to all, I am currently working on a project where I have to create a reservation system for a web conferencing service. I am about to choose between a multiple and a single database schema. That is, each company that uses the reservation system service is stored either in a separate database or in a single big one. Can anyone tell me -which approach is better regarding security reasons? -Which approach is better regarding data-mining? -Any other advantages, disadvantages except those listed already in the group for "multiple vs single databases". Any response will be appreciated. Thanks in advance. ...

Oracle DataBase and Applications Security Baseline or Security Checklist
Is there anybody out there with an Oracle DataBase 8.1.7 and Applications 11.5.8 Security Baseline or Security Checklist. Where can I get one???? Thanks in advance David In article <2lrn7tFfl47qU13@uni-berlin.de>, Dave Mendez <dhmendez@mail.cinvestav.mx> writes >Is there anybody out there with an Oracle DataBase 8.1.7 and Applications >11.5.8 Security Baseline or Security Checklist. Where can I get one???? >Thanks in advance >David > Hi, go to my website http://www.petefinnigan.com/orasec.htm - there is a section entitled "checklists" on that page - there are links to two good Oracle security check lists on there. These are database specific. If you want stuff on applications then try www.integrigy.com - Stephen Kost knows a lot about Oracle applications security and has some papers on his site. hth kind regards Pete -- Pete Finnigan email:pete@petefinnigan.com Web site: http://www.petefinnigan.com - Oracle security audit specialists Book:Oracle security step-by-step Guide - see http://store.sans.org for details. ...

a database, is a database, is a err database
How many times can we see the same request from someone who wants to access data from a 'pick' database through what has come to be 'standard' practices (odbc, oledb) and still get the same old sloppy 'buy this proprietary utility (and above all, my services)' answer. I think most of these pick flavors should have some sort of layer (by now!) to handle this; if someone needs to do this, the service is really 'education', i.e. to show them how. Let's cut the shit now and stop with this tired and silly BS and sad marketing schlock. Regards, -Jim Jim wrote: > How many times can we see the same request from someone who wants to > access data from a 'pick' database through what has come to be > 'standard' practices (odbc, oledb) > and still get the same old sloppy 'buy this proprietary utility (and > above all, my services)' answer. I think most of these pick flavors > should have some sort of layer (by now!) to handle this; if someone > needs to do this, the service is really 'education', i.e. to show them > how. Let's cut the shit now and stop with this tired and silly BS and > sad marketing schlock. > > Regards, > > -Jim Jim who? I wonder? What is this? An attack on capitalism? Providing services for those who perhaps lack the time, skill, or knowledge to perform such tasks is hardly a crime. Maybe "standard" odbc and...

how secure is the security from my security form?
Hey, I have a question about how secure the following will be.... I want to have a login form that posts to itself, so when it loads it checks if there is a username and password on the query list. If there is not, it asks for one. If there is, it checks to see if the information is valid. If it is not valid, it deletes the attributes and calls itself again. If it is valid it sets a particular session variable to be some value and redirects to the next page. Every page from there on in will check to see if the session variable is set and if not will redirect back to the login page. Are there any security risks/holes that I should know about? Thanks in advance, Aaron PS I do have access to Tomcat, but have been unable to figure out how to set it up (this is my first time setting up security for a site) - so if anyone has any tips/links that information would be most appreciated. Thanks again. ...

about php lang
plz told me that what is the php lang., how does it works and where it used. mani <msb.jod@gmail.com> wrote: > plz told me that what is the php lang., how does it works and where it > used. There is a good explanation at http://lmgtfy.com/?q=php regards Henrik -- The address in the header is only to prevent spam. My real address is: hc3(at)poolhem.se Examples of addresses which go to spammers: root@localhost postmaster@localhost On 16 Jun 2009, mani <msb.jod@gmail.com> wrote: > plz told me that what is the php lang., how does it works and > where it used. Lulz. <http://www.google.com/> -- ~Curtis Anonymous (1984 IOCCC winner): int i;main(){for(;i["]<i;++i){--i;}"];read('-'-'-',i+++"hell\ o, world!\n",'/'/'/'));}read(j,i,p){write(j/p+p,i---j,i/i);} mani schreef: > plz told me that what is the php lang., how does it works and where it > used. http://en.wikipedia.org/wiki/Php Tip: If you want to learn something about a subject totally new to you, try wikipedia for a reasonable intro. Regards, Erwin Moller -- "There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult." -- C.A.R. Hoare ...

PHP Security
I am developing an online application and the last thing I need to get a handle on is security. This app is very heavy with forms. Business critical data will be entered via forms and inserted into a database (mysql). I've googled "php security" and from what I've read, I should: 1) Filter all form data by stripping all non-alpha/numeric characters out, 2) Have the database on a different server, 3) Use "POST" not "GET", 4) Turn global variables off. 5) Use sessions for logins Should this do it? Or do I need more precautions? Even with all this can I still get hacked? Thanks bob rjames.clarke@gmail.com wrote: > I am developing an online application and the last thing I need to get > a handle on is security. Not that I'm an expert, but you have this backwards. Security should be the FIRST, not last, thing you think about. Your application's security is already doomed to be on the defensive: it's **much** harder to plug holes than it is to build walls. The only way to correct this is to re-write the whole thing from scratch. This is a truism: it's true of any language, not just PHP. > This app is very heavy with forms. Business critical data will be > entered via forms and inserted into a database (mysql). > > I've googled "php security" and from what I've read, I should: > > 1) Filter all form data by stripping all non-alpha/numeric characters > out, > ...

Database Security
I am trying to apply security to a database I have just finished. The application is split into a back end of tables and a front end of forms etc. I need some users to have access to forms based on some queries but not others. My question is, do I run the security wizard in the back end DB or the front end? If I just do the front end I seem to have more control (queries, individual forms etc.) but what's to stop someone just opening the back end DB. If I run the security wizard on the back end I can block access to tables but not queries or forms. If I ran it in both I feel both me and Access would get confused. As you can probably guess it's the first time I have applied security levels in a DB but I need to get it right first time. Thanks for any suggestions The point is you want to secure the application, so you must secure both front and back ends. Access won't get confused... Some tips on Access security I put together for my Blog in May follow. -- Tony D'Ambra Web Site: aadconsulting.com Web Blog: accessextra.net Effective MS Access Security? Did you know that: 1. You can access the Start-Up properties (such as disabling the Shift key bypass) of an .mde through an .mdb and change each property 2. You can open an .mde with the Shift key, press Ctrl+G to open the Debug window, press F2 to open the Object Browser, and then search all the code modules and constants. 3. You can import all the form and report objects but not the code from an...

database security
hi all, i'm having a play & turned on database security on a test box, as we have found that accessing the database via ODBC from a linux box connects (and allows sql updates) without specifying a username/password! i now want to turn the database security off, but when I try (from PCC), I get an error : [Pervasive][ODBC Client Interface][LNA][Pervasive][ODBC Engine Interface][Data Record Manager]This database has no security so the command has no effect. I find this a bit odd, as there are users in the Users pane, users in the X$User table, and the security tab on the properties of the database says "Database Security: Enabled". I get a similar error if I try to delete one of the users - "This database has no security so the command has no effect." Anyone got any ideas? thanks Dave :( no one got any clues for me ? Sounds like the DDFs might be bad. Try restoring them from a backup copy with the engine shut down (which should clear the security stuff out). You can try re-enabling security right away, but I'd recommend running the Check Database Wizard against the DDFs themselves first to be sure that the DDFs are properly defined. Goldstar Software Inc. Building on Btrieve(R) for the Future(SM) Bill Bach BillBach@goldstarsoftware.com http://www.goldstarsoftware.com *** Chicago: Pervasive.SQL Service & Support - November, 2005 *** *** Chicago: Pervasive DataExchange Class - Novem...

Security Issues
Am I the only person who finds Javascript's Security signatures ridiculous? My JavaScript browser (geocities.com/seanmhall2003/SeanSoft/launch.html) has been severely stripped of features, most importantly a refresh button. I am so mad because Javascript won't let me refresh a page from another frame if the other page is on another server. Is there a way to do that? On 1 Dec 2003 18:13:52 -0800, pianoman@reno.com (Dante) wrote: >Am I the only person who finds Javascript's Security signatures >ridiculous? My JavaScript browser >(geocities.com/seanmhall2003/SeanSoft/launch.h...
