stackoom
  简体   繁体   中英

PHP & MySQL secure web application - Whole web site as single index.php file yes or no?

 原文  2012-04-01 15:32:03       php/ mysql/ session/ procedure

Question

I am working on web application that will use PHP & MySQL. Application will process confidential data. I need to make it as secure as possible.

I dont want password for MySQL user that application is using to connect to database to be written in PHP file in clear text format(root account for example).

Because of that I made pseudo MySQL Role system with stored procedures. Users will login to application with their MySQL username and password. They will have privilege only to execute MySQL stored procedures but not SELECT, INSERT, UPDATE, DELETE privileges on tables that are used inside of stored procedures. Definer of stored procedures will be root account.

I have one problem with that. And that is: I dont want to store login form data ( password for examole) in session in clear text format. I cant transfer mysql connection resource object from one page to another using session.

I am thinking right now to make whole web application as one big index.php file. That way I will have MySQL connection resource allways available when I need it.

Are there batter ways to do this? Probably. I dont want to regret my choice after too much work wasted :).

Thank you in advance.

4 answers

solution1
 1  2012-04-01 15:53:01

You still have to save the username and password to session. but dont save password in clear text , use openssl_encrypt and openssl_decrypt with your own hash.

http://php.net/manual/en/function.openssl-encrypt.php

but this function appears from PHP 5.3.0 above

solution2
 1  2012-04-01 16:21:13

You should never need to store passwords in the session and there is no need to create individual MySQL users for each user of your application. These things don't make your application more secure and could actually make it less secure.

Here are some suggestions:

  • Create one MySQL user with only the necessary permissions to read the data you need.
  • Store the MySQL connection information in a PHP file that is outside the document root and include this file in your PHP files that need access to the database.
  • Create a table in the database to store user accounts and always hash their password before saving it to the table. You can use this table to authenticate your users when they sign in.
  • When the user signs in, simply store a flag in the session, like their user_id. This is enough to identify who they are and that they are signed in. If the value is not in the session, then they are not signed in.
  • You don't need to put everything in one PHP file. It's OK to have more than one file.

You may want to try using a framework, like Symfony, CodeIgniter, or CakePHP because they will have tutorials that can help you create a secure application. Keep in mind that security goes beyond just passwords. As Kishor points out, you also need to worry about XSS, SQL injection, CSRF, etc. A framework will really help you out with these things.

solution3
 0  2012-04-01 15:37:29

No, don't make your application one giant file.

Put your DB credentials in an include outside of the web root. Then, make sure only the users that need it can open it. That's how this is generally done.

solution4
 0 ACCPTED  2012-04-01 16:13:34

There exists a design pattern called Front Controller , basically what it does is the entire application is served through one page. You implement your own dispatcher and the dispatcher handles all the requests. Such as which object to instantiate or which page to include. This limits the security exploitation for unknown objects.

Also, for the Session hijacking you can implement your prevention mechanisms by monitoring and checking for

  1. User Agent
  2. Session regenerate id
  3. Tokens

The database part is fairly impressive but may add additional complexities if someone else has to extend, debug your application. You can use prepared statements or even a better alternative an ORM such as Doctrine or Data Objects .

The major security exploits are through XSS and CSRF for that you will have to implement token passing mechanism within your forms and check for " origin of request".

Lastly, i would like to point out there are various security exploits possible in an web application. To counter these exploits lots of good frameworks exist. These issues and vulnerabilities are pre-dealt there. You can consider on the bussiness logic and let someone else handle that for you. Contrary to popular belief using frameworks will actually steepen your growth over the architectures, security and requests.

Hope this help !! cheers !

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question making php web application secure Php - make secure web application How to Run a Whole site From index.php How to fix broken links wordpress web config rewrite index.php broke site links error 404 .htaccess -> index.php in web folder (url has to be web/) PHP: Is it secure to use index.php as the bootstrap? Why use a single index.php page for entire site? if file == index.php Creating a desktop chat application with a PHP/MySQL web site acting as the server How to debug a site move, for a PHP5/MySQL web application
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM