Bret.burrill

Reputation: 41

Set up MySQL server and XAMPP, now need to understand basic security

Again, I am asking the most basic of questions...

By some miracle I got MySQL server installed and used the Workbench app to create my first table. In a week I have learned enough PHP to make an app that is so vulnerable I am throwing it away and starting over. I want to move development to my local machine, so I just got XAMPP running and used it to start MySQL server with no trouble. How is it possible that I started the server without entering credentials? I set up MySQL Server passwords using Workbench. I have not used the command line with the server yet. I opened localhost using Chrome and it showed an IP address. What do I need to do next with regard to basic security? Thank you for taking the time to read this.

Upvotes: 0

Views: 283

Answers (2)

sam

Reputation: 2984

The basics

Let's understand how PHP works; when you write PHP code, meaning code that lives within <?php ... ?>, it will be executed on the server, in this case your XAMPP instance.

This means that whenever a user comes to the website, he/she will not be able to actually see the code that you wrote, rather, they will see the render of that code.

The render would be anything after echo, print_r, var_dump, or outside of your PHP brackets.

When connecting to your database there are certain steps you can take to secure it, however, it's really not necessary. Look no further than Laravel's Eloquent system. Your actual database info is stored completely within your .env file.

Examples

Now, when developing with security in mind you do have to be careful, there are important rules to keep in mind:

  1. Always filter user input

This one should be a given; but day-in-and-out a new website gets hacked because inputs were not filtered properly allowing anyone to inject code into a script - whether at the SQL instance or the front-end JavaScript code.

One great way is to always cast what you are actually looking for; PHP is a weakly typed language. This means that '1' == 1. ('1' is a string, and 1 is an integer.)

One way to bypass this is by casting types when dealing with user input. Know what you need in your database. Whether a string, an integer, or a boolean. This will allow you to be certain the database request is only made with the proper types.

For example:

$var = (int) 'Hello'; // (int) is the canonical spelling of the (integer) cast
var_dump($var); // prints int(0)

  2. Use prepared statements

They are not that hard, and they are very basic when it comes to security - that's one of the best ways to use data from the user without directly inserting it into one of your SQL queries.

An example of a really bad query:

$sql = 'SELECT * FROM users WHERE id = ' . $id;
$query = $connection->query($sql);

What you should opt to do is:

// The ? placeholder keeps the value out of the SQL text.
$sql = 'SELECT * FROM users WHERE id = ?';
$stmt = $connection->prepare($sql);
$stmt->bind_param('i', $id); // 'i' binds $id as an integer
$stmt->execute();

Please, read more here.

Final Thoughts

You seem to be still new to programming. It's good you are concerned with safety as it's one of the most important pillars of a great Web Application. However, my ultimate recommendation is for you to begin with the basics. Learn the culture of PHP, know and understand how PHP works, then when it comes to security you will be able to achieve a lot more.

Along with PHP learn about Apache, and how requests are made, thoroughly understand HTTP Requests, and that will give you a greater understanding of what all has to go into consideration when building a safe app. You may have the greatest PHP code in the world, but if your HTTP protocols are not using SSL then any request going to your server is in plaintext for the whole world to see.

Upvotes: 2
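
The cast and the two queries from the answer above, run side by side on three constructed inputs. This is an added example, not the answerer's code; it uses PDO with an in-memory SQLite table (an assumption, so it runs without a MySQL server), and `parse_id`, `count_concat` and `count_prepared` are hypothetical helper names.

```php
<?php
// Added example, not from the answer. In-memory SQLite through PDO stands in
// for the MySQL server so the script runs without one; the rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Validate rather than cast: a cast turns any string into some integer,
// while FILTER_VALIDATE_INT fails unless the whole string is an integer.
function parse_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The answer's "really bad query": the input becomes part of the SQL text.
function count_concat(PDO $pdo, string $raw): string
{
    try {
        $rows = $pdo->query('SELECT * FROM users WHERE id = ' . $raw)->fetchAll();
        return (string) count($rows);
    } catch (PDOException $e) {
        return 'SQL error';
    }
}

// Hardened path: reject invalid input, then bind the value as a typed parameter.
function count_prepared(PDO $pdo, string $raw): string
{
    $id = parse_id($raw);
    if ($id === null) {
        return 'rejected';
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    return (string) count($stmt->fetchAll());
}

// Constructed inputs: a valid id, a non-number, and a string carrying SQL.
foreach (['2', 'Hello', '2 OR 1=1'] as $raw) {
    printf("input=%-10s cast=%d concatenated=%-9s prepared=%s\n",
        "'$raw'", (int) $raw, count_concat($pdo, $raw), count_prepared($pdo, $raw));
}
```

The `cast` column shows why a cast alone hides bad input instead of refusing it, and the last two columns show how many rows each query style returns for the same string.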

bcperth

Reputation: 2291

How is it possible that I started the server without entering credentials?

The server is just an executable program like any other and is subject to the security measures provided by your operating system file system. Most systems classify users into groups such as user or admin, and people belonging to each group have different privileges, with admin having more privileges. So you need to set up, on the computer where your server is running, who is and is not allowed to start the server. Typically users/groups can be configured "no access", "read access", "write access" or "execute access" or some meaningful combination of these. You need to read up about this.

What do I need to do next with regard to basic security?

Your SQL server, if configured properly, will allow or reject connections from users as you have already configured. This will help a lot assuming it is configured properly, but you need to test by logging in as different users or varying your connection string in PHP.

With regard to PHP and SQL, it's really easy to be vulnerable to "SQL Injection" attacks. This can happen when users enter executable SQL statements into forms. You can avoid this by ALWAYS USING PREPARED STATEMENTS - and I deliberately shout this! If you don't know "prepared SQL statements" then read up, but all it means (simplistically) is that you send template SQL statements to the SQL server in one command, and send the search parameters in a later one. This blocks the Injection attacks, so that your PHP script never executes a full SQL statement entered in a form.

I suggest getting these things done as a start and then tightening up further based on your specific needs.

Upvotes: 1
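
One way to run the login test the answer above suggests, as an added example that is not the answerer's code: it tries each account against your own local server and reports what the server allows. The `app_user` account, its placeholder password and the function name `check_account` are assumptions.

```php
<?php
// Added example, not from the answer. Point it only at your own local server.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw

function check_account(string $user, string $password, string $host = '127.0.0.1'): array
{
    $report = ['user' => $user, 'accepted' => false, 'findings' => []];
    try {
        $db = new mysqli($host, $user, $password);
    } catch (mysqli_sql_exception $e) {
        // Covers both "access denied" and "no server listening".
        $report['findings'][] = 'login failed: ' . $e->getMessage();
        return $report;
    }
    $report['accepted'] = true;
    if ($password === '') {
        $report['findings'][] = 'accepts an empty password';
    }
    // Any grant on *.* other than USAGE applies to every database.
    $result = $db->query('SHOW GRANTS');
    while ($row = $result->fetch_row()) {
        if (preg_match('/^GRANT (?!USAGE\b).+ ON \*\.\* TO /i', $row[0])) {
            $report['findings'][] = 'holds global privileges (ON *.*)';
            break;
        }
    }
    $db->close();
    return $report;
}

// Hypothetical accounts: the administrator with no password, and the
// account the PHP application is meant to connect with.
$accounts = [['root', ''], ['app_user', 'REPLACE_WITH_APP_PASSWORD']];
foreach ($accounts as [$user, $password]) {
    $report = check_account($user, $password);
    echo $report['user'], ': ', $report['accepted'] ? 'accepted' : 'rejected', "\n";
    foreach ($report['findings'] as $finding) {
        echo '  - ', $finding, "\n";
    }
}
```

An administrator login that succeeds with an empty password, or an application account that holds global privileges, are the two results to fix before going further.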
