Reputation: 704
How can I use PHP to make secure calls to MySQL Databases?
I recently started coding another website, the first one in 5 years. Before I was very familiar with using PHP/Javascript to code a website and its layout. Very seldom did I use it for user accounts(if so I had a friend code it), I only used it to store data for products for layout purposes.
At the moment, I will not be using SSL until I purchase a certificate.
So now i will use PHP to keep names, emails, addresses, phone numbers, etc. all stored on a database. I looked through hundreds of documentation and found nothing that is easy for me to understand since I barely remember anything but simple coding.
I did find a few step by step tutorials on making SQL injections and such but they date back to 2005. I'm looking for something much more recent.
Ideally, all I'm looking for is a great place to start (without starting a beginner php) to making a website secure with php when usling MySQL. For instance, password encryptions and such; along with calling and injecting to the database.
Thanks in advance.
EDIT
Thank you guys, I've been busy with work and I waited for an answer that will suffice. I didn't get quite what I asked for; probably my fault, however. I looked at proper documentation, but always just throw operators and little functions just like javascript in my face. I'm past that, I want unique functions that have a purpose and I'm unaware where to get those. they seem to be way too complex for me or just far too simple.
I thought about using openSSL but if I do recall I need to install it, that won't happen for the cheap hosting my client pays for. I told my client I was only familiar with this stuff and its best to go else where other than design, he didn't care how long it took. so now I have to learn this all over again quickly.
Upvotes: 0
Views: 735
Answers (2)
Reputation: 174485
- Secure backend connections:
If you want to secure the connection from a web server to the database server, you could use openssl to generate an SSL certificate and set up secure connections with theMYSQL_CLIENT_SSLflag inmysql_connect()like in this article - Sanitize input:
To prevent SQL injections, make sure that the input you use in queries, is actually the input you would expect, either through input validation based on input types, or by escaping metacharacters, like withmysql_real_escape_string() - Password Hashing:
Something as simple as one-way hashing, for example withSHA-1, can help you store user passwords in a more safe manner. Store password hashes, and then compare the stored hash with a hash of the password input during authentication.
Upvotes: 2
Reputation: 324630
Prepared statements will pretty much completely protect you from SQL injection.
However I find they're a pain in the rear end to implement when all you really have to do is put the input through mysql_real_escape_string and make sure it's in quotes in the query so the would-be-hacker can't break out of the string.
Upvotes: 2
Related Questions
- Securely Connected to MySQL DB via PHP
- Secure way to connect to a MySQL database
- Making a secure connection to a SQL database in php
- How can I better secure my database connection
- mysql/php is this a secure way to connect to mysql DB?
- Secure MYSQL connection details
- Securing php to database comms
- How to establish a secure connection with MySQL/PHP
- A secure PHP class connecting to MySQL?
- Creating a Secure Connection to a Server using PHP