[nycphp-talk] Not-so-subtle attack on PHP

Kenneth Downs ken at secdat.com
Thu Sep 27 07:21:37 EDT 2007


Dell Sala wrote:
> Ken wrote:
>
>> Applying security in the database renders you structurally immune 
>> from SQL injection.
>
> Can you elaborate on this? I'm always intrigued by your DB-centric slant.
>

Sure.  The typical SQL injection example is where I put some command in 
on an email form:

EMAIL:  ken at secdat.com'; create user ken password 'backdoor';

In SQL Injection, the user accesses some table they are not supposed to 
access.  This can only be done if the application connects to the 
database as some generic user, where that generic user can do anything 
it wants.

To eliminate all possibility of SQL Injection, you must connect to the 
database with a user whose privileges in the database are limited.  The 
trick then is to work out who the users are and how their privileges are 
assigned.

Database security works basically by denying or granting access to 
tables.  The four fundamental functions of INSERT, UPDATE, DELETE and 
SELECT can be denied or granted to any user, group, or combination of 
users and groups.  An extremely important point here is that this is the 
simplest way to do security on a database app, because /every other 
method must resolve down to this method in the end./  So any method that 
begins with other ideas has more work to do.

So security becomes part of the database design process:

1) In the database, DENY ALL to all tables for all users.
2) Define different security groups, also known these days as *roles*.
3) GRANT select,update,insert,delete privileges to these different 
groups/roles as needs require.
4) Create actual users and assign them into appropriate groups.

If you want to go all the way, you actually create database users for 
every user of your system (that's what we do), and when they connect to 
the website we connect them to the database with their own credentials. 
This gives us a situation where:

1) SQL Injection does not let them do anything they can't do anyway, so 
at most it is a waste of the hacker's time
2) Our user interface design focuses on the idea that they should see 
everything they can do, and everything they can see they can do.  Again, 
SQL Injection only gives them a really crude way to do something that's 
probably on the menu!

Hope this helps get you started!

>
> -- Dell
>


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010
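The four steps Ken lists (deny all, define roles, grant the four privileges, assign users), together with the per-person database account he describes, as an added worked example. This is not code from the original post; it assumes PostgreSQL (the dialect of the `create user ... password` payload in the message), and the table name `customers`, the roles `clerk` and `auditor`, and the account `dell` are invented for illustration.

```sql
-- Added example, not from the original post. PostgreSQL syntax assumed;
-- table, role and account names are placeholders chosen for illustration.

-- A table the application works with.
CREATE TABLE customers (
    id      serial PRIMARY KEY,
    email   text NOT NULL,
    balance numeric(12,2) NOT NULL DEFAULT 0
);

-- 1) DENY ALL: strip the default grants so only the owner can touch the
--    table, and stop arbitrary roles from creating objects in the schema.
REVOKE ALL ON customers FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO PUBLIC;   -- names must still resolve

-- 2) Define the security groups (roles). NOLOGIN: nobody connects as a group.
CREATE ROLE clerk   NOLOGIN;   -- may read and add customers
CREATE ROLE auditor NOLOGIN;   -- read only

-- 3) GRANT the fundamental functions per role, nothing more.
GRANT SELECT, INSERT ON customers TO clerk;
GRANT USAGE ON SEQUENCE customers_id_seq TO clerk;  -- needed for the serial id
GRANT SELECT ON customers TO auditor;
-- UPDATE and DELETE are granted to no one yet.

-- 4) Real people get their own login roles and are placed into groups.
--    The web application connects as these roles, never as the table
--    owner or a superuser.
CREATE ROLE dell LOGIN PASSWORD 'change-me-placeholder';
GRANT clerk TO dell;

-- Effect on the injection from the post when the app is connected as dell:
--   create user ken password 'backdoor';
-- is refused because dell lacks CREATEROLE:
--   ERROR:  permission denied to create role
-- Likewise an injected  DELETE FROM customers;  fails with
--   ERROR:  permission denied for table customers
-- Injected SELECT or INSERT still runs, but dell may do those anyway,
-- which is the "waste of the hacker's time" point in the message.
```

The application-side half of step 4 is that the PHP code opens its database connection with the logged-in person's own role and password (here `dell`) instead of one shared application account; the GRANTs above then bound what any statement, injected or not, can do on that connection.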
