Dell Sala wrote:
Ken Wrote:

Applying security in the database renders you structurally immune from SQL injection.

Can you elaborate on this? I'm always intrigued by your DB-centric slant.


Sure. The typical SQL injection example is where I put some command in on an email form:

EMAIL:  [EMAIL PROTECTED]'; create user ken password 'backdoor';

In SQL Injection, the user accesses some table they are not supposed to access. This can only be done if the application connects to the database as some generic user, where that generic user can do anything it wants.

To eliminate all possibility of SQL Injection, you must connect to the database with a user whose privileges in the database are limited. The trick then is to work out who the users are and how their privileges are assigned.

Database security works basically by denying or granting access to tables. The four fundamental functions of INSERT, UPDATE, DELETE and SELECT can be denied or granted to any user, group, or combination of users and groups. An extremely important point here is that this is the simplest way to do security on a database app, because /every other method must resolve down to this method in the end./ So any method that begins with other ideas has more work to do.

So security becomes part of the database design process:

1) In the database, DENY ALL to all tables for all users.
2) Define different security groups, also known these days as *roles*.
3) GRANT select,update,insert,delete privileges to these different groups/roles as needs require.
4) Create actual users and assign them into appropriate groups.

If you want to go all the way, you actually create database users for every user of your system (that's what we do), and when they connect to the website we connect them to the database with their own credentials, this gives us a situation where:

1) SQL Injection does not let them do anything they can't do anyway, so at most it is a waste of the hacker's time
2) Our user interface design focuses on the idea that they should see everything they can do, and everything they can see they can do. Again, SQL Injection only gives them a really crude way to do something that's probably on the menu!

Hope this helps get you started!


-- Dell

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php


--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010
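The four-step procedure above, plus the "one database user per application user" arrangement, worked through as an added PostgreSQL example. This is not code from the post or from Secure Data Software; the database name `appdb`, the tables `customers` and `orders`, the group roles `app_reader` and `app_clerk`, the users `alice` and `bob`, and the passwords are all hypothetical placeholders. The last block shows the check a reviewer would run: impersonate a limited user and confirm that the injected statement from the post is refused by the server rather than by the application.

```sql
-- Added example (PostgreSQL). All names and passwords are placeholders.
-- Run as a superuser connected to the database "appdb".

CREATE TABLE customers (
    id    serial PRIMARY KEY,
    email text   NOT NULL
);
CREATE TABLE orders (
    id          serial  PRIMARY KEY,
    customer_id integer NOT NULL REFERENCES customers(id),
    total       numeric NOT NULL
);

-- Step 1: DENY ALL. PostgreSQL gives PUBLIC (every role) CONNECT on the
-- database and USAGE/CREATE on the public schema by default, so those
-- defaults have to be revoked too, not just the table privileges.
REVOKE ALL ON DATABASE appdb FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM PUBLIC;

-- Step 2: define the groups (roles that cannot log in themselves).
CREATE ROLE app_reader NOLOGIN;
CREATE ROLE app_clerk  NOLOGIN;

-- A group must be allowed to reach the schema before table grants mean anything.
GRANT CONNECT ON DATABASE appdb TO app_reader, app_clerk;
GRANT USAGE   ON SCHEMA   public TO app_reader, app_clerk;

-- Step 3: grant the four fundamental privileges per group, as needs require.
GRANT SELECT                 ON customers, orders TO app_reader;
GRANT SELECT, INSERT, UPDATE ON orders            TO app_clerk;
-- Nobody but the table owner gets DELETE.

-- Step 4: create the real users and put them into the groups.
-- CREATE ROLE defaults to NOCREATEROLE / NOCREATEDB / NOSUPERUSER, so a
-- user created this way cannot add roles or databases.
CREATE ROLE alice LOGIN PASSWORD 'placeholder-change-me' IN ROLE app_reader;
CREATE ROLE bob   LOGIN PASSWORD 'placeholder-change-me' IN ROLE app_clerk;

-- With this in place the web tier connects as alice or bob, using the
-- credentials of the person who logged in, instead of one generic account.

-- Verification: impersonate bob and replay the injected statement from
-- the post. Each of these is refused by the server because the privilege
-- is simply not there; the application code never had to catch it.
SET ROLE bob;
CREATE USER ken PASSWORD 'backdoor';   -- refused: bob lacks CREATEROLE
DELETE FROM orders;                    -- refused: app_clerk was never granted DELETE
SELECT email FROM customers;           -- refused: app_clerk cannot read customers
INSERT INTO orders (customer_id, total) VALUES (1, 9.99);  -- allowed, on the menu anyway
RESET ROLE;

-- Audit query: list exactly which group holds which of the four privileges
-- on each table, so the grants can be reviewed like any other design artifact.
SELECT grantee, table_name, privilege_type
FROM   information_schema.role_table_grants
WHERE  table_schema = 'public'
ORDER  BY table_name, grantee, privilege_type;

-- And confirm no application user can create roles.
SELECT rolname, rolcreaterole, rolsuper
FROM   pg_roles
WHERE  rolname IN ('alice', 'bob', 'app_reader', 'app_clerk');
```

The ordering of the REVOKE statements matters: revoking table privileges alone leaves the default CONNECT and schema USAGE in place, which is harmless for data access but means a compromised generic account can still enumerate the schema. Starting from "deny all" and granting back only what each group needs is what makes the injected `create user` a no-op regardless of how the application builds its queries.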
