Accessing MySQL with PHP IDIA 618 Fall 2014 Bridget M. Blodgett.

Querying Your Database
MySQL isn't picky about what accesses it, so long as it provides a valid username and password.
The process plays out the same as it would with a console or any other application:
1. Connect to MySQL.
2. Select the database to use.
3. Build a query string.
4. Perform the query.
5. Retrieve the results and output them to a web page.
6. Repeat steps 3 to 5 until all desired data have been retrieved.
7. Disconnect from MySQL.

Login File
It is possible to connect to MySQL in each PHP file that requires a database query.
– But this isn't the most secure method.
Making one file that does all your connecting works much better.
– This file is then included in any other file that must connect.
The information may need to be altered based upon how your servers are set up.

Login File
The important thing is to keep the login information within PHP tags (ideally in a file with no HTML markup at all).
– If the details aren't between the PHP tags, your login information may be served as HTML if someone loads the page.
Much like functions, this also makes updates easier.

Connecting to MySQL
Any file that needs MySQL can now include the login.php file with require_once.
mysqli is a PHP object and requires four pieces of information: server location, username, password, and database.
You want to check whether FALSE is returned, which signifies that it failed to connect.
– die() is a way to show there was an error and pass along the error code.
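The login file and the connecting page from the last three slides, written out as an added example (not the course's own code). File names, table and credential values are placeholders; note that `new mysqli()` does not actually return FALSE on failure, so the "did it connect?" check is made by letting mysqli throw and catching the exception.

```php
<?php
// ===== login.php  (added example; placeholder values, not the course's file) =====
// Pure PHP with no HTML markup and no closing ?> tag, so nothing in this file can
// ever be served as plain text. Keeping it outside the web root and pulling it in
// with require_once removes even that risk.
declare(strict_types=1);

const DB_HOST = 'localhost';
const DB_USER = 'webuser';        // placeholder
const DB_PASS = 'change-me';      // placeholder
const DB_NAME = 'publications';   // placeholder

// ===== any page that needs MySQL starts like this =====
// require_once __DIR__ . '/login.php';   // active in the real two-file layout

// Make mysqli throw on failure rather than leaving a half-usable object behind:
// new mysqli() never returns FALSE, so this is where the connection check
// actually happens.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect_db(): mysqli
{
    try {
        $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    } catch (mysqli_sql_exception $e) {
        // Keep the real reason and error code in the server log; the visitor
        // gets only a generic message, never host names or SQL state.
        error_log(sprintf('MySQL connect failed (%d): %s', $e->getCode(), $e->getMessage()));
        die('Sorry, the database is unavailable right now.');
    }
    $db->set_charset('utf8mb4');   // so escaping and stored data agree on the encoding
    return $db;
}

$db = connect_db();
```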

Building and Executing a Query
PHP has a built-in query function that makes it simple to query MySQL.
– As long as you pass it a well-formed query.
This function can only be used to send complete queries, not partial ones.
The results of the query are placed in the $results variable.

Fetching a Result
The returned result is a resource, not plaintext or a string.
– It is possible to call for the individual cells wanted from the results.
However, this can require a lot of calls to the result set.
– fetch_assoc() can be more efficient.
– It works by putting each cell of a row into an array labelled with the column names.

Closing a Connection
You never want to leave a connection hanging open; it uses up valuable resources.
If you keep opening connections on your pages and not closing them, you risk crashing your server(s).
The close() function does this effectively for connections.
free() does the same for the results of a query.

Integrating PHP and MySQL
The basic queries can be combined or sub-nested to perform multiple queries within nested PHP.
Always make sure to clean up any user input to prevent SQL injection.
– There are many escape characters that can cause unintended SQL to execute.
– Using mysql_real_escape_string() can prevent this problem.

Placeholders
One way to write secure code without using the real escape string.
Predefine a query using ? characters, then pass the user-generated data to it.
– This avoids building the query text from user data; the information goes directly to the database.
How can we alter the book example from earlier to make use of this?
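The book example is not reproduced on this page, so this added example (not the course's code) uses a hypothetical `books(title, author, year)` table and the `$db` connection from the "Connecting" slide. It puts the string-built query the slides warn about beside its placeholder version, then fetches with fetch_assoc(), frees the result and closes the connection as the earlier slides describe; `get_result()` assumes the mysqlnd driver, PHP's default.

```php
<?php
// Added example (not the course's code). Assumes a hypothetical table
// books(title, author, year) and an open mysqli connection $db.
declare(strict_types=1);

// The pattern the slides warn about: user input is spliced into the SQL text,
// so a quote in $author ends the string early and the rest is read as SQL.
// (With mysqli the escaping fix is $db->real_escape_string(); placeholders
// remove the need for it altogether.)
function books_by_author_unsafe(mysqli $db, string $author): array
{
    $sql    = "SELECT title, year FROM books WHERE author = '$author'";
    $result = $db->query($sql);             // query() takes only a complete statement
    $rows   = $result->fetch_all(MYSQLI_ASSOC);
    $result->free();
    return $rows;
}

// The placeholder version: the query text is fixed and sent first; the value
// travels separately, so it is only ever treated as data, never as SQL.
function books_by_author(mysqli $db, string $author): array
{
    $stmt = $db->prepare('SELECT title, year FROM books WHERE author = ?');
    $stmt->bind_param('s', $author);        // 's' = bind as a string
    $stmt->execute();
    $result = $stmt->get_result();          // a mysqli_result, as query() would return
    $rows = [];
    while ($row = $result->fetch_assoc()) {  // one array per row, keyed by column name
        $rows[] = $row;
    }
    $result->free();                        // free the result set...
    $stmt->close();                         // ...and the statement
    return $rows;
}

// On a page: $db comes from the login/connect step; close it when finished.
$author = $_GET['author'] ?? '';            // whatever the form sent, unmodified
foreach (books_by_author($db, $author) as $row) {
    echo $row['title'], ' (', $row['year'], ")\n";  // encode for HTML before real output
}
$db->close();
```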

HTML Injection
Much like SQL injection, having open forms also allows attacks against HTML and JavaScript.
The htmlentities function takes any HTML markup and replaces it with the more harmless display codes.
– <script src=' </script><script>hack();</script>
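Output encoding applied to fetched rows, as an added example (not the course's code): every cell passes through htmlentities at the moment it is written into the page, with ENT_QUOTES so the result is also safe inside an attribute. The sample row is constructed here and reuses the slide's script string.

```php
<?php
// Added example (not the course's code). Encodes at output time, per value,
// so data stays raw in the database and becomes harmless only where it is shown.
declare(strict_types=1);

function h(string $value): string
{
    // ENT_QUOTES:     encode both ' and " (needed inside attribute values)
    // ENT_SUBSTITUTE: replace invalid UTF-8 instead of returning an empty string
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render rows (as fetch_assoc() would return them) as an HTML table.
// The column name lands in an attribute and the value in element text;
// both go through h(), because both positions can be abused.
function render_table(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach ($row as $column => $value) {
            $html .= '<td data-col="' . h((string) $column) . '">'
                   . h((string) $value) . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed sample: what a form field or a stored row might contain.
$rows = [
    ['name' => 'Bridget', 'comment' => "<script src=''></script><script>hack();</script>"],
];
echo render_table($rows);
// Every <, > and quote in the comment cell is now an entity, so the browser
// shows the text of the tag instead of executing it.
```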