Hello,

We are developing a very simple first stage GUI for a company database. At the moment our time to deliver is rather limited. So we thought about using a simple SQL stored procedure and retrieve all data. The data the users are allowed to see is depending on security levels defined in the database and also in our Active Directory. So after fetching all the data, the GUI displays only what the user has access to view / edit.

My question is if there are any remarkable security issues with this approach? It should also be noted that both the web interface and the database are located in our intranet.

Our backend uses W2K3, IIS, PHP 5, SQL 2005

Any feedback would be greatly appreciated

Jonas

+1  A: 

Don't put an outward facing web server on your internal network. Seriously. Put it in a DMZ.

As far as your data is concerned, will you be filtering based on user access before or after the data hits the web front end? I'd suggest doing it in the proc.

Also, if you can, I'd suggest putting your DB on a separate box as well, for added security.

Randolph Potter
+3  A: 

Considering the time to deliver (about 1 month), it should be rather ok.

First thing: since it is in intranet only, your site should be rather secured since outside world cannot be accessing your site.

Secondly, XSS and cross site request forgery should be disabled no matter what.

Next, SQL injection.

With these few things in mind, the application should be basically secured.

thephpdeveloper
Thanks, good to hear. Also to Randolph: I'm sorry if I was unclear. The webserver is not facing outwards, it's accessible only within our network. The question was if it was a major security issue to fetch all requested data from the proper database table, and then use the GUI to filter what's displayed depending on security level.
Jonas B
Jonas, no problem. I worry about security, especially after reading how some of the big boys are doing it. Since it's internal, you should be fine. I'm giving Mauris +1 for this answer too.
Randolph Potter
Thanks for the reply Randolph. I hope we will. I feel a bit more comfortable after reading your answers, mainly because it also reminds me of issues to think about preventing which is always good.
Jonas B
A: 

It is a sound enough approach. This way the data the user is not allowed to see remains in the database.

APC
A: 

"So after fetching all the data, the GUI displays only what the user has access to view / edit."

A frequent mistake when dealing with access control on websites is implementing them for the data fetching scenario but not the data writing scenario. This is often the result of the assumption "the user will only send us editing requests on resources that we told her she could edit". Unfortunately...

As I couldn't spot this in your question's content, I'd just recommend making sure you effectively dealt with access control when building the GUI but also when receiving data modification requests.

If we consider the following scenario:

  1. The user fetches data she has legitimate access to.
  2. The user requests edition of that said data. Let's imagine an edition form is now displayed.
  3. The user submits the form with the changes.
  4. Before leaving her machine, the user intercepts the HTTP request and replaces the identifier of the edited resource by another identifier, to which she shouldn't have access.

Does your model ensure that when receiving the editing request, the access control rules are also applied? From a SQL-like scenario, this would translate to asking whether you're using a request template such as the first one below or the second one below:

1) "UPDATE ... WHERE ID = x"

2) "UPDATE ... WHERE ID = x AND (SELECT ... FROM ... WHERE userID = y)"

If your model is more likely to be the first, then you might have an authorization model issue. Else, it should be okay.

Hope it helps.

sb.

Starbuck
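The two UPDATE templates from the answer above, run side by side against a small in-memory database (an added example, not code from the answer or the asker's project; the schema, the user id 42 and the "max editable level" rule are constructed assumptions, and sqlite stands in for SQL Server 2005, where the same WHERE-clause predicate applies in T-SQL):

```python
import sqlite3

def build_db():
    # Constructed sample schema: records carry a security level, and
    # user_access grants each user the highest level they may edit.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE records (id INTEGER PRIMARY KEY, level INTEGER, body TEXT);
        CREATE TABLE user_access (user_id INTEGER, max_level INTEGER);
        INSERT INTO records VALUES (1, 1, 'public note'), (2, 3, 'restricted note');
        INSERT INTO user_access VALUES (42, 1);  -- user 42 may edit level <= 1 only
    """)
    return db

def update_unchecked(db, record_id, body):
    # Template 1 from the answer: the ID taken from the request is trusted outright.
    cur = db.execute("UPDATE records SET body = ? WHERE id = ?", (body, record_id))
    db.commit()
    return cur.rowcount

def update_checked(db, user_id, record_id, body):
    # Template 2: the authorization rule is part of the WHERE clause, so a
    # tampered ID matches no row. A rowcount of 0 is the signal to deny and log.
    # (An unknown user yields a NULL subquery, and the comparison then fails too.)
    cur = db.execute(
        """UPDATE records SET body = ?
           WHERE id = ?
             AND level <= (SELECT max_level FROM user_access WHERE user_id = ?)""",
        (body, record_id, user_id))
    db.commit()
    return cur.rowcount

def body_of(db, record_id):
    return db.execute("SELECT body FROM records WHERE id = ?", (record_id,)).fetchone()[0]

def demo():
    # The edit form served to user 42 referred to record 1; the submitted request
    # instead names record 2, which is above the user's level (step 4 of the scenario).
    tampered_id = 2
    db1 = build_db()
    unchecked = update_unchecked(db1, tampered_id, "overwritten")          # 1 row: silently succeeds
    db2 = build_db()
    checked = update_checked(db2, 42, tampered_id, "overwritten")          # 0 rows: rejected
    legit = update_checked(db2, 42, 1, "edited by owner")                  # 1 row: allowed
    return unchecked, checked, legit, body_of(db2, 2), body_of(db2, 1)

if __name__ == "__main__":
    print(demo())
```

In the PHP handler, the rowcount check is what turns the second template into an actual decision: zero affected rows on a request that named a valid ID means the user was not entitled to it.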
Hello, Yes we have a very strict policy when it comes to who has the right to edit certain fields, so this is something we'll be very careful with. Thanks a bunch for your input on this matter!
Jonas B
Oh and to clear it up a bit further, if a user says he wants to edit a certain field, the server side will check to make sure he has the right to do so before sending the update query. So form manipulation and such would never work because the validation is not on the client side.
Jonas B