tags:
views: 75
answers: 1

I want to make a news portal (PHP) with minimum MySQL load: create a cron job, fetch data from MySQL and write it to a PHP file. (I don't know if this is the right way.) But can I use XML instead of a PHP file? Write the MySQL data to XML. Is this a secure way? What is the best way? XML or a PHP file?


Thanks in advance

+1  A: 

Let me start off by saying that MySQL is very fast and very secure. I recommend building the pages with MySQL upon request; most web applications do this because it's a very good approach. To save resources you can cache the output using a Squid reverse proxy, and it is very common to see this on high-traffic sites. PHP's APC will also reduce resource consumption without sacrificing security. Smarty's caching system is also a good approach with minimal security impact.

There are security concerns regardless of what method you choose, but some approaches are more hazardous than others. For instance, creating .php files with user input is probably the most dangerous thing you can attempt to do with a PHP web app.

// Request data is pasted straight into PHP source: a double quote in
// user_title ends the string and whatever follows is executed as code.
$page='$title="'.$_GET['user_title'].'"';
file_put_contents("/var/www/page.php",$page);

An attack against this code would look like this:

http://localhost/page_creater.php?user_title="; eval($_GET[backdoor]); //

Creating XML files with user input is also dangerous because it opens the door to advanced LFI attacks. However, the counter-argument is that as long as your application is free from Local File Include vulnerabilities, you shouldn't have to worry. But this is not a "defense in depth" design, because you should plan on failure.

It's possible to implement something like Squid's reverse proxy in PHP using ob_start(); however, you're still creating files with attacker-controlled data, and that is hazardous. Also, don't include() .html files; that's incredibly stupid (see advanced LFI attacks...). A better approach is this: print(file_get_contents($file)). I do like using .html files over .xml files because HTML doesn't have to be processed before outputting it to the user. Using XML files as data storage is wasteful of resources when compared to MySQL.

(Disclaimer: vulnerabilities have been found in Smarty and Squid, and PHP, and Linux, and MySQL and Apache and... everything else, even StackOverflow ;)

Rook
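As an added example (not part of Rook's answer or the original page), the following PHP script puts the vulnerable generator next to two safer alternatives: var_export() for the rare case where PHP source must be emitted from data, and an ob_start() output cache that stores rendered HTML under a hashed file name and serves it with file_get_contents(), as the answer recommends. The cache directory, the render_page() function, the cache_path() helper and the sample request are assumptions constructed for the example.

```php
<?php
// Added example, not code from the original answer. Contrasts generating
// .php files from request data (code injection) with an HTML output cache
// served as data. Paths and helper names below are assumptions.

declare(strict_types=1);

$cacheDir = sys_get_temp_dir() . '/news_cache';   // assumed cache location
if (!is_dir($cacheDir)) {
    mkdir($cacheDir, 0700, true);
}

// 1. The vulnerable pattern from the answer: user input pasted into PHP source.
function vulnerable_generate(string $userTitle): string
{
    return '<?php $title="' . $userTitle . '";';
}

// Constructed payload: closes the string, injects eval(), comments out the rest.
$payload = '"; eval($_GET[backdoor]); //';
echo "Generated (vulnerable) source:\n" . vulnerable_generate($payload) . "\n\n";
// Produces: <?php $title=""; eval($_GET[backdoor]); //";

// 2. If PHP must be emitted from data, let var_export() do the quoting; it
//    escapes quotes and backslashes so the value cannot leave the string.
function safe_generate(string $userTitle): string
{
    return '<?php $title=' . var_export($userTitle, true) . ';';
}
echo "Generated (var_export) source:\n" . safe_generate($payload) . "\n\n";
// Produces: <?php $title='"; eval($_GET[backdoor]); //';

// 3. Preferred approach from the answer: cache rendered HTML, not code.
//    The file name is a hash of the request key, so attacker-controlled
//    names cannot steer the write path (no "../" games).
function cache_path(string $cacheDir, string $slug): string
{
    return $cacheDir . '/' . hash('sha256', $slug) . '.html';
}

// Hypothetical page renderer; everything from the DB or request is escaped.
function render_page(string $title, string $body): string
{
    $t = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $b = htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<!doctype html>\n<title>$t</title>\n<article>$b</article>\n";
}

function serve_cached(string $cacheDir, string $slug, callable $render): string
{
    $path = cache_path($cacheDir, $slug);
    if (is_file($path)) {
        // Serve the cache as data with file_get_contents(), never include().
        return file_get_contents($path);
    }
    ob_start();
    echo $render();
    $html = ob_get_clean();
    // Write to a temp name and rename so a half-written file is never served.
    $tmp = $path . '.' . bin2hex(random_bytes(8)) . '.tmp';
    file_put_contents($tmp, $html, LOCK_EX);
    rename($tmp, $path);
    return $html;
}

// Constructed sample request: the article title carries the same payload.
$slug  = 'breaking-news';
$html1 = serve_cached($cacheDir, $slug, fn() => render_page($payload, 'Story text'));
$html2 = serve_cached($cacheDir, $slug, fn() => 'never called: cache hit');
echo "Served HTML:\n" . $html1;
echo ($html1 === $html2) ? "Cache hit returned identical HTML\n"
                          : "Cache mismatch\n";
```

Run it from the command line with `php example.php`. The cached file contains only escaped HTML, so even if an attacker controls the title, the worst outcome is literal text in the page; the file is never parsed by PHP, which is what removes the include()/LFI class of problems the answer warns about.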