Accessing Your MySQL Database from the Web with PHP (Ch 11)


Using Prepared Statements

Prepared statements are recommended for:
  - speeding up execution when the same query is performed a large number of times with different data;
  - protecting against SQL injection attacks.

Basic concept:
  - a template of the query to execute is sent to MySQL;
  - the data (parameters) for the query are sent separately;
  - the query template can be used multiple times with different sets of data.

Prepared statements in the mysqli library

The query string is not built on the fly from user-provided input. Instead, the query is parameterized: when setting up the query, mark each piece of data that will be fed into it later with a ? placeholder. A placeholder can stand only where a literal value could appear, not for a table or column name.

  $query = "insert into books values(?, ?, ?, ?)";

Create a statement object suitable for preparing and executing an SQL query:

  mysqli_stmt|false mysqli_stmt_init ( mysqli $link )

  $stmt = mysqli_stmt_init($link);

Prepared statements in the mysqli library (cont)

Prepare the statement (the template is sent to the server and parsed there):

  bool mysqli_stmt_prepare ( mysqli_stmt $stmt, string $query )

Bind parameters = tell PHP which variables should be substituted for the placeholders (?) when the query is executed:

  bool mysqli_stmt_bind_param ( mysqli_stmt $stmt, string $types, mixed &$var1 [, mixed &$... ] )

The format string $types gives the type of each parameter, one character per placeholder, in order: s (string), i (integer), d (double), b (blob). The variables are bound by reference, so the values actually sent are the ones the variables hold at the moment mysqli_stmt_execute() is called.

  mysqli_stmt_bind_param($stmt, "sssd", $isbn, $author, $title, $price);

Prepared statements in the mysqli library (cont)

Execute the statement (the bound values are sent to the server separately from the query text):

  bool mysqli_stmt_execute ( mysqli_stmt $stmt )

  mysqli_stmt_execute($stmt);

Check the number of rows affected by an INSERT/UPDATE/DELETE query (-1 means the query returned an error):

  int mysqli_stmt_affected_rows ( mysqli_stmt $stmt )

  echo mysqli_stmt_affected_rows($stmt) . " book inserted into the database.";

Close the statement and free the server-side handle:

  bool mysqli_stmt_close ( mysqli_stmt $stmt )
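The whole sequence above (init, prepare, bind, execute, affected rows, close) as one runnable script. This is an added example, not code from the original slides; the connection parameters, the database name and the layout of the books table (isbn, author, title, price) are assumptions for illustration.

```php
<?php
// Added example (not from the original slides): insert one book with the
// mysqli procedural prepared-statement API. Connection parameters and the
// books(isbn, author, title, price) table are assumptions.
declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function insert_book(mysqli $link, string $isbn, string $author, string $title, float $price): int
{
    // 1. Query template with one ? per value; no user data ever enters the SQL text.
    $query = "INSERT INTO books (isbn, author, title, price) VALUES (?, ?, ?, ?)";

    // 2. Create the statement object and send the template to the server.
    $stmt = mysqli_stmt_init($link);
    mysqli_stmt_prepare($stmt, $query);

    // 3. Bind variables to the placeholders: three strings and one double.
    //    Binding is by reference; the values are read when execute() runs.
    mysqli_stmt_bind_param($stmt, "sssd", $isbn, $author, $title, $price);

    // 4. Execute: the parameter values travel separately from the SQL text.
    mysqli_stmt_execute($stmt);

    // 5. Row count for INSERT/UPDATE/DELETE (-1 would signal an error, but with
    //    MYSQLI_REPORT_STRICT an error has already thrown before this point).
    $affected = mysqli_stmt_affected_rows($stmt);

    // 6. Release the server-side statement handle.
    mysqli_stmt_close($stmt);

    return (int) $affected;
}

// Connection parameters are placeholders; replace them with your own.
$link = mysqli_connect("localhost", "db_user", "db_password", "books");

try {
    // Values as they might arrive from an HTML form. The apostrophe in the
    // title needs no escaping: it is sent as data, not as part of the SQL.
    $n = insert_book($link, "0-672-32916-6", "L. Welling", "Rob's Guide to PHP", 49.99);
    echo $n . " book inserted into the database.\n";
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; show the user only a generic message.
    error_log("insert_book failed: " . $e->getMessage());
    echo "Could not add the book.\n";
} finally {
    mysqli_close($link);
}
```

Turning on MYSQLI_REPORT_STRICT is the check most tutorial code omits: without it a failed prepare() or execute() just returns false, and a script that ignores that return value goes on as if the row had been written.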

Example files: newbook html, wbook_ps_html.pdf, ert_book_ps_php.pdf

Prepared Statements - Advantages

Prepared statements = SQL queries, prewritten and precompiled at the DB server, which then only require the variable inputs to execute.

When sending a query the "normal" way:
  - the client (PHP script) passes the whole query, data included, as one string to the DB server;
  - the DB server converts the data back from text into the proper binary data types;
  - the DB engine parses the statement and looks for syntax errors;
  - the DB engine works out the most efficient way to execute the statement, i.e. a query plan is created;
  - the query is executed.

When using prepared statements:
  - the data are sent to the DB server in a native binary form, so no conversion is needed and data transfer is more efficient;
  - the query text is parsed only once, and (depending on which DB server / version is used) the execution plan may be cached;
  - security: the parameter values are never part of the SQL text, so they cannot change the structure of the statement.

Prepared Statements - Limitations

Executing a prepared statement takes more round trips between client and server:
  → the 'pre-query' (template) is sent to the server for processing;
  → the parsed syntax is checked for errors;
  → an OK message is sent back to the client;
  → the variables are then sent and the statement is executed;
  → the results are sent back.

For a query executed only once this takes longer than a plain query. Repetitive, complicated queries are faster, since parsing happens once. The security benefit applies in both cases.

Prepared Statements - Security

SQL injection = an attack method consisting in passing (injecting) SQL syntax as an input, typically via web pages, in the hope of gaining unauthorized access to the database / application.

How: e.g. a login web page collects a username and a password and builds an ad-hoc SQL query string to check whether the user is valid. An SQL injection attack sends crafted username and/or password input that alters the structure of that query and thus grants the attacker something else (a login without a valid password, other users' rows, ...).

Solution: use prepared statements, so that user input is always treated as data and never as part of the query text. Filtering and validating input remains useful as a second layer, but it is not a substitute: hand-written escaping is easy to get wrong, and placeholders cannot stand in for table or column names or for keywords (e.g. ORDER BY ... ASC/DESC), so those must be chosen from a fixed allowlist in the PHP code.
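The login check described above, first written the vulnerable way (query text built from the form fields) and then with a prepared statement, plus the allowlist pattern for the one case placeholders cannot cover (identifiers). This is an added example, not code from the original slides; the tables users(username, password_hash) and books(isbn, title, price, author) and the connection parameters are assumptions for illustration.

```php
<?php
// Added example, not code from the original slides. Tables users(username,
// password_hash) and books(isbn, title, price, author), plus the connection
// parameters, are assumptions for illustration.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// A real bcrypt hash of a random string, computed once per request, that no
// submitted password can match; used to equalise timing for unknown users.
define('DUMMY_HASH', password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT));

// VULNERABLE (kept deliberately to show the attack): username and password are
// spliced into the SQL text, so quotes and comment markers inside them become
// part of the statement's structure.
function login_vulnerable(mysqli $link, string $username, string $password): bool
{
    $query = "SELECT id FROM users WHERE username = '$username' AND password = '$password'";
    // $username = "admin' -- " (trailing space) makes the server see
    //   SELECT id FROM users WHERE username = 'admin' -- ' AND password = '...'
    // so the password check is commented out and any password logs in as admin.
    // $password = "' OR '1'='1" makes every row match instead.
    $result = mysqli_query($link, $query);
    return mysqli_num_rows($result) > 0;
}

// HARDENED: the SQL text is constant; the username travels as a bound parameter
// and can only ever be compared as a value. Passwords are stored as
// password_hash() output and checked with password_verify().
function login_prepared(mysqli $link, string $username, string $password): bool
{
    $stmt = mysqli_stmt_init($link);
    mysqli_stmt_prepare($stmt, "SELECT password_hash FROM users WHERE username = ?");
    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);

    // For a SELECT, bind the result columns to variables and fetch one row.
    mysqli_stmt_bind_result($stmt, $hash);
    $found = mysqli_stmt_fetch($stmt) === true;
    mysqli_stmt_close($stmt);

    // Verify against the dummy hash when the user is unknown, so response time
    // does not reveal which usernames exist.
    $ok = password_verify($password, $found ? (string) $hash : DUMMY_HASH);
    return $found && $ok;
}

// A placeholder can stand only where a literal value could appear, never for a
// table or column name or for ASC/DESC. Map user input onto an allowlist and
// splice in only the allowlisted value.
function books_sorted(mysqli $link, string $sort): array
{
    $allowed = ['title' => 'title', 'price' => 'price', 'author' => 'author'];
    $column  = $allowed[$sort] ?? 'title';   // anything else falls back to a safe default
    $result  = mysqli_query($link, "SELECT isbn, title, price FROM books ORDER BY `$column`");
    return mysqli_fetch_all($result, MYSQLI_ASSOC);
}

// Connection parameters are placeholders; replace them with your own.
$link = mysqli_connect("localhost", "db_user", "db_password", "books");
$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';
echo login_prepared($link, $user, $pass)
    ? "Welcome, " . htmlspecialchars($user, ENT_QUOTES) . "\n"
    : "Login failed\n";
mysqli_close($link);
```

Feeding the inputs named in the comments of login_vulnerable() to login_prepared() simply yields a lookup for a username literally equal to "admin' -- ", which matches nothing; the same quotes that rewrote the first query are inert in the second because they never reach the SQL parser.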