
I am creating an app that needs to connect to a MySQL database and do various things. I have created PHP scripts to do all the server-side stuff for me, like connecting to the database and doing CRUD operations. The PHP script will then echo out the results, which are stored in a String in my code for further handling.

However, I am concerned with security. My PHP scripts are open for everyone to use. For instance, "http://mySite.php?value1=test&value2=test" could be such a script, and what it could do is insert the values in the GET part of the URL into my database.

I know for a fact this isn't safe, but I don't know what to do. The thing is, the PHP scripts are not linked to/from anywhere; they are only used in my code. What I mean by that is that it is PHP code created to work specifically with my application, so I only ever run them by sending an HTTP request from within the app itself, and I never just go into my browser and type in the address (however, someone else could), which is why I don't think it is very safe.

Any ideas / good suggestions in order to make my scripts safe?

EDIT: Here is an example of my code, which I would like to make safe:

    // The raw GET parameter is interpolated straight into the SQL string;
    // this is the unsafe part the question is about.
    $orderGrill = $_GET["getOrder"];
    $query = "INSERT INTO grillOrders (`order`, `orderNumber`) VALUES ('{$orderGrill}', {$orderNumber})";

There you can see how I am just directly using the GET values. But how should I make them safe? I can't use forms, since I am running this script from an iPhone app "behind the scenes", so the user can't see the forms.

Thank you

Seerex
  • What is it you think is not safe? Are you worried about SQL injection? – Hans Mar 08 '14 at 15:43
  • Show the portion of your code relevant to the question and we will tell you if it is safe or not ;) – Prix Mar 08 '14 at 15:44
  • GET and POST aren't unsafe, but you should filter each value. – ajtamwojtek Mar 08 '14 at 15:47
  • Correcting what @jakon said, GET and POST are 100% unsafe because they contain INPUT which can be manipulated by the USER, so it's the developer's job to properly sanitize and make sure that what you're receiving is what you expect. – Prix Mar 08 '14 at 15:49
  • I added a piece of code showing what I am doing and what I want to be safe, which I guess it ain't :P – Seerex Mar 08 '14 at 16:29
  • @Seerex definitely not safe: if the `GET` input was `'; DROP grillOrders; --` your table would have been deleted and all data lost, and that is just one example; SQL injection can be used in several different ways, like to gain access to a system, and others. I recommend you stop using the deprecated `mysql_*` functions and move to either MySQLi or PDO with prepared statements. – Prix Mar 08 '14 at 20:46

2 Answers


I really suggest this one from the php.net manual; it's quite valuable: prepared statements and filtering.

sunshinejr

Use MySQLi or PDO with prepared statements to protect the database. Use htmlentities to protect against XSS attacks. Check the manual for more info.

Matthew Johnson
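Both answers say the same thing, prepared statements plus filtering, without showing what that looks like for the INSERT in the question. The script below is an added example, not code from the question or either answer: it rewrites that INSERT with PDO placeholders and validates both parameters first. The table and column names (`grillOrders`, `order`, `orderNumber`) come from the question; the database name `grillDb`, the user `grillApp`, the `DB_PASSWORD` environment variable, the `orderNumber` request parameter (the question's `$orderNumber` is never defined), the switch from GET to POST, and the JSON response shape are all assumptions made for the example.

```php
<?php
// Added example (not code from the question or the answers).
// Assumed setup: MySQL on localhost, database grillDb, user grillApp, password in
// the DB_PASSWORD environment variable, and a table created as
//   CREATE TABLE grillOrders (`order` VARCHAR(255) NOT NULL, `orderNumber` INT NOT NULL);
declare(strict_types=1);

function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=grillDb;charset=utf8mb4';
    return new PDO($dsn, 'grillApp', getenv('DB_PASSWORD') ?: '', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Server-side prepares: the bound values are sent separately from the
        // SQL text, so they can never change the statement's structure.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/**
 * Validate the two request parameters and return [order, orderNumber].
 * Validation limits what reaches the database; the prepared statement in
 * insertOrder() is what actually prevents injection, so do both.
 */
function validateOrderInput(array $params): array
{
    $order = $params['getOrder'] ?? null;
    if (!is_string($order) || $order === '' || strlen($order) > 255) {
        throw new InvalidArgumentException('getOrder must be 1-255 characters');
    }
    // FILTER_VALIDATE_INT rejects "", "12abc" and "1; DROP TABLE ..." alike.
    $orderNumber = filter_var($params['orderNumber'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($orderNumber === false) {
        throw new InvalidArgumentException('orderNumber must be a positive integer');
    }
    return [$order, $orderNumber];
}

/** Insert one row using placeholders instead of string interpolation. */
function insertOrder(PDO $pdo, string $order, int $orderNumber): int
{
    // Compare with the question's  VALUES ('{$orderGrill}', {$orderNumber})
    // `order` is a reserved word in MySQL, hence the backticks (as in the question).
    $stmt = $pdo->prepare(
        'INSERT INTO grillOrders (`order`, `orderNumber`) VALUES (:order, :orderNumber)'
    );
    $stmt->bindValue(':order', $order, PDO::PARAM_STR);
    $stmt->bindValue(':orderNumber', $orderNumber, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// A state-changing call should be a POST: the order data then travels in the
// request body instead of a URL that ends up in browser, proxy and server logs.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit;
}

header('Content-Type: application/json');
try {
    [$order, $orderNumber] = validateOrderInput($_POST);
    $rows = insertOrder(connect(), $order, $orderNumber);
    // Assumed response shape; the app in the question reads this body into a String.
    echo json_encode(['inserted' => $rows]);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo json_encode(['error' => $e->getMessage()]);
} catch (PDOException $e) {
    // Never echo the PDO message to the caller: it can expose the query and schema.
    error_log('grillOrders insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo json_encode(['error' => 'database error']);
}
```

An HTML form is only one way a browser builds a POST request; an iPhone app can send a POST body directly, so "I can't use forms" does not force GET. The `htmlentities` advice from the second answer applies when a value is echoed back into an HTML page; a JSON body consumed by the app is not HTML, so there it would only corrupt the data. Note also that prepared statements stop the query from being altered but do nothing about the other worry in the question, that anyone who discovers the URL can call it and insert rows; authenticating the app to the script (over HTTPS) is a separate control that neither answer covers.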