How Do You Protect Your Database?

Discussion in 'Databases' started by Masterful, Oct 9, 2013.

  1. #1
    I have a webform on my site. It allows people to submit information to my database. At the moment, the webform has no protection.

    What kind of security measures should I have in place to protect my database?

    Are bad bots the only risk these days?

    I use mysql_real_escape_string($_POST['']) to escape special characters, and I use trim($string) to trim whitespace from the beginning and end of every string. Should I be using any other PHP functions to protect my database?

    Any advice will be much appreciated.
    Masterful, Oct 9, 2013
  2. N0K

    N0K Greenhorn

    #2
    Hi,
    You can check if the input is a string or number.

    Regards.
    N0K, Oct 9, 2013
  3. forexforex70

    forexforex70 Peon

    #3
    Hello, I provide a database with full details: name, email, phone, country. The majority are forex data. Please contact me if someone is interested in buying.
    forexforex70, Oct 29, 2013
  4. jscg

    jscg Active Member

    #4
    Take your time and read this one: http://simon.net.nz/articles/protecting-mysql-sql-injection-attacks-using-php/
    jscg, Oct 29, 2013
    Masterful likes this.
  5. arshiabhardwaj21191

    arshiabhardwaj21191 Greenhorn

    #5
    SafeNet ProtectDB software delivers powerful database encryption and database protection for the sensitive corporate and customer information stored in databases in the data center and the cloud. With ProtectDB, organizations have the flexibility to encrypt data at multiple levels and during multiple processes. Centralized key management provided with the integrated SafeNet DataSecure solution helps tighten security and simplifies the encryption of data in virtually any number of databases across the heterogeneous environments often found in data centers or virtualized environments. Working together, ProtectDB and DataSecure help organizations attain the highest level of security available in a commercial database encryption solution.
    arshiabhardwaj21191, Oct 29, 2013
  6. coolrohit222002

    coolrohit222002 Active Member

    #6
    There is no such thing as 100% protection.
    The best thing you could do is to take a "REGULAR BACKUP" of your database.
    If you can do it every day, then that's good.
    So if everything goes wrong, you can just recover it back.
    coolrohit222002, Oct 30, 2013
    Masterful likes this.
  7. superuser101

    superuser101 Peon

    #7
    Prevent SQL injections and install reCAPTCHA or similar.
    superuser101, Oct 31, 2013
  8. jscg

    jscg Active Member

    #8
    And how do you think reCaptcha will help him secure the database?
    jscg, Oct 31, 2013
  9. superuser101

    superuser101 Peon

    #9
    There's software that hacks dozens of websites automatically. At least they won't overload the DB engine with thousands of useless queries when the captcha is on.
    superuser101, Nov 2, 2013
  10. pmf123

    pmf123 Active Member

    #10
    Take a look at this also:
    http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
    pmf123, Nov 20, 2013
  11. djjmz

    djjmz Active Member

    #11
    First check what is being typed, then remove all special characters.
    djjmz, Nov 20, 2013
  12. pmf123

    pmf123 Active Member

    #12
    I believe mysql_real_escape_string($_POST['']) takes care of most of that.
    pmf123, Nov 20, 2013
  13. djjmz

    djjmz Active Member

    #13
    For text input I use this:
    PHP:
        $text = preg_replace("/[^a-zA-Z0-9]/", "", $_POST['text']);
    For a number which is an integer, use this:
    Code (Text):
        $number = (int)$_POST['number'];
    There are a lot of ways to build a safe website; use Google.
    djjmz, Nov 20, 2013
  14. PoPSiCLe

    PoPSiCLe Well-Known Member

    #14
    First way to protect your db is to get rid of mysql_ and start using mysqli_ or preferably PDO. With proper, prepared statements.

    And of course, sanitize, sanitize, sanitize. Never trust anything a user inputs.
    PoPSiCLe, Nov 23, 2013
  15. dxter

    dxter Greenhorn

    #15
    This is not enough. Use prepared statements and parameterized queries.
    dxter, Nov 25, 2013
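The prepared-statement approach that posts #10, #14 and #15 recommend, as an added example that is not code from the thread: the webform insert from post #1 written with PDO. It uses an in-memory SQLite database so it runs without a MySQL server; the table and column names (submissions, name, email, age) are assumptions.

```php
<?php
// Added example, not from the thread. The webform insert from post #1 done
// with PDO prepared statements, as posts #10, #14 and #15 advise. SQLite in
// memory keeps it self-contained; for MySQL swap the DSN for
// 'mysql:host=localhost;dbname=app;charset=utf8mb4' and also set
// PDO::ATTR_EMULATE_PREPARES to false so the server binds the parameters.
// Table and column names (submissions, name, email, age) are assumptions.

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    // Throw on errors instead of failing silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE submissions (id INTEGER PRIMARY KEY, ' .
               'name TEXT NOT NULL, email TEXT NOT NULL, age INTEGER NOT NULL)');
    return $pdo;
}

// UNSAFE shape (string-building around mysql_query): the value is pasted
// into the SQL text, so a quote inside $name changes the query itself.
//   $sql = "INSERT INTO submissions (name) VALUES ('" . $name . "')";

// SAFE shape: the SQL text is fixed and values travel separately as
// parameters, so no escaping function is needed at all.
function saveSubmission(PDO $pdo, string $name, string $email, int $age): int {
    $stmt = $pdo->prepare(
        'INSERT INTO submissions (name, email, age) VALUES (:name, :email, :age)'
    );
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function findByName(PDO $pdo, string $name): ?array {
    $stmt = $pdo->prepare('SELECT name, email, age FROM submissions WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = connect();
// Constructed input: the apostrophe would break a string-built query but is
// simply stored as data here.
$id = saveSubmission($pdo, "O'Brien", 'obrien@example.com', 42);
var_dump(findByName($pdo, "O'Brien"));
```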
  16. Jigney

    Jigney Active Member

    #16
    Hey coolrohit222002,

    I agree with you. Backup is most important when you are working on a database, so take a day-by-day backup of your database and keep it safe, because in any case, if your database or data is removed, your old backup will help you recover it. So, as per coolrohit222002, take a "REGULAR BACKUP" of your database and keep it safe yourself.

    Jigney, May 22, 2014
  17. mikejwatson

    mikejwatson Greenhorn

    #17
    A good backup procedure is of course important. I tend to set up a cron job, which can often be done in a web hosting control panel, such as Plesk. Cron is often referred to as "Scheduled Tasks". With cron you can run mysqldump on the database, e.g. every hour or 12 hours - the frequency is up to you.

    In the same way, it's also possible to get the web server to run a php script to email the backup to you. I get this emailed to my gmail account, and then I use a filter to automatically place the emailed, zipped, backup in a folder within Gmail. Since Gmail gives me 30GB space, it takes a long time to fill up!

    Preventing SQL Injection: The important thing to remember is to filter all of the data inputted by the user. So for example, some typical fields you'd want to make sure you filter are:

    $_GET['email']
    $_GET['firstname']
    $_GET['message'] (or their $_POST equivalents)

    Here's some PHP code for validating a submitted field:

    $message_filtered = filter_var($_GET['message'], FILTER_SANITIZE_STRING);

    Filtering will also help prevent cross-site scripting (XSS) threats. Check out this page for more in-depth information about the filtering functions available within PHP:

    http://www.w3schools.com/php/filter_sanitize_string.asp

    Let me know if I can be of further help.
    mikejwatson, May 22, 2014
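Input validation for the form fields that posts #13 and #17 discuss, as an added example that is not code from the thread: it uses PHP's filter extension to reject bad values rather than silently rewriting them, and encodes at output time for XSS. The field names (email, age, username, message) and the limits are assumptions.

```php
<?php
// Added example, not from the thread: validating the form fields that posts
// #13 and #17 talk about, with PHP's filter extension. Field names (email, age,
// username, message) are assumptions. Validation decides what is accepted;
// the database write still needs a prepared statement.

function validateSubmission(array $input): array {
    $username = trim((string) ($input['username'] ?? ''));
    $message  = trim((string) ($input['message'] ?? ''));

    $checked = [
        // Reject anything that is not syntactically an address.
        'email' => filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL),
        // Integer with a range: stricter than a bare (int) cast, which
        // silently turns "12abc" into 12 and "abc" into 0.
        'age' => filter_var($input['age'] ?? '', FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0, 'max_range' => 150]]),
        // Whitelist like the preg_replace in post #13, but rejecting the
        // value instead of silently stripping what the user typed.
        'username' => preg_match('/^[A-Za-z0-9_]{3,32}$/', $username) === 1
            ? $username : false,
        // Free text stays as typed; only its length is bounded.
        // FILTER_SANITIZE_STRING (post #17) is deprecated since PHP 8.1;
        // encode at output time instead, see render() below.
        'message' => ($message !== '' && mb_strlen($message) <= 2000)
            ? $message : false,
    ];
    // false marks a rejected field; everything else is accepted as-is.
    $errors = array_keys(array_filter($checked, fn($v) => $v === false));
    $clean  = array_filter($checked, fn($v) => $v !== false);
    return ['clean' => $clean, 'errors' => $errors];
}

// XSS defence belongs at output: encode for the HTML context when rendering.
function render(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed submission standing in for $_POST: 'age' is rejected, the
// other three fields are accepted unchanged.
$result = validateSubmission(['email' => 'user@example.com', 'age' => '12abc',
    'username' => 'bob_42', 'message' => 'Hello <b>there</b>']);
var_dump($result['errors']);
echo render($result['clean']['message']), "\n";
```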