I have a webform on my site. It allows people to submit information to my database. At the moment, the webform has no protection. What kind of security measures should I have in place to protect my database? Are bad bots the only risk these days? I use mysql_real_escape_string($_POST['']) to escape special characters, and I use trim($string) to trim whitespace from the beginning and end of every string. Should I be using any other PHP functions to protect my database? Any advice will be much appreciated.
Take your time and read this one: http://simon.net.nz/articles/protecting-mysql-sql-injection-attacks-using-php/
SafeNet ProtectDB software delivers powerful database encryption and database protection for the sensitive corporate and customer information stored in databases in the data center and the cloud. With ProtectDB, organizations have the flexibility to encrypt data at multiple levels and during multiple processes. Centralized key management provided with the integrated SafeNet DataSecure solution helps tighten security and simplifies the encryption of data in virtually any number of databases across the heterogeneous environments often found in data centers or virtualized environments. Working together, ProtectDB and DataSecure help organizations attain the highest level of security available in a commercial database encryption solution.
There is no such thing as 100% protection. The best thing you could do is to take a "REGULAR BACKUP" of your database. If you can do it every day, then that's good, so if everything goes wrong you can just recover it.
There is software that hacks dozens of websites automatically. At least they won't overload the DB engine with thousands of useless queries when the captcha is on.
For text input I use this:

preg_replace("/[^a-zA-Z0-9]/", "", $_POST['text']);

For a number which is an integer, use this:

(int)$_POST['number']

There are a lot of ways to build a safe website; use Google.
The first way to protect your DB is to get rid of mysql_ and start using mysqli_ or, preferably, PDO, with proper prepared statements. And of course, sanitize, sanitize, sanitize. Never trust anything a user inputs.
Hey coolrohit222002, I agree with you. Backup is most important when you are working on a database, so take a day-by-day backup of your database and keep it safe, because if your database or data is removed, your old backup will help you recover it. So, as per coolrohit222002, take a "REGULAR BACKUP" of your database and keep your work safe.
A good backup procedure is of course important. I tend to set up a cron job, which can often be done in a web hosting control panel such as Plesk. Cron is often referred to as "Scheduled Tasks". With cron you can run a mysqldump on the database, e.g. every hour or every 12 hours; the frequency is up to you. In the same way, it's also possible to get the web server to run a PHP script to email the backup to you. I get this emailed to my Gmail account, and then I use a filter to automatically place the emailed, zipped backup in a folder within Gmail. Since Gmail gives me 30GB of space, it takes a long time to fill up!

Preventing SQL injection: The important thing to remember is to filter all of the data input by the user. So for example, some typical fields you'd want to make sure you filter are:

$_GET['email']
$_GET['firstname']
$_GET['message']

(or their $_POST equivalents)

Here's some PHP code for validating a submitted field:

$message_filtered = filter_var($_GET['message'], FILTER_SANITIZE_STRING);

Filtering will also help prevent cross-site scripting (XSS) threats. Check out this page for more in-depth information about the filtering functions available within PHP: http://www.w3schools.com/php/filter_sanitize_string.asp

Let me know if I can be of further help.
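Putting the two pieces of advice above together (PDO with prepared statements, and filter_var validation of the firstname/email/message fields), here is an added example of a form handler; it is not code from any poster, and the DSN, credentials and the `submissions` table are assumed.

```php
<?php
// Added example (not a poster's code): handler for the name/email/message
// webform discussed above. Values reach MySQL only as bound parameters.
declare(strict_types=1);

// Assumed DSN and credentials; adjust for your host.
$pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

/** Validate submitted fields; returns [errors, cleanData]. */
function validateForm(array $post): array
{
    $errors = [];
    $name = trim((string)($post['firstname'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'firstname must be 1-100 characters';
    }
    // Validate rather than "sanitize": reject bad input instead of mangling it.
    $email = filter_var(trim((string)($post['email'] ?? '')), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email is not valid';
    }
    $message = trim((string)($post['message'] ?? ''));
    if ($message === '' || mb_strlen($message) > 2000) {
        $errors[] = 'message must be 1-2000 characters';
    }
    return [$errors, ['firstname' => $name, 'email' => $email, 'message' => $message]];
}

[$errors, $data] = validateForm($_POST);
if ($errors) {
    http_response_code(400);
    foreach ($errors as $e) {
        // Escape on output so a reflected value cannot run as script (XSS).
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    exit;
}

// Placeholders keep the data separate from the SQL text, so a quote in
// $_POST['message'] can never terminate the string and inject SQL.
$stmt = $pdo->prepare(
    'INSERT INTO submissions (firstname, email, message) VALUES (:firstname, :email, :message)'
);
$stmt->execute($data); // array keys match the named placeholders
echo 'Thanks, your message was saved.';
```

FILTER_SANITIZE_STRING is deprecated as of PHP 8.1 and the mysql_ extension was removed in PHP 7, so the example validates input with FILTER_VALIDATE_EMAIL and length checks, escapes with htmlspecialchars only at output time, and relies on the prepared statement rather than string escaping for the query.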