Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
Okay, I know the answer to an all-in-one data cleaning strategy: do not do it. My question is: are there any standard actions that should be taken to secure form data right off the bat? Aside from doing my own form validation (i.e. email, phone, etc.).
Currently this is in relation to a web app (HTML, PHP and MySQL), but I would not say this should be limited to that; I want to know best practices. From what I have read, the only time anything should be done as a data cleansing step is before a particular action is taken with that data (i.e. before storing in my database, use mysql_real_escape_string).
EDIT:
Aside from SQL injection, what other malicious attacks can occur from not cleaning data?
First of all, I am assuming you are using MySQLi (PDO is fine as well) and not the deprecated MySQL extension. If not, then you should definitely switch to one of those two.
Before inserting information into the database, always make sure you use prepared statements and parameterized queries (see here: How can I prevent SQL injection in PHP?).
As for validating emails, IPs and other types of data before they are inserted into the database, consider using filter_var() (see here: http://php.net/manual/en/function.filter-var.php).
When pulling information out of your database, make sure you use htmlspecialchars() and strip_tags().
Example: htmlspecialchars(strip_tags($message_body))
Magic Quotes has shown us that every sort of sanitization 'right off the bat' is bad practice. We validate our data when we need it at runtime, as different usage requires different validation.
For validation purposes there are nowadays dozens of libraries available such as GUMP and Zend Forms (Further libraries can be found here: Easiest Form validation library for PHP?).
P.S.: You are talking about mysql_real_escape_string. Make sure that you use either PDO or mysqli instead of the now-deprecated original MySQL API. For more information read: Why shouldn't I use mysql_* functions in PHP?
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 2 years ago.
I want to get a list of 1000+ users and show them in the UI. Should I show all the users at once? If not, how should I show them? I have seen the browser hang due to a large amount of data manipulation.
I want to give a special coupon to the users whose age is more than 50. Should I call the database again to get the users whose age is greater than 50?
I want to manipulate a specific user's data. Which data structure should I follow while getting the user data from the database?
Please forgive me if you find this very noob, but please understand that I want to know how to tackle this optimally! Please answer.
1. You should use pagination to get the data in chunks. Spring Data JPA has PagingAndSortingRepository, which does that (check here).
2. You can do the filtering on the front-end side (React, Angular, etc.). Otherwise, you have to make a special query for those records.
3. You should use DTOs (Data Transfer Objects), which are data structures that represent your database entities in a form suitable for the client (check here).
It depends on the size of your objects. 1000 records are not much if each record is small. So you can either use server-side pagination, which means more queries to the server, or you can use front-end pagination and one server query (this could also be optimized using server caching).
You don't have to do another query to the database, you already have the data, either on the front-end or the backend.
It depends: if it is some logic state that you want to stick with each user, then use your entities. If it is logic related to representation (UI), use DTOs.
Hope this helps
Closed. This question is opinion-based. It is not currently accepting answers.
Closed 6 years ago.
Nowadays it doesn't seem to matter whether you use forms or not for submitting data. Personally, I seem to end up just getting the values from the necessary inputs, manually, using JavaScript, upon the submission of a form (or just a button that is intended to trigger a function that grabs all the input data off the page).
Are there any major differences between using forms to submit data directly over just grabbing the needed elements off a page and using AJAX to send the data?
Edit: I would appreciate explanations if you're going to downvote. I haven't seen this question specifically asked before on Stack Overflow; plus, standards change pretty quickly nowadays, and most new developers might wonder what the point of using a form would be over just manually grabbing inputs.
Using forms is recommended due to the following:
Forms provide backwards compatibility for devices that don't look at CSS or use JavaScript.
With forms you can use tools like parsley.js to grab the whole form, validate it and send it off as part of your AJAX request without bothering to validate every single field in your script.
Other developers expect to see a form because that's how HTML is meant to be, so by omitting one, you introduce unusual code, which in turn would mean wasted time by other developers when they take over your code.
So don't reinvent the wheel and use the forms :)
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 6 years ago.
One of my websites has recently come under attack, and the attack is ongoing. A JavaScript script is being inserted into the MySQL database somehow.
I am using the following:
$unsafe_variable = addslashes(htmlspecialchars(strip_tags(mysql_real_escape_string($_POST['user_input']))));
mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");
However, the hacker is still able to insert a "script" tag. I have no idea how. I have a word filter and blacklisted the word "script", which gets blocked when I post a test to the site. How is he/she able to get it through?
The above is a screenshot of the entry into the database. Anyone have any ideas on how I can prevent this?
For a start, JavaScript is code that a user can actually edit using DOM tools (like Inspect Element) and should never be used as a security mechanism for databases.
You should first start to research prepared statements in PDO if you're using untrusted user input; the bind parameter in the PDO interface automatically strips the HTML content out of the input.
You can also look at the preg_replace function in PHP. This can be used to do more unique and to-the-point stripping and allows functionality like BBCode.
There are plenty of resources on Stack Overflow which cover the security issues raised in this question and certainly solve each layer of attack.
Source 1
Source 2
Also note, the attack you're specifying is an XSS attack used to inject malicious JavaScript code. If you want to allow this code, never directly insert it to a global page (ie: comments that multiple users can see). Only allow the single user to view the code they put in. Otherwise, view the above sources for further information.
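Added example, not code from either of the two PHP threads above (the "right off the bat" question at the top of the page and this stored-script question). It shows in working code what the answers recommend: validate a value at the moment you use it, hand it to the database as a bound parameter, and encode it for HTML only when you print it. It assumes PDO with an in-memory SQLite database as a stand-in for the site's MySQL server (the PDO calls are the same with a mysql: DSN), a constructed $post array in place of $_POST, and table and function names of my choosing. One point worth stating plainly because the answer above blurs it: a bound parameter keeps the value out of the SQL grammar but does not change its bytes, so the <script> text is stored exactly as typed; it is made harmless by htmlspecialchars() at output, which is why neither the escaping chain at insert time nor a blacklist on the word "script" is where the protection belongs.

```php
<?php
// Added example; not code from the questions or answers above.
// Validate at the point of use, insert through a bound parameter, encode
// for HTML at output. SQLite in memory stands in for MySQL. Run with:
// php comments.php
declare(strict_types=1);

function open_db(): PDO
{
    // Assumption: in-memory SQLite instead of the site's MySQL server.
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, email TEXT NOT NULL, body TEXT NOT NULL)');
    return $pdo;
}

/** Validate at the point of use; returns the checked values or throws. */
function validate_comment(array $form): array
{
    $email = filter_var($form['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    $body = (string) ($form['message_body'] ?? '');
    if ($body === '' || strlen($body) > 2000) {
        throw new InvalidArgumentException('message body must be 1..2000 bytes');
    }
    // No escaping, strip_tags or addslashes here: the value is stored as typed.
    return ['email' => $email, 'body' => $body];
}

/** Insert through a prepared statement; the data never enters the SQL text. */
function store_comment(PDO $pdo, array $comment): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (email, body) VALUES (:email, :body)');
    $stmt->execute([':email' => $comment['email'], ':body' => $comment['body']]);
    return (int) $pdo->lastInsertId();
}

/** Encode for the HTML context at output time, and only here. */
function render_comment(array $row): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p><b>' . $e($row['email']) . '</b>: ' . $e($row['body']) . '</p>';
}

// Constructed form submission: an apostrophe that quoting-based filters
// mangle, and a stored-XSS payload that a word blacklist tries to catch.
$post = [
    'email'        => 'alice@example.com',
    'message_body' => "O'Reilly wrote <script>alert(1)</script> & more",
];

$pdo = open_db();
$id  = store_comment($pdo, validate_comment($post));

$stmt = $pdo->prepare('SELECT email, body FROM comments WHERE id = ?');
$stmt->execute([$id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

var_dump($row['body'] === $post['message_body']); // bool(true): stored unchanged
echo render_comment($row), "\n";
// <p><b>alice@example.com</b>: O&#039;Reilly wrote &lt;script&gt;alert(1)&lt;/script&gt; &amp; more</p>
```

If the same body is later placed in a JavaScript string, a URL or an SQL LIKE pattern, it needs that context's encoding instead of htmlspecialchars(); this is the reason the answers say to escape per use rather than once at input.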
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 6 years ago.
I'm new to website developing.
I want to develop a simple website with a search engine to search an MS Access database that contains indexed records with Word files.
Is it possible to develop such a website with JavaScript / Node.js?
Is there another free database that can contain records with Word files that you would recommend for such a website?
Thank you!
Yes, it is possible, e.g. by using the node-adodb module mentioned in this question: Accessing .mdb files through nodejs.
Anyway, I would not recommend it since Access was never meant to be a server database for web applications.
Consider one of the many alternatives, which are server databases, and which provide lots of additional features, e.g. PostgreSQL, MongoDB, … there are countless alternatives, and which one to choose is completely up to your requirements, and a quite different question and clearly out of scope here. But I think you get the idea.
Regarding Word files… basically it's just binary data, so any database that can store binary data (think BLOBs) should be fine, as long as you do not need any special "Word features". PostgreSQL is able to handle BLOBs, in MongoDB I'd suggest GridFS, but as said there are many, many alternatives out there.
What also may be useful is to have a look at projects such as Knex or Sequelize, which unify access to a variety of databases from Node.js.
As Himmel pointed out in the comment, it may be meaningful to convert the Word documents into JSON or XML, either before storing them, or additionally to storing the original files. Both, PostgreSQL and MongoDB, are capable of handling JSON out of the box. I'm not sure about their XML support, tbh.
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
I made a database that holds information about clinical trials and so far I have been accessing and writing to it using php. I was wondering if there was a way to read/write to a SQL Server database using javascript or jquery? The UI I am developing will be for adding clinical trial data to the database. Only the DB admins will have access to this UI so security should not be a "huge" problem.
You need a middle tier like PHP, Rails, Java... to do the database write. You can't do this from the browser with JavaScript. But there is Node.js, which allows you to write JavaScript on the server.
In short, no. Even if there was, you should never leave data validation to the client. Just because your DB admins are trustworthy doesn't mean those who break into your network will be. DROP TABLE ClinicalTrialData; would be a bad thing. Use PHP/backend of choice to do the donkey work and use AJA[X|J] if you want a slick UI experience.
Only via server-side JavaScript, such as using Node.js as your server. Never put your database credentials on the front end unless you want people to directly access your database.
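Added example, not code from the answers above, of the "middle tier" they describe, kept in PHP since that is what the asker already uses. The browser's AJAX call posts JSON to this script; the script checks the admin session, rejects cross-origin requests, validates every field on the server, and writes through a prepared statement using credentials that exist only in the server's environment. It assumes PHP's pdo_sqlsrv driver, a DSN, user and password supplied as environment variables, a `trials` table with the columns listed in ALLOWED_COLUMNS, an is_admin session flag set at login, and an admin UI served from ADMIN_ORIGIN; all of these names are illustrative.

```php
<?php
// Added example; not code from the answers above. A minimal middle tier:
// the browser sends JSON here with AJAX, and only this script, running on
// the server, knows the database credentials. Driver, DSN, table, column,
// session and origin names are assumptions chosen for the example.
declare(strict_types=1);

const ALLOWED_COLUMNS = ['title', 'sponsor', 'phase'];
const ADMIN_ORIGIN    = 'https://admin.example.org';   // assumed UI origin

function fail(int $status, string $message): void
{
    http_response_code($status);
    echo json_encode(['error' => $message]);
    exit;
}

/** Only logged-in admins, and only requests sent by our own UI (CSRF check). */
function require_admin(): void
{
    session_start();
    if (empty($_SESSION['is_admin'])) {
        fail(403, 'forbidden');
    }
    if (($_SERVER['HTTP_ORIGIN'] ?? '') !== ADMIN_ORIGIN) {
        fail(403, 'cross-origin request rejected');
    }
}

function db(): PDO
{
    // Read on the server only; never shipped to the page's JavaScript.
    $dsn  = getenv('DB_DSN')  ?: 'sqlsrv:Server=localhost;Database=ClinicalTrials';
    $user = getenv('DB_USER') ?: '';
    $pass = getenv('DB_PASS') ?: '';
    return new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}

/** Server-side validation; client-side checks are a convenience, not a control. */
function validate_trial(array $input): array
{
    $clean = [];
    foreach (ALLOWED_COLUMNS as $col) {
        $v = $input[$col] ?? null;
        if (!is_string($v) || $v === '' || strlen($v) > 200) {
            throw new InvalidArgumentException("missing or invalid field: $col");
        }
        $clean[$col] = $v;
    }
    if (!in_array($clean['phase'], ['I', 'II', 'III', 'IV'], true)) {
        throw new InvalidArgumentException('phase must be one of I, II, III, IV');
    }
    return $clean;   // keys come from ALLOWED_COLUMNS; values are bound below
}

function insert_trial(PDO $pdo, array $trial): void
{
    $cols  = implode(', ', array_keys($trial));               // fixed identifiers only
    $marks = implode(', ', array_fill(0, count($trial), '?'));
    $pdo->prepare("INSERT INTO trials ($cols) VALUES ($marks)")
        ->execute(array_values($trial));                      // user data bound, never concatenated
}

// --- request handling: POST /trials.php with a JSON body ---
header('Content-Type: application/json');
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST only');
}
require_admin();

$input = json_decode(file_get_contents('php://input'), true);
try {
    insert_trial(db(), validate_trial(is_array($input) ? $input : []));
    echo json_encode(['ok' => true]);
} catch (InvalidArgumentException $e) {
    fail(400, $e->getMessage());
}
```

On the browser side the UI calls this with fetch('/trials.php', { method: 'POST', credentials: 'same-origin', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(trial) }); the page never sees a connection string, and an attacker who reaches the UI still has to pass the session, origin and validation checks before anything reaches SQL Server.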