Lecture 13: MySQL and PHP
Monday, March 26, 2018
Source: mathcs.wilkes.edu/~wagnerja/cs383/lecture12.pdf

MySQL – The “Old” Way

• In older versions of PHP, we typically used functions that started with mysql_ that did not belong to a class
• For example:
  o mysql_connect() to create a connection
  o mysql_select_db() to choose the database
  o mysql_query() to execute a query
  o (and so on…)
• However, as of PHP 5, these functions are deprecated and will likely be removed from PHP at some point down the road
• The newer mysqli class should be used instead
• DO NOT USE THESE OLD FUNCTIONS IN THIS COURSE


mysqli: Connecting

<?php
$conn = new mysqli($host, $user, $pw, $db);
if ($conn->connect_error) die($conn->connect_error);
?>


mysqli: Querying

<?php
$conn = new mysqli($host, $user, $pw, $db);
if ($conn->connect_error) die($conn->connect_error);

$results = $conn->query($query_goes_here);
if (!$results) die($conn->error);
?>


mysqli: Querying

• The result of the query method for queries that return data (such as SELECT queries – not UPDATE, INSERT, or DELETE) is an object that contains the following attributes:
  o current_field
  o field_count
  o lengths
  o num_rows


mysqli: Viewing Results

• You can use the fetch_assoc method to advance the “pointer” (current_field) to each row


mysqli: Querying

<?php
$conn = new mysqli($host, $user, $pw, $db);
if ($conn->connect_error) die($conn->connect_error);

$results = $conn->query("SELECT * FROM foo");
if (!$results) die($conn->error);

// fetch_assoc() returns one row as an associative array (column name => value),
// or null once there are no rows left
while ($row = $results->fetch_assoc()) {
    // do whatever you want with the record
    // access a column using $row['fieldname']
}
?>


Security for Storing Passwords

• Your first lab will deal with authenticating off of an existing database with usernames/passwords in it

• The “obvious” way to set up a database is to create a users table and include a field called username and a field called password, and store both “as entered”

• However, storing passwords in plain text is not secure


Security for Storing Passwords

• Most services use the MD5 encryption algorithm to encrypt passwords

• There are MD5 functions available in BOTH MySQL and PHP

• The “result” of an MD5 encryption is a 32-character string containing hexadecimal characters (0-9 and a-f)


Security for Storing Passwords

• MD5 is not reversible – once something is encrypted, there is no way to decrypt it

• There are 32^16 (1,208,925,819,614,629,174,706,176) different values that can result from MD5 encryption – thus, it’s not quick to brute force

• This is why most services don’t let you retrieve your old password, and only reset it – there is no way to retrieve it

• However, to verify an MD5 value, you can encrypt the other item and compare them


Security for Storing Passwords

• So when a user registers and creates a password, that password should be run through MD5 to be stored for the database:

INSERT INTO users (username, password) VALUES ('$username', MD5('$password'));


Security for Storing Passwords

• To verify logins:

SELECT * FROM users WHERE username = '$username' AND password = MD5('$password');

If there is 1 result from this query, the login is valid


Changing Your Password

• To change your MySQL password to something more memorable, login to dilbert, and login to mysql:

dilbert> mysql -p

• Then, run the following command

mysql> SET PASSWORD = PASSWORD('YOURNEWPASSWORD');


Hiding Your Password

• After you’ve changed your password to something more memorable, you probably don’t want me to see it
• Solution: Put the login information in a separate file (such as mysql_login.php), and then include it in your lab files
• I have access to your MySQL databases for this course, so I can substitute in my own MySQL login information to check your programs


Hiding Your Password

• mysql_login.php:

<?php
$username = "wagnerja";
$password = "password123";
?>

• lab.php:

<?php
require_once('mysql_login.php');
$conn = new mysqli("localhost", $username, $password, "cs383");
// rest of program...
?>


Closing a MySQL Connection

• One thing I forgot to cover last week – you should close your MySQL connections when you are finished with them:

<?php

$conn = new mysqli("localhost", "wagnerja", "password123", "cs383");

// rest of program...

$conn->close();

?>


Code Injection

• Last week, we talked about creating a form with a user’s login and validating it on the next page
• We talked about the security of storing passwords, but not the security of validating input


Code Injection

• Remember the query that we ended last week’s lecture with:

SELECT * FROM users WHERE username = '$username' AND password = MD5('$password');

• What happens if someone enters the following on the login form in the username field:

'; TRUNCATE TABLE users;


Code Injection

• When username is substituted in, the following is run as the query:

SELECT * FROM users WHERE username = ''; TRUNCATE TABLE users; ' AND password = MD5('$password');

• What happens?
  o A SELECT statement, looking for the username of an empty string, is parsed until it reaches the semicolon, telling it that this first query has ended and to execute it
  o As long as that first query does not produce an error, it will move on to the next query
  o It executes the query through the next semicolon – truncating (deleting all records from) the users table
  o Although the remainder of the query is not valid, it does not matter – the second one is executed before the third one is parsed


Code Injection

• There are other things code injection can do
• Suppose someone enters for the username:

'; UPDATE users SET password = MD5('password12');

• Now all passwords in the system (including potentially admin users) have been set to password12


Code Injection

• For code injection to work in databases, users would need to know the structure of your tables
• But is it really that hard to figure out?
  o What are you going to name a table that contains data about your users?
  o What about open source software – if the source code is out there, anybody can read it to see what the tables and field names should be


Code Injection

• Some ways to protect from code injection:
  o Search the input for symbols that don’t match what the field is asking for – why would somebody be putting a semicolon in for a username or first name?
  o Escape out characters – if the single quote is preceded by an escape character (backslash), it will not end the string for the field in the WHERE clause
• Your book suggests using the following function to pass all input through:

<?php
function mysql_fix_string($conn, $string) {
    // if magic quotes already added backslashes to the request data,
    // strip them first so the value is not escaped twice
    if (get_magic_quotes_gpc())
        $string = stripslashes($string);
    // let the connection escape the value for use inside a quoted SQL literal
    return $conn->real_escape_string($string);
}
?>


Code Injection

• get_magic_quotes_gpc() returns an environment variable which is set to false on dilbert, so really, you can just do the following in this class:

$query = "SELECT * FROM users WHERE username = '" . $conn->real_escape_string($username) . "'";
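A complete login check built the way this slide suggests, written here as an added example rather than the lecture's code: both user-supplied values pass through real_escape_string and the result count is checked the way the earlier slide describes. The connection values are placeholders for the ones in your mysql_login.php. Keep in mind that escaping is only correct for a value placed inside a quoted string literal, and that get_magic_quotes_gpc() no longer exists in PHP 8, so the escaping call is all that remains of the book's helper.

```php
<?php
// Added example: escape every user-controlled value before it is
// interpolated into the query text. Connection values are placeholders.
$conn = new mysqli("localhost", "DB_USER", "DB_PASSWORD", "cs383");
if ($conn->connect_error) die($conn->connect_error);

// real_escape_string() puts a backslash in front of quotes, backslashes
// and similar characters, so a quote typed into the form stays inside the
// string literal instead of ending it. This only works because each value
// is wrapped in single quotes in the query below.
function login_query(mysqli $conn, string $username, string $password): string {
    $u = $conn->real_escape_string($username);
    $p = $conn->real_escape_string($password);
    return "SELECT username FROM users WHERE username = '$u' AND password = MD5('$p')";
}

// The lecture's rule: exactly one matching row means a valid login.
function login_valid(mysqli $conn, string $username, string $password): bool {
    $results = $conn->query(login_query($conn, $username, $password));
    if (!$results) die($conn->error);
    $valid = ($results->num_rows === 1);
    $results->free();
    return $valid;
}

// Inputs from the login form (empty string if a field is missing).
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// With the escaping in place, the '; TRUNCATE TABLE users; input from the
// earlier slide is compared as a literal username, matches nobody, and the
// login simply fails.
echo login_valid($conn, $username, $password) ? "Login OK" : "Login failed";

$conn->close();
?>
```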


Prepared Statements

• Prepared statements (when not retrieving records – more on this at a later time) allow you to repeat the same SQL statements more efficiently
• This is not more efficient when you are only executing a statement a couple times


Prepared Statements

<?php
$conn = new mysqli("localhost", "wagnerja", "password123", "cs383");

// provide query with ?s in place of variables
$stmt = $conn->prepare("INSERT INTO lab8users (username, password, firstname, lastname) VALUES (?, ?, ?, ?)");

// bind parameters
// the first argument contains one character per
// variable: s = str, i = int, d = dbl, b = blob
$stmt->bind_param("ssss", $u, $p, $f, $l);

// the bound variables are read each time execute() is called
$u = "ally.apple"; $p = md5("password1"); $f = "Ally"; $l = "Apple";
$stmt->execute();

$u = "bill.bear"; $p = md5("password2"); $f = "Bill"; $l = "Bear";
$stmt->execute();

// more
$stmt->close();
$conn->close();
?>

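The slides defer prepared statements that retrieve records, so here is the earlier login check rewritten that way, as an added example and not the lecture's code: the username and password are sent separately from the SQL text through bind_param, so they can never change the structure of the query. It keeps the lecture's MD5() column for consistency; PHP's own password_hash() and password_verify() are the standard replacement, since MD5 is unsalted and fast to brute force. The connection values are placeholders.

```php
<?php
// Added example: login verification with a prepared statement.
// Connection values are placeholders (keep the real ones in mysql_login.php).
$conn = new mysqli("localhost", "DB_USER", "DB_PASSWORD", "cs383");
if ($conn->connect_error) die($conn->connect_error);

function login_valid(mysqli $conn, string $username, string $password): bool {
    // The SQL text contains only placeholders. MySQL parses it before it
    // ever sees the user's input, so a quote or semicolon in the username
    // is just data in the comparison, never part of the query.
    $stmt = $conn->prepare(
        "SELECT username FROM users WHERE username = ? AND password = MD5(?)"
    );
    if (!$stmt) die($conn->error);

    // "ss": both bound values are strings.
    $stmt->bind_param("ss", $username, $password);
    if (!$stmt->execute()) die($stmt->error);

    // Buffer the result set so num_rows is available, then apply the
    // lecture's rule: exactly one matching row means a valid login.
    $stmt->store_result();
    $valid = ($stmt->num_rows === 1);
    $stmt->close();
    return $valid;
}

// Inputs from the login form (empty string if a field is missing).
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// The injection strings shown earlier (the TRUNCATE and UPDATE variants)
// are compared as literal usernames here and simply match no row.
echo login_valid($conn, $username, $password) ? "Login OK" : "Login failed";

$conn->close();
?>
```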