Lecture 13: MySQL and PHP. Monday, March 26, 2018

Transcription

1 Lecture 13: MySQL and PHP Monday, March 26, 2018

2 MySQL The Old Way In older versions of PHP, we typically used functions that started with mysql_ that did not belong to a class For example: o o o o mysql_connect() to create a connection mysql_select_db() to choose the database mysql_query() to execute a query (and so on ) However, as of PHP 5, these functions are deprecated, will likely be removed from PHP some point down the road The newer mysqli class should be used instead DO NOT USE THESE OLD FUNCTIONS IN THIS COURSE 1

3 mysqli: Connecting <?php $conn = new mysqli($host, $user, $pw, $db); if($conn->connect_error) die($conn->connect_error);?> 2

4 mysqli: Querying <?php $conn = new mysqli($host, $user, $pw, $db); if($conn->connect_error) die($conn->connect_error); $results = $conn->query($query_goes_here); if(!$results) die($conn->error);?> 3

5 mysqli: Querying The result of query method for queries that return data (such as SELECT queries not UPDATE, INSERT, or DELETE) is an object that contains the following attributes: o current_field o field_count o lengths o num_rows 4

6 mysqli: Viewing Results You can use the fetch_assoc method to advance the pointer (current_field) to each row 5

7 mysqli: Querying <?php $conn = new mysqli($host, $user, $pw, $db); if($conn->connect_error) die($conn->connect_error); $results = $conn->query("select * FROM foo"); if(!$results) die($conn->error); while($row = $results->fetch_assoc()) { // do whatever you want with records // access using using $row->fieldname }?> 6

8 Security for Storing Passwords Your first lab will deal with authenticating off of an existing database with usernames/passwords in it The obvious way to set up a database is to create a users table and include a field called username and a field called password, and store both as entered However, storing passwords in plain text is not secure 7

9 Security for Storing Passwords Most services use the MD5 encryption algorithm to encrypt passwords There are MD5 functions available in BOTH MySQL and PHP The result of an MD5 encryption is a 32-character string containing hexadecimal characters (0-9 and a-f) 8

10 Security for Storing Passwords MD5 is not reversible once something is encrypted, there is no way to decrypt it There are 32^16 (1,208,925,819,614,629,174,706,176) different values that can result from MD5 encryption thus, it s not quick to brute force This is why most services don t let you retrieve your old password, and only reset it there is no way to retrieve it However, to verify an MD5 value, you can encrypt the other item and compare them 9

11 Security for Storing Passwords So when a user registers and creates a password, that password should be run through MD5 to be stored for the database: INSERT INTO users (username, password) VALUES ('$username', MD5('$password')); 10

12 Security for Storing Passwords To verify logins: SELECT * FROM users WHERE username = '$username' AND password = MD5('$password'); If there is 1 result from this query, the login is valid 11

13 Changing Your Password To change your MySQL password to something more memorable, login to dilbert, and login to mysql: dilbert> mysql p Then, run the following command mysql> SET PASSWORD = PASSWORD('YOURNEWPASSWORD'); 12

14 Hiding Your Password After you ve changed your password more memorable, you probably don t want me to see it Solution: Put the login information in a separate file (such as mysql_login.php), and then include it in your lab files I have access to your MySQL databases for this course, so I can substitute in my own MySQL login information to check your programs 13

15 Hiding Your Password mysql_login.php: <?php $username = "wagnerja"; $password = "password123";?> lab.php: <?php require_once('mysql_login.php'); $conn = new mysqli("localhost", $username, $password, "cs383"); // rest of program...?> 14

16 Closing a MySQL Connection One thing I forgot to cover last week you should close your MySQL connections when you are finished with them: <?php $conn = new mysqli("localhost", "wagnerja", "password123", "cs383"); // rest of program... $conn->close();?> 15

17 Code Injection Last week, we talked about creating a form with a user s login and validating it on the next page We talked about the security of storing passwords, but not the security of validating input 16

18 Code Injection 17

19 Code Injection Remember the query that we ended last week s lecture with: SELECT * FROM users WHERE username = '$username' AND password = MD5('$password'); What happens if someone enters the following on the login form in the username field: '; TRUNCATE TABLE users; 18

20 Code Injection When username is substituted in, the following is run as the query: SELECT * FROM users WHERE username = ''; TRUNCATE TABLE users; ' AND password = MD5('$password'); What happens? o A SELECT statement, looking for the username of an empty string, is parsed until it reaches the semicolon, telling it that this first query has ended an to execute it o As long as that first query does not produce an error, it will move on to the next query o It executes the query through the next semicolon truncating (deleting all records from) the users table o Although the remainder of the query is not valid, it does not matter the second one is executed before the third one is parsed 19

21 Code Injection There are other things code injection can do Suppose someone enters for the username: '; UPDATE users SET password = MD5('password12'); Now all passwords in the system (including potentially admin users) has been set to password12 20

22 Code Injection For code injection to work in databases, users would need to know the structure of your tables But is it really that hard to figure out? o What are you going to name a table that contains data about your users? o What about open source software if the source code is out there, anybody can read it to see what the tables and field names should be 21

23 Code Injection Some ways to protect from code injection: o o Search the input for symbols that don t match what the field is asking for Why would somebody be putting a semicolon in for a username or first name? Escape out characters If the single quote gets preceded by an escape character (backslash), it will not end the string for the field in the WHERE clause Your book suggests the using the following function to pass all input through: <?php function mysql_fix_string($conn, $string) { if(get_magic_quotes_gpc()) $string = stripslashes($string); } return $conn->real_escape_string($string);?> 22

24 Code Injection get_magic_quotes_gpc() returns an environment variable which is set to false on dilbert, so really, you can just do the following in this class: $query = "SELECT * FROM users WHERE username = '". $conn->real_escape_string($username). "'"; 23

25 Prepared Statements Prepared statements (when not retrieving records more on this at a later time) allow you to repeat the same SQL statements more efficiently This is not more efficient when you are only executing a statement a couple times 24

26 Prepared Statements <?php $conn = new mysqli("localhost", "wagnerja", "password123", "cs383"); // provide query with?s in place of variables $stmt = $conn->prepare("insert INTO lab8users (username, password, firstname, lastname) VALUES (?,?,?,?)"); // bind parameters // the first argument contains one character per // variable: s = str, i = int, d = dbl, b = blob $stmt->bindparam("ssss", $u, $p, $f, $l);... 25

27 Prepared Statements... $u = "ally.apple"; $p = md5("password1"); $f = "Ally"; $l = "Apple"; $stmt->execute(); $u = "bill.bear"; $p = md5("password2"); $f = "Bill"; $l = "Bear"; $stmt->execute(); // more $stmt->close(); $conn->close();?> 26