A good PHP application is not the one with nice graphics or pictures, but the one with thorough security. This presentation lets you know some facts and fixes as far as some database security threats to a PHP application are concerned.

1. Database Security for PHP Rohan Faye

3. Designing databases

4. Connecting to database

5. Encrypted storage model

6. SQL injection

7. Avoiding techniques

8. Conclusion

10. Provides varying dynamic content

11. Stores sensitive or secreat information

12. PHP cannot protect your database by itself

13. “Defense in depth”

15. Grant the privileges in order to allow other users to use it

16. Applications should never connect to the database as its owner or a superuser

17. Stop intruders from gaining access by assigning limited rights to the database objects

20. Automatically handle fields

21. Provides insight when debugging problems

22. Ability to trace back transactions

24. Use SSH to encrypt the network connection between clients and the database server

28. Encrypting the data is a good way to mitigate this threat

30. PHP assists you with several extensions like Mcrypt and Mhash

31. Script encrypts the data before inserting it into the database, and decrypts it while retrieving

32. If raw representation of data is not needed, then can rely upon hashing e.g. crypt() and MD5()

35. Attacker: A high school student

36. Victim: Taiwanese Information Security magazine's site

38. Discovered by: Susam Pal (Security expert)

39. Victim: Official Indian government tourism site

41. Attacker: m0sted and Amen (Turkish hackers)

42. Victim: Kaspersky's malaysian website

44. Attacker: Albert Gonzalez and two unnamed Russians

45. Victim: Heartland Payment Systems

47. Attacker: A turkish crew

48. Victim: Federal Bureau of Investigation job site

50. Attacker: Unknown

51. Victim: RockYou!

54. Can bypass standard authentication and authorization checks

55. May allow access to host operating system level commands

57. Can execute dangerous system level commands on the database host

58. Accomplished by the application taking user input and combinig it with static parameters to bulid a SQL query

60. Validate the input – PHP has a wide range of input validating functions

61. Perl compatible Regular Expressions support

62. Quote each non-numeric user supplied value passed to the databse using database specific string escape function

65. Can be helpful to trace back which application has been circumvented

66. Conclusion “A good PHP application doesn't mean to be good looking. It simply wants to be safe...”

67. Thank you <?php $references = array( 'The PHP manual', 'Guide to PHP Security', 'Wikipedia', ); ?>