Php I want to open SQL statements for users to find their own data. the database is not on my server. Is there a security problem?

Source: Internet
Author: User
Tags email account
Php I want to open SQL statements for users to find their own data. the database is not on my server. Is there a security problem? The database is owned by the customer and may be purchased elsewhere.

However, if the data processing program is on my server, the processed data will be stored remotely in the customer's database.

How much harm does this cause to my servers?

The scenario is as follows:
The customer logs on to my management background and fills in the information form on a page. I do not filter the form content.
Then, based on the database information filled in by the customer, I processed the form information and linked it to the customer database for storage.
Of course, I also provide here. the customer fills in the SQL statement and links his database to find his own data.

Problem:
If the customer is malicious, what problems will these access operations cause to my programs and servers?
When the queried data is displayed, will it cause problems with server security? Server or client script or something
Is there any way to increase security for my server?


Reply to discussion (solution)

Yes, you can write regular expressions and perform multiple verification.

Yes, you can write regular expressions and perform multiple verification.



What are the main problems to prevent?

If you open SQL statements in this way, it is inevitable that some people enter some other statements, which may cause security risks. You can restrict and filter SQL statements by row. To avoid unnecessary information leakage.

If you open SQL statements in this way, it is inevitable that some people enter some other statements, which may cause security risks. You can restrict and filter SQL statements by row. To avoid unnecessary information leakage.



Because this database is used by the customer himself, he can check everything. I will give priority to the impact on my server.

Will there be?

What do users do if they are malicious to their own databases?
The user accesses his remote server through your server, which is problematic in actual application:
1. remote server authorization is required for your server ip address
2. remote server access is an order of magnitude slower than local server access
3. since the user has managed your own database, you naturally need to bear data loss, damage, leakage, and other risks.

What do users do if they are malicious to their own databases?
The user accesses his remote server through your server, which is problematic in actual application:
1. remote server authorization is required for your server ip address
2. remote server access is an order of magnitude slower than local server access
3. since the user has managed your own database, you naturally need to bear data loss, damage, leakage, and other risks.



I can understand what you said. the user's database is managed by me, and I can get the authorization.
Data can also be slowed down. Because the data is owned by the user, I will first declare to the user about database errors,
Most users only use my basic functions. enabling SQL queries is for customers with requirements.
So now I am concerned about the security of my programs and servers.
With regard to user data, every user's database is independent, so I will not worry if I break my own database.
However, if my program is broken down, the problem will be big and will affect the use of other users.

For example, I have installed phpMyAdmin on my server, but each user who uses it operates on its own database.
Will this operation damage my phpMyAdmin program?
Will this operation damage my server?

User operations will not break phpMyAdmin
However, users may use personal tools such as phpmyadmin to access others' databases, causing losses to others.

User operations will not break phpMyAdmin
However, users may use personal tools such as phpmyadmin to access others' databases, causing losses to others.



That means my servers and programs won't have a big impact?
If the user uses this tool to access other people's databases, he will not consider it. if he knows the database address and account password of another person, why not operate on him?
Just like people know your email account and password.
Are you sure you want to delete your email?

As long as you can confirm that my programs and servers will not cause problems due to making these operations public
The program I designed can be further developed.
If a user inserts a script Trojan in the content, the user should execute the script on a browser terminal when retrieving the displayed content.
That is to say, write the problem content to the database, and the problem occurs on his own.
,

You 'd better not open it .,...

No harm, because SQL operates on your own database, and you only provide the environment and code for running php. No problem.

No harm, because SQL operates on your own database, and you only provide the environment and code for running php. No problem.



If something goes wrong, it may be that the page is out, right?
The customer's form is processed by me, and some methods such as regular operation and character concatenation replacement are also used. if these methods have vulnerabilities, are these methods only targeted for protection?

You have rejected the discussion of potential threats, so it is no longer necessary to proceed with this discussion.

You have rejected the discussion of potential threats, so it is no longer necessary to proceed with this discussion.



Is a website only vulnerable to databases?
Isn't server security a threat?

Does it mean that people can obtain the guest user permissions of the server from the server script execution vulnerability?

I don't know much about it, so I want to know more about it.

Check whether filtering is necessary, such as writing files and executing commands. Filter.

No harm, because SQL operates on your own database, and you only provide the environment and code for running php. No problem.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.