Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

2014 database - course 3 - PHP and MySQL

2,330 views

Published on

Published in: Technology

2014 database - course 3 - PHP and MySQL

  1. 1. PHP - MySQL Ensky / 林宏昱
  2. 2. Load data from database GET /enskylin HTTP/1.1 Host: www.facebook.com HTTP/1.1 200 OK HTML
  3. 3. generate HTML GET /enskylin HTTP/1.1 Host: www.facebook.com HTTP/1.1 200 OK HTML
  4. 4. How to access database? • today's topic :D
  5. 5. Establish a connection (you should set it up during your installation) (If you use cscc account, then follow the instruction on cscc MySQL website) username: root password: nctu5566 login successfully
  6. 6. Do some Queries Insert: Create Select: Read Update: Update Delete: Delete INSERT INTO users (id, pw) VALUES ('jlhuang', 'iLove5566') Query OK, 1 rows affected
  7. 7. Dealing with Results Generate the correspond HTML SELECT * FROM users 100 row in set (0.00 sec)
  8. 8. That's all.
  9. 9. Hello world! - connect Establish a connection: $db_host = "host_name"; $db_name = "database_name"; $db_user = "user_name"; $db_password = "password"; $dsn = "mysql:host=$db_host;dbname=$db_name"; $db = new PDO($dsn, $db_user, $db_password);
  10. 10. Hello world! - Insert SQL -- INSERT INTO `users` (id, username, gender) VALUES(1, 'Ensky', 'male') PHP -- $sql = "INSERT INTO `users` (id, username, gender)" . " VALUES(?, ?, ?)"; $sth = $db->prepare($sql); $sth->execute(array(1, 'ensky', 'male')); id username gender 1 Ensky male
  11. 11. Hello world! - Select $sql = "SELECT * FROM `users`" . " WHERE `username` = ? AND `password` = ?"; $sth = $db->prepare($sql); $sth->execute(array('ensky', 'nctu5566')); id username password gender 1 Ensky nctu5566 male 2 Emily sdfasdf female
  12. 12. Hello world! - Retrieve $sql = "SELECT username, gender FROM `users`" . " WHERE `username` = ? AND `password` = ?"; $sth = $db->prepare($sql); $sth->execute(array('ensky', 'nctu5566')); while ($result = $sth->fetchObject()) { echo $result->name . $result->gender; } // Ensky male // Emily female // … id username password gender 1 Ensky nctu5566 male 2 Emily sdfasdf female
  13. 13. Named parameters $sql = "SELECT username, gender FROM `users`" . " WHERE `username` = ? AND `password` = ?"; $sth = $db->prepare($sql); $sth->execute(array('ensky', 'nctu5566')); is equal to $sql = "SELECT username, gender FROM `users`" . " WHERE `username` = :un AND `password` = :pw"; $sth = $db->prepare($sql); $sth->execute(array( ':un' => 'ensky', ':pw' => 'nctu5566'));
  14. 14. PHP Data Objects • PDO is an OO style class • Classes – PDO • PDO __construct ( string $dsn, [, string $username [, string $password ]]) • PDOStatement prepare( string $statement ) • PDOStatement query( string $statement ) – PDOStatement • bool execute ([ array $input_parameters ] ) • mixed fetchObject ([ string $class_name = "stdClass" [, array $ctor_args ]] )
  15. 15. Don't use mysql_* • There are many libraries to help you connect to MySQL database – MySQL – MySQLi – PDO • If your books recommends you to use mysql_xxx functions, throws it.
  16. 16. Don't use mysql_* • What's the problem of mysql_ functions? – It is deprecated in PHP 5.5.0, and will be removed in PHP6 – SQL Injection problem • no prepared statement – Only support MySQL(PDO supports 12 different databases)
  17. 17. What's SQL injection?
  18. 18. Simple query(use mysql ext) login_action.php -- <?php mysql_connect($db_host, $db_user, $db_password); mysql_select_db($dn_name); $result = mysql_query( "SELECT * FROM `users`" ." WHERE `email` = '{$_POST['email']}'" ." AND `password = '{$_POST['password']}'" ); // …
  19. 19. Simple query(use mysql ext) login_form.php login_action.php -- $result = mysql_query( "SELECT * FROM `users`" ." WHERE `email` = '{$_POST['email']}'" ." AND `password = '{$_POST['password']}'" );
  20. 20. Simple query(use mysql ext) login_form.php login_action.php -- $result = mysql_query( "SELECT * FROM `users`" ." WHERE `email` = 'enskylin@gmail.com'" ." AND `password = 'nctu5566'" );
  21. 21. Simple query(use mysql ext) $result = mysql_query( "SELECT * FROM `users`" ." WHERE `email` = 'enskylin@gmail.com'" ." AND `password = 'nctu5566'" ); SELECT * FROM `users` WHERE `email` = 'enskylin@gmail.com' AND `password` = 'nctu5566'
  22. 22. SQL injection "--" in SQL represents "comments" SELECT * FROM `users` -- I want to select all from user SELECT * FROM `users` -- today is a good day
  23. 23. SQL injection If a cracker knows your query logic: SELECT * FROM `users` WHERE `email` = 'user_account' AND `password = 'user_password' give a try: user_account = ' OR 1=1 -- SELECT * FROM `users` WHERE `email` = '' OR 1=1 --' AND `password = 'user_password' OOPS!
  24. 24. SQL injection SELECT * FROM `users` WHERE `email` = '' OR 1=1 --' AND `password = 'user_password' Since 1=1 is obviously true in any circumstances, and below messages are commented out, this instruction will select all users instead of logged in user.
  25. 25. Prepared statement • By prepare query statement before execute, we can prevent SQL injection PREPARE SELECT * FROM `user` WHERE `id`=? AND `password`=? OK, prepared EXECUTE "enskylin", "nctu5566" 1 row in set (0.00 sec)
  26. 26. Password Hashing • Let's look at User creation INSERT INTO (id, password) VALUES ('ensky', 'nctu5566') • Actually, it is very dangerous! • Note that Database server is able to be cracked If hackers can get your "real password", than it is a big problem • Even more, if database administrator can access your real password, than it should be a problem, too. more plaintext passwords: https://www.facebook.com/PlainPass
  27. 27. How to solve the plaintext password problem? Password Hashing
  28. 28. Hashing! a many-to-one no inverse function http://www.php.net/manual/en/function.hash.php#104987 Password Hashed PW hello 5d41402abc4 … world 7d793037a07 …
  29. 29. Flow • register • login • Reset hello 5d41402abc4 … 5d41402abc4 … generate hashed password save to database hello 5d41402abc4 … 5d41402abc4 … generate hashed password verify with database's hash world 7d793037a07 … 7d793037a07 … generate new hashed password save to database
  30. 30. Crack • One common crack method is "rainbow table" – detail algorithm: wiki • password hashing can be cracked by using predefined hash tables • However it can be prevented by using "random salt" for each password
  31. 31. Best practice • Best practice to deal with hashing is to hash with "random salt" • Save 1. generate a random salt 2. hashing password use this random salt 3. save "hashed password" with random salt to database • Verify 1. query hashed password with random salt by user 2. regenerate hashed password and verify with real data
  32. 32. PHP support • PHP 5.5 supports password_hash, password_verify functions to deal with password hashing problem http://www.php.net/manual/en/function.password-hash.php • However, CSCC only provides PHP 5.3 so you should use crypt function instead http://www.php.net/manual/en/function.crypt.php • Since crypt is not easy enough to use, TA provided TA's version: http://pastebin.com/aDdWvhXm
  33. 33. Usage // create a hash $hash = password_hash($_POST['password']); // verify a hash if (password_verify($_POST['password'], $hash)) { echo 'Password is valid!'; } else { echo 'Invalid password.'; }
  34. 34. References • PDO: http://tw2.php.net/manual/en/class.pdo.php • crypt: http://tw2.php.net/manual/en/function.crypt.php • plainpassword: https://www.facebook.com/PlainPass • pdo-mysql-mysqli: http://blog.roga.tw/2010/06/%E6%B7%BA%E8%AB%87-php-mysql-php- mysqli-pdo-%E7%9A%84%E5%B7%AE%E7%95%B0/

×