
Secure Database Library

Revision as of 08:09, 28 July 2013 by Abhishek Das (talk | contribs)


Introduction

This library is compatible with PHP PDO, but it does not allow insecure operations with it (such as concatenating values into query text in any form). Prepared statements are enforced for all data that is sent to the database engine, and whitelisting (via taint tracking) will be enforced for SQL parameters that the back-end engine cannot accept as prepared data (such as LIMIT and ORDER BY). A base library provides all of these features independently of any particular database engine, and a derived library implements them for each common database engine.

Usage

  • Include the required database adapter wrapper class; for example, for PDO_MySQL:

    require ('phpsec/libs/db/adapter/pdo_mysql.php');

  • Set up a database connection:

    $a = new \phpsec\Database_pdo_mysql ('DATABASE_NAME', 'DATABASE_USER', 'DATABASE_PASSWORD');

  • If you already have a PDO connection, you can pass that object directly to the constructor:

    $pdo = new \PDO ("mysql:dbname=DATABASE_NAME;host=localhost;",'DATABASE_USER','DATABASE_PASSWORD');
    $a = new \phpsec\Database_pdo_mysql ($pdo);

  • Execute queries. Parameters can be passed as an expanded argument list, as a positional array, or as a named array:

    $b = $a->SQL("SELECT * FROM users WHERE username = ? AND dob = ?", "abc", "09/10/1991");
    $b = $a->SQL("SELECT * FROM users WHERE username = ? AND dob = ?", array("abc","09/10/1991"));
    $b = $a->SQL("SELECT * FROM users WHERE username = :username AND dob = :dob", array(':username' => 'abc',':dob' => '09/10/1991'));
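The following script ties the three usage steps together and shows how the two rules from the introduction (bound parameters for data, whitelisting for structural parts such as ORDER BY and LIMIT) look in application code. It is an added example, not code from the phpsec library or from this page. It assumes only the Database_pdo_mysql constructor and the SQL() method shown above; the helpers sortableColumns(), whitelistColumn() and clampLimit() are this example's own and are not library API, since the page states that whitelisting will be enforced by the library but does not show its interface. The return value of SQL() is used opaquely because its shape is not specified on the page.

```php
<?php
// Added example: not part of the phpsec library or the OWASP page.
// Assumes Database_pdo_mysql and SQL() as documented in the Usage section.
// sortableColumns(), whitelistColumn() and clampLimit() are this example's
// own helpers (assumptions), not library API.

require ('phpsec/libs/db/adapter/pdo_mysql.php');

// Fixed set of columns a caller may sort by. Untrusted input is matched
// against this set; anything else is rejected instead of reaching the query.
function sortableColumns()
{
    return array('username', 'dob', 'created_at');
}

// ORDER BY targets cannot be bound as prepared-statement parameters, so the
// only safe option is an exact match against a whitelist of known identifiers.
function whitelistColumn($requested)
{
    $columns = sortableColumns();
    $index = array_search($requested, $columns, true);
    if ($index === false) {
        throw new InvalidArgumentException('Column is not allowed in ORDER BY');
    }
    // Return the whitelist's own literal rather than the caller's string, so
    // the query text only ever contains identifiers that originate in this code.
    return $columns[$index];
}

// LIMIT is likewise structural on many engines: validate it as a bounded integer.
function clampLimit($requested)
{
    $options = array('options' => array('min_range' => 1, 'max_range' => 100));
    $limit = filter_var($requested, FILTER_VALIDATE_INT, $options);
    if ($limit === false) {
        throw new InvalidArgumentException('LIMIT must be an integer between 1 and 100');
    }
    return $limit;
}

$db = new \phpsec\Database_pdo_mysql('DATABASE_NAME', 'DATABASE_USER', 'DATABASE_PASSWORD');

// Untrusted request input (constructed defaults so the script also runs from the CLI).
$username = isset($_GET['u'])    ? $_GET['u']    : 'abc';
$sortReq  = isset($_GET['sort']) ? $_GET['sort'] : 'dob';
$limitReq = isset($_GET['n'])    ? $_GET['n']    : '20';

// The pattern the wrapper refuses: a value concatenated into the query text.
//   $db->SQL("SELECT * FROM users WHERE username = '" . $username . "'");
// Data values must instead travel as bound parameters:
$byName = $db->SQL("SELECT * FROM users WHERE username = :username",
                   array(':username' => $username));

// Structural parts go through the whitelist first. Only the vetted literal
// is placed in the SQL text; the data value (dob) stays a bound parameter.
$orderBy = whitelistColumn($sortReq);
$limit   = clampLimit($limitReq);
$sameDob = $db->SQL("SELECT username, dob FROM users WHERE dob = ? ORDER BY $orderBy LIMIT $limit",
                    '09/10/1991');
```

A request such as ?sort=dob;DROP%20TABLE%20users fails in whitelistColumn() before any SQL is built, and a non-numeric or oversized ?n= fails in clampLimit(); both raise an exception instead of being silently sanitised, which is the behaviour to prefer for identifiers that can never be bound.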

Files

    adapter/base.php
    DatabaseConfig class

    A single wrapper object for all database configuration options. It is easier to pass a single object to functions than an expanded list of arguments.

    DatabaseModel class

    Parent class for all database wrapper classes. Provides most of the PDO compatible interface functions.

    DatabaseStatementModel class

    Parent class for all database prepared statements. Contains methods to actually perform queries and fetch data.

    adapter/pdo_mysql.php
    Database_pdo_mysql class

    PDO_MySQL wrapper class. Extends the DatabaseModel class.

    DatabaseStatement_pdo_mysql class

    PDO_MySQL prepared statement wrapper class. Extends the DatabaseStatementModel class.

    adapter/pdo_pgsql.php
    Database_pdo_pgsql class

    PDO_PostgreSQL wrapper class. Extends the DatabaseModel class.

    DatabaseStatement_pdo_pgsql class

    PDO_PostgreSQL prepared statement wrapper class. Extends the DatabaseStatementModel class.

    adapter/pdo_sqlite.php
    Database_pdo_sqlite class

    PDO_SQLite wrapper class. Extends the DatabaseModel class.

    DatabaseStatement_pdo_sqlite class

    PDO_SQLite prepared statement wrapper class. Extends the DatabaseStatementModel class.

    dbmanager.php
    DatabaseManager class

    This class is not used at the moment. It might be needed later, when the set of libraries is incorporated into a framework, so it is kept for legacy purposes.