Archive for the ‘PHP’ Category

« Older Entries

Designing your database, sometimes its more than just a storage

Thursday, January 21st, 2010

Sadly, I’m catching a cold. I seriously hate being sick, all my motivation goes to nada. Yet I wanted to post on this subject, while I’m not going to get all specific and detailed about it. I will mention basic factors of designing your database. I have this book I bought on the many programming books I have, it was requested by my professor to use it in our database design class but we actually never got to use it.

Now it bothered me, I don’t like buying things without a purpose so I opened it to apply things I learnt in my project. I did learn a few things about database designers, they are divided in two tasks, one is to design the database and the other is to check engines and worry about all physical files and how they are going to be managed. And so on, since it had this overwhelming history of flat files. And it got me to thinking of PHP and some developers.

While I love so much PHP, it’s disheartening to see many people just to rush over the project start assigning all kind of unneeded data types. Let’s be realistic, many people use Int over Medium Int because they “foresee their application passing over a range of 9 millions”, to actually reach that amount it will take years unless you spend an insane amount of money in promotions to get all kind of traffic. You can’t be a microsoft or a google in a year.

It also makes me glad in a way, this mistakes generate jobs, didn’t  you know? Because the buyers who hired those kind of people and made the database design shaky, don’t know why their page is slow or why their query is so slow. By putting a higher range, it means more work for the database engine.

Don’t go adding all type of indexes, just the ones your APPLICATION use most of the type. Like for example we got our auto-incrementer primary key (id), it is UNIQUE so MySQL will check UNIQUE ones first than non-unique ones. Or if we got lets say (categoryID, attachmentID) we got non-unique IDs, but they are mostly searched in a query statement.

Secondly, while I won’t probably real-world examples. A bad design can lead the web application to become a nightmare to maintain or add new features because you will end up refactoring or worst, re-designing your database.

Read this page, it’s from MySQL’s documentation. It’ll be a guide to you if you are designing the database using that database system.

I was thinking, after I release OpenType Threads, oh boy I should be prepared to receive a rain of complains. And shield myself from patterns fanboys. Oh, and I started to like Ruby and Javascript syntax, it’s quite… fun. And now, making extra code to support other browsers is NOT fun.

Posted in PHP, Programming | No Comments »

Thoughts on security in web applications

Tuesday, January 19th, 2010

I’m pretty weary. All this week working on what/how/where/when implementations, starting with logic “what will this object hold?”. Working on the prototype of OpenType Threads has made realize how important it is to detail a plan, it’s good but also a bit lonely hopefully when I launch the prototype I hope some developers join me along.

It is exciting in a way to get new concepts, and just yesterday I start to get a new one that I will immediately implement.

The plan is the following, probably nothing new to many seasoned programmers, but on current projects it is rarely seen, especially in PHP. We usually use a database storage, probably MySQL. MySQL provides the feature to allow multiple users to share one database, with different permissions. Quite a nice feature isn’t it? It’s hard to imagine how useful this is in programming, because well, installing PHP scripts just relies on the usual “SELECT, CREATE, INSERT, DELETE, DROP, UPDATE, ALTER”. We don’t usually THINK why MySQL users exists and many installers just tells you “Hey! Just write your database, database user, password, port if there is any and we’ll do the rest!” And that’s the worst mistake and you’ll see why:

I layered OpenType Threads administration concept in two, the master, the user. The master user has the following privileges :

Master user:

  • INSERT
  • DELETE
  • UPDATE
  • SELECT
  • CREATE
  • ALTER
  • INDEX
  • DROP

The user:

  • SELECT
  • INSERT
  • DELETE
  • UPDATE

Now, where do we usually use the “master user”? The answer lies in administration panel, imagine if you use wordpress, wordpress plug-ins usually need to CREATE/DROP/ALTER/INDEX a table, INSERT, DELETE, UPDATE, SELECT data. It’s perfect for the admin section.

Now why would I want to use two users, sharing the same database? The answer lies in SQL exploits. I won’t pretend this will take care of all injections, that depends mostly on your sanitation of inputs in your web application. It will certainly stop aggressive ones, like, for example:

- a malicious user attempts to DROP the database, everything will be lost in just one command.
- One of your administrator’s “betrays” you and attempt tries to delete tables, again the DROP command will be unavailable.

Now as we see, using a the “normal user” will certainly be helpful. Yet it leaves kind of a gap, we can’t do much with the “DELETE” command, actually we can if you rethink your application. Lets say that in your articles table you have the usual (artID, artContent, artTitle) lets add one more column (artState(ENUM(‘publish’,'delete’,'draft’))). We have enumerated three options, publish, delete and draft. The usual “publish” will just show the article to the users viewing your site.

Now, instead of using the DELETE command to delete the record, it will hide the record and add it to a “trash can” which will be ONLY be deleted when you access the administration panel so it carries the “master user”.

Issues like “what if I get my admin login stolen?”, “what if the malicious user steals the user, password of the master user?”. Well, those issues depends on the security of your web application, it has nothing to do with the TRANSACTIONS made. And of course, sanitize all inputs.

I don’t believe it hurt to try this because so far it’s just another measure to take. Infact I’m not taking the measure with just using TWO MySQL users. I’m also throwing in Foreign Keys Constraints, to stop any user deleting data that is related in another table. The introduction of Foreign keys constraints, it’s useful, but also can turn into a double edged blade if you overuse it.

Well, there is still a lot to learn :) I’m still lurking in MySQL documentation to get more ideas (but I should stop, implementing all unneeded features will just put a hole in your goal). Yet I’ll just do this one to see how it goes, it’s a gamble after all. I need to see the impact it will cause and what benefits will be gained.

2 people like this post.

Posted in General, PHP, Programming, Projects | 1 Comment »

« Older Entries