I am working on a web application that will use PHP & MySQL. The application will process confidential data. I need to make it as secure as possible.
I don't want the password for the MySQL user that the application uses to connect to the database to be written in a PHP file in clear text (the root account, for example).
Because of that I made a pseudo MySQL role system with stored procedures. Users will log in to the application with their MySQL username and password. They will have the privilege only to execute MySQL stored procedures, but not SELECT, INSERT, UPDATE or DELETE privileges on the tables that are used inside the stored procedures. The definer of the stored procedures will be the root account.
I have one problem with that: I don't want to store login form data (the password, for example) in the session in clear text. I can't transfer the MySQL connection resource object from one page to another using the session.
I am thinking right now of making the whole web application one big index.php file. That way I will have the MySQL connection resource always available when I need it.
Are there better ways to do this? Probably. I don't want to regret my choice after too much work wasted :).
Thank you in advance.
There exists a design pattern called Front Controller; basically, the entire application is served through one page. You implement your own dispatcher, and the dispatcher handles all the requests, such as which object to instantiate or which page to include. This limits the security exploitation for unknown objects.
Also, for the Session hijacking you can implement your prevention mechanisms by monitoring and checking for
The database part is fairly impressive but may add additional complexities if someone else has to extend or debug your application. You can use prepared statements or, an even better alternative, an ORM such as Doctrine or Data Objects.
The major security exploits are through XSS and CSRF; for that you will have to implement a token passing mechanism within your forms and check for the "origin of request".
Lastly, I would like to point out there are various security exploits possible in a web application. To counter these exploits, lots of good frameworks exist. These issues and vulnerabilities are pre-dealt there. You can consider on the business logic and let someone else handle that for you. Contrary to popular belief, using frameworks will actually steepen your growth over the architectures, security and requests.
Hope this helps!! Cheers!
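
A minimal sketch of the front controller and the form-token plus origin check that the answer above describes, as an added example that is not part of the original answer. The route names, handler functions and `https://app.example` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Allow-list of pages (hypothetical names). Nothing outside it can be reached.
const ROUTES = ['home' => 'show_home', 'records' => 'show_records'];

function show_home(): string    { return 'home page'; }
function show_records(): string { return 'records page'; }

// Create the per-session token that every form embeds as a hidden field.
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// POST requests must carry the session token and come from our own origin.
function csrf_ok(array $session, array $post, ?string $origin, string $site): bool
{
    $sent  = $post['csrf'] ?? '';
    $known = $session['csrf'] ?? '';
    return is_string($sent) && $known !== ''
        && hash_equals($known, $sent) && $origin === $site;
}

// Single entry point: returns [HTTP status, body] for one request.
function front_controller(string $method, array $get, array $post,
                          array $session, ?string $origin, string $site): array
{
    $page = $get['page'] ?? 'home';
    if (!is_string($page) || !array_key_exists($page, ROUTES)) {
        return [404, 'unknown page'];   // input never picks a file or class
    }
    if ($method === 'POST' && !csrf_ok($session, $post, $origin, $site)) {
        return [403, 'CSRF check failed'];
    }
    $handler = ROUTES[$page];
    return [200, $handler()];
}

// Constructed requests; in index.php pass $_SERVER['REQUEST_METHOD'], $_GET,
// $_POST, $_SESSION and ($_SERVER['HTTP_ORIGIN'] ?? null) instead.
$site = 'https://app.example';
$session = [];
$token = issue_csrf_token($session);
echo front_controller('GET', ['page' => 'no_such_page'], [], $session, null, $site)[0], "\n";
echo front_controller('POST', ['page' => 'records'], ['csrf' => $token], $session, $site, $site)[0], "\n";
echo front_controller('POST', ['page' => 'records'], ['csrf' => 'guess'], $session, $site, $site)[0], "\n";
```

The three constructed requests exercise an unlisted page, a POST with the correct token and origin, and a POST with a wrong token.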