SoftwareSecurity2012/Group 6/FAQ


Realization of the DBLayer

The DBLayer is realized as a DBLayer object. Its classes are located in /include/dblayer/, which contains implementations for the following databases:

  • MySQLi innodb
  • MySQL innodb
  • MySQLi
  • MySQL
  • pgSQL
  • SQLite

Depending on the configured database, the file /include/dblayer/common_db.php instantiates the DBLayer class for that database, which is located in /include/dblayer/<database-type>.php.

The classes contain various functions; the most important one for us is:

escape()

Escapes the given input so that it can safely be embedded in a quoted string literal of a query for the database in use.

To realize this, built-in functions provided by PHP are used. In the case of MySQL, for example, this is mysql_real_escape_string(). If this function is not available, mysql_escape_string() is used instead. Note that the two are not equivalent: mysql_real_escape_string() takes the character set of the open connection into account, whereas mysql_escape_string() does not, so the fallback is weaker for multibyte character sets. (The mysql_* functions were later deprecated in PHP 5.5 and removed in PHP 7, which is worth keeping in mind when reading this analysis today.)

Therefore, to our present knowledge, these escape functions are secure for the intended database, provided the escaped value is placed inside a quoted string literal. Escaping does not protect values that are used unquoted, such as numeric ids, identifiers or ORDER BY clauses; those must be validated or cast separately.
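The following is an added example, not FluxBB's code: a Python model of what escape() does for MySQL (the character set handled by mysql_real_escape_string(), without the connection charset handling), together with a small scanner for single-quoted literals that shows where an escaped payload ends up. The query builders login_query, topic_query_escape_only and topic_query are hypothetical stand-ins for the forum's own queries, and the injection payload is constructed for the example.

```python
# Added example (not FluxBB's code): a Python model of DBLayer::escape() for
# MySQL, plus a literal scanner to show where an escaped payload ends up.

# Characters that mysql_real_escape_string() prepends a backslash to
# (\0, \n, \r, \, ', " and Ctrl-Z), with the replacement MySQL expects.
ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}


def escape(value: str) -> str:
    """Model of DBLayer::escape() for MySQL (no connection charset handling)."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def string_literals(query: str) -> list:
    """Return the raw contents of every single-quoted literal in `query`,
    treating a backslash as escaping the next character, as MySQL does by
    default. Used to check whether a payload stayed inside one literal."""
    literals, buf, inside, i = [], [], False, 0
    while i < len(query):
        ch = query[i]
        if inside and ch == "\\" and i + 1 < len(query):
            buf.append(query[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if ch == "'":
            if inside:
                literals.append("".join(buf))
                buf = []
            inside = not inside
        elif inside:
            buf.append(ch)
        i += 1
    return literals


# Hypothetical query builders standing in for the forum's own queries.
def login_query(username: str) -> str:
    # Quoted string context: escape() is the right tool here.
    return "SELECT id FROM users WHERE username='" + escape(username) + "'"


def topic_query_escape_only(topic_id: str) -> str:
    # Unquoted numeric context: escape() has nothing to escape in
    # "1 OR 1=1", so the payload becomes part of the SQL.
    return "SELECT * FROM topics WHERE id=" + escape(topic_id)


def topic_query(topic_id: str) -> str:
    # Numeric parameters need validation or a cast (intval() in PHP);
    # int() raises ValueError on anything that is not a plain integer.
    return "SELECT * FROM topics WHERE id=" + str(int(topic_id))


if __name__ == "__main__":
    payload = "admin' OR 1=1 -- "            # constructed injection attempt
    print(login_query(payload))
    print(string_literals(login_query(payload)))
    print(topic_query_escape_only("1 OR 1=1"))
```

With the payload above, string_literals() returns exactly one literal for login_query(), so the quote in the payload never closes the string; for the numeric id the escaped value is byte-for-byte the payload, which is why escape() alone is not enough in that position.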

Installation and Generating config.php

The installation file install.php contains the procedures to create the required tables in the selected database. It is essential that a dedicated database user with limited privileges is the only account allowed to modify the selected database. It is equally important to grant read and write permissions only to the folders that require them, and not to the whole folder containing the FluxBB website. These two factors are outside the scope of our responsibilities, but we mention them because they have direct security implications for the system as a whole.

Coming back to the installation process: depending on the chosen database, the system loads the appropriate DBLayer class. Once loaded, the DB object is created with the information provided by the user, which allows it to connect to the database and create the necessary tables. The tables are created using the functions located in the corresponding <database-type>.php file. Once the tables are set up, the user groups, along with the guest and admin user accounts, are created through INSERT INTO statements. All of these SQL statements pass user-supplied values through the escape() function explained in the previous section, so that the values end up inside quoted string literals and this file cannot be used to inject SQL. Furthermore, the installation file contains checks that verify whether the forum is already installed, preventing a re-run of the installer from being misused.

After the installation process finishes, the file config.php is created. This file contains the access information for the database, as well as the cookie settings and the system's required global variables.
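As an added example (not FluxBB's install.php), the following Python code shows what a careful config.php writer has to get right: values such as the database password are written into PHP single-quoted string literals, so backslashes and quotes must be escaped for that context; the file is created exactly once, mirroring the "already installed" check; and it is created with owner-only permissions, since it holds database credentials. The setting names follow the layout the page describes (database access data, cookie settings) and are assumed; the values are constructed sample data.

```python
# Added example (not FluxBB's code): generating config.php with PHP-literal
# escaping, an install-once check and restrictive file permissions.
import os
import stat
import tempfile


def php_single_quoted(value: str) -> str:
    """Render `value` as a PHP single-quoted string literal. Inside '...'
    PHP only interprets \\ and \', so those are the two characters a
    user-supplied value (e.g. a database password) must not inject raw."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_config(settings: dict) -> str:
    """Build the text of config.php from a dict of settings."""
    lines = ["<?php", ""]
    for name, value in settings.items():
        lines.append("$%s = %s;" % (name, php_single_quoted(str(value))))
    return "\n".join(lines) + "\n"


def write_config(path: str, settings: dict) -> bool:
    """Create config.php exactly once. Returns False if the file already
    exists (the forum was installed before); O_EXCL makes that check
    atomic, and mode 0600 keeps the credentials readable by the owner only."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w") as f:
        f.write(render_config(settings))
    return True


# Constructed installer input (setting names assumed). A password with a
# quote and a semicolon would break, or extend, the generated PHP if it
# were written unescaped.
SAMPLE_SETTINGS = {
    "db_type": "mysqli",
    "db_host": "localhost",
    "db_name": "fluxbb",
    "db_username": "fluxbb_app",      # assumed: a dedicated, limited user
    "db_password": "s3cr'et;pw",
    "db_prefix": "fb_",
    "cookie_name": "forum_cookie",
    "cookie_seed": "0123456789abcdef",
}


def demo_install_once() -> tuple:
    """Run the writer twice against a fresh temporary directory and report
    (first result, second result, permission bits of config.php)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.php")
        first = write_config(path, SAMPLE_SETTINGS)
        second = write_config(path, SAMPLE_SETTINGS)
        mode = stat.S_IMODE(os.stat(path).st_mode)
    return first, second, mode


if __name__ == "__main__":
    print(render_config(SAMPLE_SETTINGS))
    print(demo_install_once())
```

The permission check only applies on POSIX systems; on a real deployment the file should additionally be owned by an account other than the web server's, so that a bug in the forum cannot rewrite its own configuration.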

An example of the config.php generated when we installed our own forum is located here