
We are 1-3 guys maintaining a fairly large but clumsily developed in-house website, with around 900+ MySQL tables and a lot of data access code in PHP. Let's say it is a huge amount of code for just 1 or 2 guys to patch it all. So we decided to fix as many vulnerabilities as possible (prepared statements) but at the same time accept the fact that it is impossible to be 100% SQL-injection proof.

We have listed many things we could "easily" do to reduce the risk/damage from SQLi hackers. One of them is splitting the admin module off to an internal server which is not open to the internet; this helped a lot when the hacker(s) managed to crack the admin password but could not do much harm to the system.

Now we want even more: hiding the admin ID from the database. Admin and moderator IDs are currently stored in a "Moderators" table. So we think it is easier for us to move the admin ID to some (config) file, because we rarely add/remove admins. Moderator IDs are still stored in that table though. Now hackers need to guess which user among half a million records of the "user" table is the admin.

My question: with the admin module not available to the internet, is the hosting server (Ubuntu) safe from being taken over by hackers? In the meantime, we tolerate the attacks on normal/moderator users and the intrusion into the DB.

P/S:

  1. The website owner is gathering more $$ for the ultimate SQLi fix.
  2. It seems even prepared statements are not 100% safe: Are prepared statements 100% safe against SQL injection?
  3. Even a baby knows hard-coding is a big "no no", but that's the best we can think of ....

Phung D. An

  • For #2, read the linked answer again. Nothing is ever 100%, but prepared statements effectively solve the problem in most cases. – multithr3at3d Jul 18 '18 at 18:22
  • For #2, read the linked answer again. There is fine print at the end saying all the issues have been fixed a long time ago. In all, it's one of the worst and most misleading topics on Stack Overflow. Parameterized queries are 100% safe when applicable, unless you are intentionally trying to shoot yourself in the foot. – Your Common Sense Jul 19 '18 at 07:19
  • @YourCommonSense: we do agree that prepared statements are the best thing in the long run – Phung D. An Jul 19 '18 at 14:56
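The three things the question and its comments argue about (string-built SQL, a prepared statement, and the "when applicable" limit of parameters) side by side, as an added example that is not code from the question or from the site being described. It runs against an in-memory SQLite database through PDO so it needs no MySQL server; the `user` table, its columns and rows are constructed, and the function names are hypothetical.

```php
<?php
// Added example, not from the question: string-built SQL next to a prepared
// statement, run on an in-memory SQLite database so it works offline.
// The table, its columns and the rows are constructed sample data.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false so that
// binding is done by the server rather than by client-side escaping.

$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)');
$seed = $pdo->prepare('INSERT INTO user (name, email) VALUES (:name, :email)');
foreach ([['alice', 'alice@example.invalid'], ['bob', 'bob@example.invalid'], ['carol', 'carol@example.invalid']] as [$n, $e]) {
    $seed->execute([':name' => $n, ':email' => $e]);
}

// The "before" pattern the question is refactoring away from: request input
// pasted into the SQL text, so the input can change the meaning of the query.
function findByNameUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM user WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The fix: the value travels as a bound parameter and is never parsed as SQL.
function findByNameSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM user WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// "When applicable": identifiers such as a sort column cannot be bound, so the
// column name comes from an allow-list, never from the request string itself.
function listUsersSorted(PDO $pdo, string $requestedColumn): array
{
    $allowed = ['id' => 'id', 'name' => 'name', 'email' => 'email'];
    $column = $allowed[$requestedColumn] ?? 'id'; // unknown names fall back to a fixed default
    return $pdo->query("SELECT id, name FROM user ORDER BY $column")->fetchAll(PDO::FETCH_ASSOC);
}

$hostile = "x' OR '1'='1";
printf("unsafe: %d rows\n", count(findByNameUnsafe($pdo, $hostile))); // 3: the WHERE clause was rewritten
printf("safe:   %d rows\n", count(findByNameSafe($pdo, $hostile)));   // 0: looked for a user literally named "x' OR '1'='1"
$names = array_column(listUsersSorted($pdo, 'name; DROP TABLE user'), 'name');
printf("sorted: %s\n", implode(',', $names)); // alice,bob,carol: the unknown column name was ignored
```

The comparison of the two `printf` lines is the whole point of the comments above: the same input returns every row through the concatenated query and no rows through the prepared one. The third function is the caveat behind "when applicable": an `ORDER BY` column, a table name or a `LIMIT` count is not a value and cannot be a placeholder, so those parts of a query still need an allow-list or a cast even after the refactor to prepared statements is finished.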

1 Answer

There's a general maxim that trying to hide information within your code base (or table structure in this case) isn't actually helping to secure your software. It's referred to as security through obscurity and is not considered good practice.

I have sympathy for your situation because I have certainly wandered into some code spaghetti in my time, but really your best bet here is to continue to refactor the code and reduce attack vectors.

When you say "crack the admin password" do you mean that someone has already gotten in and stolen the password hashes? If this is a major concern of yours, you should absolutely salt your passwords if not already doing so -- this will help make it much more difficult for attackers to steal passwords.

In terms of developing a triage and working on your refactor, I would highly recommend The 2018 Guide To Building Secure PHP Software.

jsaigle