Questions tagged [databases]

Security related aspects of databases and database access.

Databases are designed to store huge amounts of structured data in a way that is easily accessible.

The most common type of database is the relational database, such as Oracle and MySQL. The standardized language for accessing these databases is SQL (Structured Query Language).

Security aspects related to databases include various approaches to access control and secure stored procedures. There is a dedicated tag for the injection of query fragments into SQL statements: .

728 questions
133 votes, 3 answers

Is HostGator storing my password in plaintext?

I want to bring this up to HostGator, but want to verify my suspicions before making a big fuss. I asked a customer care representative to help me add an SSL certificate to a site I host with them. When he was done, I received this e-mail with all…
Marquizzo
80 votes, 7 answers

SQL injection -- why isn't escape quotes safe anymore?

Raw SQL When you're writing SQL -- for anything that takes human input really, a lot of things have been done to avoid the injection. Everyone that's heard of SQL injection knows that (I'm going to use PHP as a sample) doing something like this…
Incognito
77 votes, 4 answers

Is it generally a bad idea to encrypt database fields?

I work at a tiny company; it's literally me (the programmer) and the owner. The owner has asked me to encrypt several fields in a database to protect the customers' data. This is a web application that helps law firms manage their data, so basically…
Bhaskara
75 votes, 10 answers

Why Disallow Special Characters In a Password?

The culprit in this case is a particular (and particularly large) bank that does not allow special characters (of any sort) in their passwords: just [a-Z 1-9]. Is there any valid reason for doing this? It seems counterproductive to stunt password…
Gary
66 votes, 7 answers

Is it safe/wise to store a salt in the same field as the hashed password?

In using Argon2 for hashing passwords in my application, I've noticed it generates a string like this (e.g. for password "rabbit"): $argon2i$v=19$m=65536,t=3,p=1$YOtX2//7NoD/owm8RZ8llw==$fPn4sPgkFAuBJo3M3UzcGss3dJysxLJdPdvojRF20ZE= My understanding…
PenumbraBrah
63 votes, 8 answers

How do you explain to experts that a database server should not reside in the DMZ?

Our security experts, database administrators, network team and infrastructure team are all saying it's OK to have the database server located in the DMZ along with the HTTP server and middleware server. Their reason: if the database server is…
bruce bana
62 votes, 2 answers

Why is credit card information not stolen more often?

Nowadays there are a lot of hacked websites with stolen login information. In many cases the website states that no credit card data and/or payment information was stolen. Why is that? What I assume is that both the database storing the payment…
tim
52 votes, 13 answers

Sequential identifying string that can't be reverse engineered (the "invoice number" problem)

Let's say I operate a website where you can create cat pictures. I give every cat picture a unique identifier so that it can be shared on social media with http://catpictures.com/base62Identifier. I could give the cat pictures sequential identifiers…
Escher
41 votes, 8 answers

Does password-protecting a database living next to the application add any security?

I've seen setups where a password-protected database resided on the same server as an application holding the credentials to said database in plain text. What are the benefits of such a setup over a simply unprotected database? Apart from some…
39 votes, 4 answers

Is it safe to store the database password in a PHP file?

My connection.php file stores the credentials to connect to the database: When a page needs to connect to the database I just…
OammieR
38 votes, 4 answers

avoid hitting DB to authenticate a user on EVERY request in stateless web app architecture?

Summary Once a user logs into a web site and his username/password credentials are verified and an active session is established, is it possible to avoid hitting the DB for each and every request from that user? What is the recommended method of…
36 votes, 9 answers

Can I conceal which account in my database is the admin account, so an attacker won't know which hash to crack first?

Say I had a database that looked like this: Name Password hash (bcrypt) Status -------------------------------------------------------------------------------- Dave $2y$10SyyWTpNB.TyWd3nM…
Melkor
36 votes, 4 answers

Is using a DB prefix for tables more secure?

I see systems that use database prefixes. Some call it a security feature. Some call it a way to have multiple installations in one database. The main pro is that it's harder to guess the whole table name. On the other hand, if you have some kind of…
janw
34 votes, 4 answers

Is it okay to reveal database's table names?

I'm developing a web application that uses a database. I have to do some operations which need database table names and the DB table schema. Will it be secure if I send this kind of information to the client side (JavaScript via JSON), or should I keep those…
Krystian
28 votes, 6 answers

Filter user input before the database or upon display?

Given a web application where user data must be properly escaped to avoid XSS, is it better to try to remove the "bad stuff" before it enters the database, or is it best to allow it in the database but be careful about escaping output when it is…
bstpierre