Monday, 9 March 2015

MAMCWES, the most secure mysqli PHP class wrapper I've ever seen.

This post is all about... mamcwes (GPL v3).

What's that?

An easy-to-use PHP class for MySQL interaction, optionally allowing linking between multiple database user logins (with custom user rights on your databases/tables) and custom userlevels.

For who is it?

PHP writers / developers / coders generally.

What does it do, how does it differ from other mysqli classes?

It's a mysqli wrapper providing extensive security protection.
Basically, the required credentials for the mysqli connection are loaded only very briefly into PHP memory, inside the class call. It is fully impossible for people to get the MySQL login credentials.

Furthermore, it allows you to log in as multiple MySQL users based on your custom userlevel table, which is useful for hard-restricting permissions to the database, providing even more security.

How does it work?

$this->gl_conf_ulvl is the userlevel setting. By default it is loaded from $_SESSION['rdmstring'].
Use the escstr function to escape any kind of user input before it goes into a query.
Looking at the class (function) names, it won't be too hard to figure out how to make the DB connection / calls.

Usage example:
First add your database connection login to the cfg file.

<?php
@session_start();
$_SESSION['us0rlv0l']=1; # userlevel, optionally set by your own login script. Will be used to select the login data (array) id from the config file.

#For more protection you could use:
#$_SESSION[${$_SESSION['rdmstring']}]=1; # userlevel, stored under a random session key

$mysqlerrordie=0; # 1 to terminate php execution on mysql error.
#$olddir=getcwd(); # optional
include "mysql.class.5.php"; # note: when you put the class in another folder, use chdir("classes"); first to navigate to that folder. Go back with chdir($olddir); if needed.

$sql=@new MYSQL();
# Build the query; escstr() escapes the (already validated) user input.
$query="SELECT badword FROM `badwords` WHERE `badword` = '".$sql->escstr(customvalidatefunction($_POST['badword']))."'";
# Run it through the class. The query method name below is an assumption; check the class for the actual call.
$r=$sql->query($query);

if (isset($r) && $sql->count_rows($r) > 0){
    foreach($sql->db_array2($r) as $item){ # also available are db_array, db_object(2) and db_assoc(2), where the 2 means more than 1 entry can be fetched, thus requiring processing via a foreach loop.
        echo $item[0];
    }
}

Basically, if you build your own user login system with this class, you first connect with a read-only MySQL user that retrieves your user table, retrieve the userlevel of the logged-in person, and then you can use that userlevel variable to select the desired MySQL user credentials (permissions) for that userlevel, while the userlevel will always be stored in a random session variable.
Untraceable and ultrasecure.
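The userlevel-to-credentials scheme described above and the badword lookup from the usage example, as an added illustration written directly against mysqli (not MAMCWES code; the $cfg layout, the 'rdmstring' and 'us0rlv0l' session keys and the badwords table are assumptions). It goes one step further than the post by running the lookup as a prepared statement, so the value is bound rather than escaped into the SQL string.

```php
<?php
// Added example, not MAMCWES code: per-userlevel credential selection written
// directly against mysqli. The $cfg layout, the session key names and the
// badwords table are assumptions for illustration.
session_start();

// Assumed cfg file content: one credential set per userlevel, each MySQL user
// granted only the rights that level needs (e.g. level 0 = SELECT only).
$cfg = [
    0 => ['host' => 'localhost', 'user' => 'app_ro', 'pass' => 'READONLY_PASS',  'db' => 'app'],
    1 => ['host' => 'localhost', 'user' => 'app_rw', 'pass' => 'READWRITE_PASS', 'db' => 'app'],
];

// The userlevel sits under a session key whose name is itself random per session
// (assumed to be kept in $_SESSION['rdmstring']); unknown levels fall back to 0.
$levelKey = $_SESSION['rdmstring'] ?? 'us0rlv0l';
$level    = (int) ($_SESSION[$levelKey] ?? 0);
if (!isset($cfg[$level])) {
    $level = 0;
}

// Credentials are in scope only for the duration of the connect call.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of warn
try {
    $c  = $cfg[$level];
    $db = new mysqli($c['host'], $c['user'], $c['pass'], $c['db']);
} catch (mysqli_sql_exception $e) {
    $db = null; // never echo $e: its message can name the host and user
}
unset($c, $cfg); // drop the credential arrays whether or not the connect succeeded
if ($db === null) {
    http_response_code(500);
    exit('database unavailable');
}

// The post's badword lookup with the input bound as a parameter: the value can
// never change the structure of the query, whatever characters it contains.
function findBadword(mysqli $db, string $candidate): ?string
{
    $stmt = $db->prepare('SELECT badword FROM `badwords` WHERE `badword` = ?');
    $stmt->bind_param('s', $candidate);
    $stmt->execute();
    $stmt->bind_result($badword);
    $found = $stmt->fetch() ? $badword : null;
    $stmt->close();
    return $found;
}

$hit = findBadword($db, (string) ($_POST['badword'] ?? ''));
echo $hit === null ? 'clean' : htmlspecialchars($hit, ENT_QUOTES, 'UTF-8');
```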


mamcwes 0.2 (English)
