SDEV300 Lab 7 Solution

Overview

This lab walks you through using Windows, Apache, MySQL and PHP (WAMP) to create simple, yet very powerful PHP applications connected to a MySQL database. For developers using Linux, the acronym becomes LAMP (Windows (W) is replaced by Linux (L)). The basics of inserting, updating, deleting and selecting from MySQL using PHP forms will be provided. Some "bad" security practices that lead to SQL injection vulnerabilities will be exposed as well as some techniques to mitigate these issues. Injection, and particularly SQL injection, continues to plague web applications that use any programming language and a database. Caution and best practices must be used starting in the initial design of an application to eliminate these significant software vulnerabilities.

Learning Outcomes:

At the completion of the lab you should be able to:

1. Create least privilege MySQL accounts for the Web connection
2. Insert data into a MySQL database using PHP forms
3. Query existing data in a MySQL database using PHP forms
4. Delete data from a MySQL database using PHP forms
5. Update data in a MySQL database using PHP forms
6. Identify and use best practices to eliminate SQL injection

Lab Submission Requirements:

After completing this lab, you will submit a Word (or PDF) document that meets all of the requirements in the description at the end of this document. In addition, your associated files should be submitted. You should submit multiple files in a zip file.

Virtual Machine Account Information

Your Virtual Machine has been preconfigured with all of the software you will need for this class. You have connected to this machine in the previous labs. Reconnect again using the Remote Desktop connection, your Administrator username and password.

We will first use a technique very susceptible to SQL injection and then a better approach using prepared statements. Note, the first technique is what NOT to do. It is provided so you can easily identify this issue in future code.
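
The contrast between the two techniques named above, as an added example that is not part of the lab's own files: the same lookup written with string concatenation and with a prepared statement, run against three constructed form inputs. The students table, its rows and the function names are assumptions made for illustration, and an in-memory SQLite database (through PDO) stands in for the lab's MySQL server so the script runs on its own.

```php
<?php
// Added example: constructed table and data. In-memory SQLite via PDO is an
// assumption so the script runs without a server; the lab itself uses MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE students (id INTEGER PRIMARY KEY, lastname TEXT, email TEXT)");
$db->exec("INSERT INTO students (lastname, email) VALUES
    ('Adams', 'adams@example.test'),
    ('Baker', 'baker@example.test'),
    ('O''Brien', 'obrien@example.test')");

// What NOT to do: the form value is pasted into the SQL text, so a quote
// character in the value changes the structure of the statement.
function findByLastnameUnsafe(PDO $db, string $lastname): array
{
    $sql = "SELECT id, lastname, email FROM students WHERE lastname = '$lastname'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Better: the SQL text is fixed and the value is bound to a placeholder,
// so the database only ever treats it as data.
function findByLastnameSafe(PDO $db, string $lastname): array
{
    $stmt = $db->prepare("SELECT id, lastname, email FROM students WHERE lastname = ?");
    $stmt->execute([$lastname]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: an ordinary name, a legitimate name containing an
// apostrophe, and a value that carries SQL syntax.
$inputs = ["Baker", "O'Brien", "x' OR '1'='1"];

foreach ($inputs as $input) {
    try {
        $unsafe = count(findByLastnameUnsafe($db, $input)) . " row(s)";
    } catch (PDOException $e) {
        $unsafe = "SQL error";   // the stray quote broke the statement
    }
    $safe = count(findByLastnameSafe($db, $input)) . " row(s)";
    printf("%-14s concatenated: %-10s prepared: %s\n", $input, $unsafe, $safe);
}
```

The concatenated query fails outright on the legitimate name with an apostrophe and returns every row for the last input, while the prepared statement returns only exact matches in all three cases.
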
In addition, when connecting to a database through a Web interface, the connection credentials should never be from the root account. If your Web connection becomes compromised and the account had root privileges to your database, the hacker now has root privileges to the database as well. The least privilege rule should always be adhered to when assigning user privileges. To make sure the root account is not used for web connections, we need to create a couple of new MySQL users and a new database. One user will be the owner of the new database and have most
