-4

I am going to run a Tor Hidden Service on a Linux server. My site will have an SQL database. This DB contains user login, and a few other basic details.

If it makes a difference depending on the software I use, please answer the following:

1) What SQL database software should I use for the best security on my site? IE to prevent SQL injections and other vulnerabilities etc.

2) The database software should also ensure the privacy/anonymity of the server, so no IP address leaks etc... I know having a secure server can reduce this risk so that no attacks can be performed which could leak valuable data. However, perhaps a certain database software might be better at this? I am unsure.

Only free software, preferably open source, the easier to setup and manage the better. I know sanitizing inputs, correct setup and other factors apply when it comes to security.

EDIT: People have seriously misunderstood the question. I was just curious if database software existed which had additional security in case any attacks such as SQLI had somehow gotten passed the application level security.

I am NOT allowing any users to communicate with the database directly, of course there is an application between user and DB. I am once again curious if any DB software would be better than others at protecting the anonymity of the server, perhaps by having an option which prevents the server connecting to anything which isn't local host so an attacker can't make it connect to a site they control to see any incoming connections and log their IPs (I made this up as an example get over it).

Improve this question
3
  • 4
    SQL injections happen in the application. The database itself is not relevant for the vulnerability.
    – Philipp
    CommentedMay 25, 2016 at 12:00
  • 4
    To me this sounds like a request for product recommendations, and that is not on topic here.
    – Anders
    CommentedMay 25, 2016 at 12:00
  • @Philipp Please check my edit, sorry for any ambiguity before.
    – k1308517
    CommentedMay 25, 2016 at 12:30

1 Answer 1

Reset to default
8

TL;TR: these are not problems of the database. Maybe you are using a wrong architecture for your hidden service. And regarding the additional information after the edit of the question see at the end of this answer.

What SQL database software should I use for the best security on my site? IE to prevent SQL injections and other vulnerabilities etc.

SQL injections are not a problem of the database but of the application using a database which forwards user-input badly filtered directly to the database.

The database software should also ensure the privacy/anonymity of the server, so no IP address leaks etc...

This sounds like you want to make the database directly available to the user, i.e. without an application around the database. This is a very bad idea because then the user can do anything with the database and does not even need to use SQL injections.

If you instead properly restrict access to the database, i.e. only allow access from inside your application, then anonymity is not a problem of the database because it does not know the users IP address. Thus it only depends on what kind of data you put in the database which is a problem of your application and not the database.

I recommend to have a closer look at multi-tier architecture and make sure that you only provide public access to the presentation tier (i.e. the website) but never allow outside access to the data tier (i.e. the database). This access should only be done by the logic tier and no unfiltered user data should ever gets passed to the database (i.e. prevent SQL injection).

EDIT: People have seriously misunderstood the question. I was just curious if database software existed which had additional security in case any attacks such as SQLI had somehow gotten passed the application level security.

In this case the question about anonymity makes not really sense, because if the database is not directly exposed to the user then it can only know the users IP address if the application explicitly provides this information to the database.

As for additional SQLi protection: The task of a database is expected to execute the commands sent to it. The task is not to check if these commands might be caused by unfiltered user input. And at this stage there is not even enough information about this because it is unknown what is user input and what not. Thus only crude heuristics can be applied or additional filters which limit the commands which can be executed. I'm not aware of any database which has such heuristics already built in but there are web application firewalls and IDS which include such heuristics or even database firewalls.

Improve this answer

    Start asking to get answers

    Find the answer to your question by asking.

    Ask question

    Explore related questions

    See similar questions with these tags.