Question:
PHP Security and SQL Injection?
Kaydell
2008-07-12 22:10:48 UTC
I understand that if I put up a password dialog in my php / mySQL website that I open the site up to security hazards like SQL injection in which a skillful vandal could actually change a great deal of data or erase data in my mySQL database.

How can you secure a website that uses PHP / mySQL?
Six answers:
greigmcl
2008-07-13 03:26:14 UTC
SQL injection attacks have two objectives. The first is to terminate your SQL query and run its own query, and the second is to twist your query to give the attacker what he wants. The length of the field being queried/updated is irrelevant: a varchar(10) doesn't give you only 10 characters to attack in, because I can rewrite your form in a couple of minutes, and once I close out your query I can put in whatever I want.

Generally what you need to do is prevent the user from ending your query or messing with it in some way, and the function mysql_real_escape_string() was designed to do that. The function's page also has some notes on SQL injection and safeguarding queries.
just "JR"
2008-07-13 06:38:33 UTC
Any field that a user fills in on a form that you process into a database CAN include a vicious piece of code.

To avoid this, you have to check data before inserting (or updating) your tables.

Say you have a field "Address" (usually long), set as a "varchar" (100): those 100 characters can be a command!

Worse: fields defined as "TEXT".

- Before inserting/updating, check these string queries for malicious code, commands, etc. (words like "insert", "delete", "select", "create", file extensions such as "asm", "exe"), or non-text (i.e. characters below 0x1F), and reject if you find one.

However, don't be too paranoid: if your site is decent, so will be your visitors.

Just make an automatic DB backup daily.
2008-07-14 13:59:56 UTC
Before going into the details of preventing SQL injection, you should know how the hackers go about injecting SQL and taking the data / table names out without knowing much about your database schema. I found this wonderful article about it:

http://www.go4expert.com/forums/showthread.php?t=11841

It shows you how you can get almost every aspect of data from the database, and knowing this helps you protect yourself. I have been checking out my other sites now.

Thanks

Shabbir
?
2014-10-06 14:09:19 UTC
Learn SQL injection in detail and ways to protect against it:

http://www.hackingloops.com/2014/09/sql-injection-injection-attacks-owasp-1.html
coffeeaddict_uk
2008-07-13 11:49:52 UTC
What greigmcl said is right... but just to add, you should 'idiot proof' your scripts by validating ANY user input data you receive BEFORE you put it into a query. If the data is a number, use the is_numeric() function on it to check it. If it isn't, then reject it.

If a string is only supposed to have certain characters in, check it only contains those characters using preg_match() or preg_match_all().
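The two points above, escaping the query as greigmcl describes and validating input before it reaches the query as coffeeaddict_uk describes, side by side with the prepared-statement form PHP now recommends. This is an added example, not code from any of the posters; it assumes a table `users(username, password_hash)` and an already-open mysqli or PDO connection.

```php
<?php
// Added example: three ways of building the same lookup in PHP/MySQL.
// Assumes a table users(username, password_hash) and an open connection.

// 1. Vulnerable: untrusted input is pasted straight into the SQL text, so a
//    single quote in $username ends the string literal and the rest of the
//    input becomes part of the query (the "terminate your query" case).
function buildQueryUnsafe(string $username): string
{
    return "SELECT password_hash FROM users WHERE username = '$username'";
}

// 2. Escaping, as greigmcl suggests. The mysqli method is used because the
//    old mysql_* functions (mysql_real_escape_string) were removed in PHP 7.
//    It needs the live connection: correct escaping depends on the
//    connection's character set.
function buildQueryEscaped(mysqli $db, string $username): string
{
    $safe = $db->real_escape_string($username);
    return "SELECT password_hash FROM users WHERE username = '$safe'";
}

// 3. Preferred: a prepared statement. The SQL text and the data are sent
//    separately, so no quoting in the input can change the query structure.
function lookupPasswordHash(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : $hash;
}

// Validation before the query, as coffeeaddict_uk suggests: an allow-list of
// characters via preg_match(); anything else is rejected, not "cleaned".
function isValidUsername(string $username): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $username) === 1;
}

// Constructed input containing a quote, to compare the three approaches.
$input = "o'brien";
$query = buildQueryUnsafe($input);   // literal ends early: malformed/alterable SQL
if (!isValidUsername($input)) {
    // rejected by the allow-list; the prepared statement would also have
    // treated the quote as plain data had the value been accepted
}
```

Use approach 3 together with the allow-list; approach 2 is shown only because the answers refer to it, and it still leaves numeric and identifier positions unprotected.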
drewangell
2008-07-13 06:40:24 UTC
If you're using Dreamweaver and its tools to connect to your DB, it takes care of correctly writing the code to avoid SQL injection.

If not, read up on http://us2.php.net/security.database.sql-injection


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.