Jump to content

PhCyber Tunnel Available!

Get it on Playstore
Download Now!

Ad Space For Rent

Get Your Product up here and let our users see them first when they visit our Forum. We have thousands of page views everyday!
More Info
Info
  • Welcome to PhCyber
  • Explore and Enjoy Browsing!
  • Lots of useful topics
  • Stay active and receive prizes
Sign in to follow this  
Cyber

Prevent SQL Injection

Recommended Posts

SQL injection is a technique, used to attack data-driven applications. Using this method, hackers will try to execute their SQL statements within your application and access your database data.

Here is an example SQL injection. Let's consider you have a login form with two fields - email (text field) and password (password field). Upon login, you will build and execute a similar query:

 

For Established Members Only. Check this link for more info https://phcyber.com/topic/1703-phcyber-ranking/


You can see that the query is searching for a user in `users`table, which matches the email and password posted via the login form. However, since both email and password are not properly handled, an attacker can modify the query. Assume that they enter:

Email: [email protected]
Password: mypassword

The constructed query will be: 

 

For Established Members Only. Check this link for more info https://phcyber.com/topic/1703-phcyber-ranking/

 


Which seems to be correct. However, if the attacker uses:

Email: [email protected]
Password: mypassword'; DROP TABLE 'users

the query will become: 

 

For Established Members Only. Check this link for more info https://phcyber.com/topic/1703-phcyber-ranking/

 


And of course, you do not want people to execute such queries over your database.

To protect your PHP application from being abused via such SQL injections, you should correctly set all SQL queries that are being run. With older versions of PHP (>= 4.3.0, 5) you would do that with mysql_real_escape_string(). So above query would look like this:

 

For Established Members Only. Check this link for more info https://phcyber.com/topic/1703-phcyber-ranking/



This is how the SQL injection protected query looks like now:
 

For Established Members Only. Check this link for more info https://phcyber.com/topic/1703-phcyber-ranking/

You can see that the data being passed via $_POST is now escaped and DROP TABLE query will not be executed separately, but will be considered as a part of the password string.


With the latest versions of PHP you can now use PDO and prepared queries. Here is an example:

 

For Established Members Only. Check this link for more info https://phcyber.com/topic/1703-phcyber-ranking/


The key function here is prepare(). It secures the SQL query and protects it from SQL injections.

There are other ways to verify that data passed via SQL queries is valid and not abused. For example, if you expect an integer to be passed, you may use intval() to convert the inputted data into an integer.

 

For Established Members Only. Check this link for more info https://phcyber.com/topic/1703-phcyber-ranking/

 


Or if you expect an email address, you can use email validation to guarantee that $_POST["email"] is a valid email address. Take a look at our PHP Validation And Verification tutorial for different string validations.

SQL injection is one of the top website vulnerabilities, so you should be very careful when using user inputted data to construct SQL queries.


  • Like 1

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  



×
×
  • Create New...