PHP Security and SQL Injection?
I understand that if I put up a password dialog on my PHP / MySQL website, I open the site up to security hazards like SQL injection, in which a skillful vandal could actually change a great deal of data or erase data in my MySQL database.
How can you secure a website that uses PHP / MySQL?
————–
Thanks to everyone for all of the answers.
Do I understand correctly that I should call the following function on all input before making it a part of my SQL query and that this function will take care of any SQL injection problems?
mysql_real_escape_string()
Is calling this function on all user input all that I need to do?
http://uk3.php.net/mysql_real_escape_string
5 Responses to “PHP Security and SQL Injection?”


Any field that a user fills in on a form that you process into a database CAN include a vicious piece of code.
To avoid this, you have to check data before inserting into (or updating) your tables.
Say you have a field “Address” (usually long), set as a “varchar” (100): those 100 characters can be a command!
Worse: fields defined as “TEXT”.
- Before inserting/updating, check these strings for malicious code, commands, etc. (words like “insert”, “delete”, “select”, “create”, file extensions such as “asm”, “exe”), or non-text (i.e. characters below 0x1F) and reject if you find one.
However, don’t be too paranoid: if your site is decent, so will be your visitors.
Just make an automatic DB backup daily.
My Mind (the Bible)
If you’re using Dreamweaver and its tools to connect to your DB, it takes care of correctly writing the code to avoid SQL injection.
If not, read up http://us2.php.net/security.database.sql-injection
My Mind (the Bible)
SQL injection attacks have two objectives. The first is to terminate your SQL query and run its own query, and the second is to twist your query to give the attacker what he wants. The length of the field being queried/updated is irrelevant: a varchar(10) doesn’t give you only 10 characters to attack in, because I can rewrite your form in a couple of minutes, and once I close out your query I can put in whatever I want.
Generally, what you need to do is prevent the user from ending your query or messing with it in some way, and the function mysql_real_escape_string() was designed to do that. The function’s page also has some notes on SQL injection and safeguarding queries.
http://uk3.php.net/mysql_real_escape_string
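The two objectives described in the response above, and the escaping approach the question asks about, as an added example (not code from the original post or any of its responses). It runs offline: an in-memory SQLite database accessed through PDO stands in for MySQL, the `users` table and its two rows are constructed for the demo, and `escapeLiteral()` is a stand-in for `mysql_real_escape_string()` (the `mysql_*` extension no longer exists in PHP 7 and later). Function names are illustrative.

```php
<?php
// Added example, not code from the original post. It shows the two injection
// objectives described above (ending the quoted literal so the rest of the
// input is parsed as SQL, and twisting the WHERE clause), then the escaping
// approach the question asks about and where it stops working, then the
// prepared-statement form. Runs offline: an in-memory SQLite database via
// PDO stands in for MySQL, and the users table is constructed for the demo.
declare(strict_types=1);

function demoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, password TEXT NOT NULL)');
    $db->exec("INSERT INTO users (name, password) VALUES ('alice', 'correct horse'), ('bob', 'hunter2')");
    return $db;
}

// Name from the first row, or null when the query matched nothing.
function firstName(PDOStatement $stmt): ?string
{
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['name'];
}

// VULNERABLE: input is pasted into the SQL text. A single quote in $user ends
// the literal, and "--" comments out the password check that follows it.
function loginVulnerable(PDO $db, string $user, string $pass): ?string
{
    $sql = "SELECT name FROM users WHERE name = '$user' AND password = '$pass'";
    return firstName($db->query($sql));
}

// Stand-in for mysql_real_escape_string(): doubles single quotes, the
// SQL-standard escape that SQLite understands. The real function also needs
// the connection's character set, which this ignores; it illustrates the idea.
function escapeLiteral(string $s): string
{
    return str_replace("'", "''", $s);
}

// ESCAPED, string context: the input stays inside its quotes, so the comparison
// is against the literal text "alice' -- " and the bypass fails.
function loginEscaped(PDO $db, string $user, string $pass): ?string
{
    $u = escapeLiteral($user);
    $p = escapeLiteral($pass);
    $sql = "SELECT name FROM users WHERE name = '$u' AND password = '$p'";
    return firstName($db->query($sql));
}

// ESCAPED, numeric context: $id is not inside quotes, so escaping quotes
// protects nothing. "2 OR 1=1" contains no quote and is injected verbatim,
// turning the lookup into "WHERE id = 2 OR 1=1".
function nameByIdEscaped(PDO $db, string $id): ?string
{
    $sql = 'SELECT name FROM users WHERE id = ' . escapeLiteral($id) . ' ORDER BY id';
    return firstName($db->query($sql));
}

// PREPARED: the SQL text is fixed before any user data exists; values travel
// as parameters and are never parsed as SQL, quoted context or not.
function loginPrepared(PDO $db, string $user, string $pass): ?string
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name AND password = :password');
    $stmt->execute([':name' => $user, ':password' => $pass]);
    return firstName($stmt);
}

function nameByIdPrepared(PDO $db, string $id): ?string
{
    // What a non-numeric id matches is now the database's type coercion, not
    // injection; validating $id as digits before it gets here is still right.
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return firstName($stmt);
}

$db = demoDb();
$bypass = "alice' -- ";   // payload: close the literal, comment out the rest
foreach (['loginVulnerable', 'loginEscaped', 'loginPrepared'] as $fn) {
    printf("%-16s user=%s pass=wrong -> %s\n", $fn, json_encode($bypass), var_export($fn($db, $bypass, 'wrong'), true));
}
foreach (['nameByIdEscaped', 'nameByIdPrepared'] as $fn) {
    foreach (['2', '2 OR 1=1'] as $id) {
        printf("%-16s id=%-11s -> %s\n", $fn, json_encode($id), var_export($fn($db, $id), true));
    }
}
```

Run it with `php` and the `pdo_sqlite` extension. The vulnerable login accepts `alice' -- ` with a wrong password; the escaped and prepared logins reject it. The escaped lookup by id returns `bob` for `2` but, for `2 OR 1=1`, the first user in the table instead, because nothing was quoted for the escape to protect. The prepared lookup returns `bob` for `2` and, for `2 OR 1=1`, whatever the database's value coercion decides (SQLite here: no match), which is a comparison of a value, not a change to the query. Note also that the payloads used here contain none of the keywords the first response suggests filtering for.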
What Greigmcl said is right, but just to add, you should ‘idiot-proof’ your scripts by validating ANY user input data you receive BEFORE you put it into a query. If the data is a number, use the is_numeric() function on it to check it. If it isn't, then reject it.
If a string is only supposed to have certain characters in, check it only contains those characters using preg_match() or preg_match_all().
http://uk3.php.net/mysql_real_escape_string
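Allow-list validation before anything reaches a query, as the response above recommends, written out as an added example (not code from the original post or its responses). Function names and the list of sortable columns are illustrative assumptions; nothing here touches a database. It also covers two details the response does not spell out: `is_numeric()` accepts more than digits, and `$` in a PCRE pattern matches before a trailing newline unless the `D` modifier is set.

```php
<?php
// Added example, not code from the original post: allow-list validation of
// user input before it goes anywhere near a query, as the response above
// recommends. Function names and the column list are illustrative; nothing
// here touches a database.
declare(strict_types=1);

// Integer id. is_numeric() is looser than a digits-only check: it also accepts
// "1e3", "-1", ".5" and leading whitespace. ctype_digit() accepts only the
// characters 0-9, so only an emptiness and a length check remain.
function isValidId(string $id): bool
{
    return $id !== '' && strlen($id) <= 10 && ctype_digit($id);
}

// Username limited to a fixed character set. Two details matter:
//  - preg_match() returns 1, 0 or false (on error), so compare with === 1;
//  - without the D modifier, $ also matches before a trailing "\n", so
//    "alice\n" would pass. D makes $ match only at the very end of the string.
function isValidUsername(string $name): bool
{
    return preg_match('/^[A-Za-z][A-Za-z0-9_]{2,19}$/D', $name) === 1;
}

// A column name for ORDER BY cannot be sent as a query parameter (parameters
// carry values, not identifiers), so the only option is a fixed list of names
// the application itself chose. Strict in_array() avoids loose comparisons.
const SORTABLE_COLUMNS = ['id', 'name', 'created_at'];

function sortColumn(string $requested): ?string
{
    return in_array($requested, SORTABLE_COLUMNS, true) ? $requested : null;
}

// Validate first, reject early, and only then assemble the query text. The id
// still travels as a bound parameter; only the allow-listed column name is
// interpolated, because it came from our own list and can be nothing else.
function buildUserQuery(string $id, string $sort): string
{
    if (!isValidId($id)) {
        throw new InvalidArgumentException('id must be 1-10 digits');
    }
    $col = sortColumn($sort);
    if ($col === null) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    return "SELECT id, name FROM users WHERE id = :id ORDER BY $col";
}

// Compare is_numeric() with the digits-only check on a few constructed inputs.
foreach (['42', '1e3', '-1', ' 7', "42' OR '1'='1"] as $s) {
    printf("%-18s is_numeric=%-5s isValidId=%s\n",
        json_encode($s), var_export(is_numeric($s), true), var_export(isValidId($s), true));
}
foreach (['alice', "alice\n", "alice' -- "] as $n) {
    printf("%-18s isValidUsername=%s\n", json_encode($n), var_export(isValidUsername($n), true));
}
foreach ([['42', 'name'], ['42', 'name; DROP TABLE users'], ['1e3', 'id']] as [$id, $sort]) {
    try {
        echo buildUserQuery($id, $sort), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Rejecting invalid input outright, rather than trying to clean it, keeps the rule simple to audit: every value that reaches `buildUserQuery()` is either a digit string or a name from `SORTABLE_COLUMNS`. Validation does not replace prepared statements for the values themselves; it is the only tool available for the parts of a query, such as identifiers, that parameters cannot carry.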
Before going into the details of preventing SQL injection, you should know how the hackers go about injecting SQL and taking the data / table names out without knowing much about your database schema, and I found this wonderful article about it:
http://www.go4expert.com/forums/showthread.php?t=11841
It shows you how you can get almost every aspect of data from the database and knowing this helps you protect yourself. I have been checking out my other sites now.
Thanks
Shabbir
http://www.go4expert.com/