Security Tutorials: Tutorials on how to protect your software against crackers.
What is an SQL injection? Before I fully divulge what an SQL injection is, let's set up a simple scenario. Bob is a freelance programmer hired by the Extreme Banking Association to develop an online banking system, which stores the credit card information of its users. Bob creates a MySQL database similar to the following structure: SQL Code:
He then imports some data into the database: SQL Code:
At this point, the manager of the project should see Bob's incompetence and lack of skill. What kind of idiot would store passwords in plain text? Anyway, Bob continues with this code and creates a basic login system, and it has a structure similar to the following: PHP Code:
At this point, it does everything the manager of the project wants: enter your username/password and the user's credit card number is displayed. So, Bob withdraws his money from the escrow account and goes on his merry way. One day an ub3r l33t h4x0r comes along and attempts an SQL injection. He sees that the form uses a GET method request, and attempts to alter the data that is sent to the server. He enters the following line into his address bar: Quote:
Quote:
Quote:
PHP Code:
How do I prevent SQL injections? The answer is simple: never trust user input. That is the single most important concept in developing a secure application. The concept is simple, but taking action is a little more difficult. The easiest way to prevent SQL injections is to escape data. The PHP developers implemented a feature(?) called Magic Quotes, which escapes quotes, NULL characters, backslashes, among other characters. This was designed as a security feature to help prevent SQL injections; however, it has caused both me and many other developers headaches, which is probably why, as of PHP 6.0, Magic Quotes will be deprecated. As a result, it is a poor idea to rely on Magic Quotes as a solution to your SQL injections. In fact, even with Magic Quotes enabled, SQL injections are still possible. The code I am going to provide you is probably not the most secure code, as I am far from an expert on security, but I have found it to be a decent solution for many of my problems regarding SQL injections. The first thing we want to do is remove all of the damage done by Magic Quotes: PHP Code:
Next, take advantage of the mysql_real_escape_string() function in our query: PHP Code:
PHP Code:
Finally, strengthen the session validation, and the final script will look like this: PHP Code:
As far as SQL injections go, you should be pretty safe!
Last edited by John; 12-15-2007 at 10:39 PM.
Pretty good article. There's a little bug in your SQL injection though. I don't think the SQL injection you came up with would work correctly. Code:
' OR 1 = '1
Code:
' OR '1' = '1
I actually made a blog post on this topic a while ago, if anyone should be interested.
Last edited by v0id; 09-24-2007 at 07:38 AM.
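As an added example, not code from either post above (the original post's SQL and PHP snippets did not survive on this page), here is the same login flow in Python against an in-memory SQLite database standing in for Bob's MySQL table. The table layout, column names and rows are constructed for the demo, and the query shape is assumed from the post's description (username and password compared against form values). `login_vulnerable` concatenates the form values into the SQL text as Bob's script does; `login_escaped` is a minimal stand-in for the mysql_real_escape_string() fix (it doubles single quotes, which is SQLite's rule; the real MySQL function also handles backslashes, NUL bytes and the connection character set, so use the driver's own function against MySQL); `login_parameterized` uses bind parameters, which remove the need for escaping altogether. The two lookup-by-id functions show the case the post hints at when it says injections remain possible even with escaping: a value interpolated without surrounding quotes, where there is nothing to escape. The payload is the `' OR '1' = '1` form given in the reply above.

```python
import sqlite3

# Constructed sample rows standing in for Bob's "users" table; the column
# names and values are assumptions for this demo, not data from the thread.
SAMPLE_USERS = [
    (1, "alice", "alicepass", "4111111111111111"),
    (2, "bob", "hunter2", "5500000000000004"),
]

# The injection string from the reply above, entered as the password.
PAYLOAD = "' OR '1' = '1"


def make_db():
    """Build an in-memory SQLite database (stand-in for MySQL) with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, credit_card TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Bob's approach: form values are concatenated straight into the SQL text,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = (
        "SELECT username, credit_card FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def escape_quotes(value):
    """Minimal stand-in for mysql_real_escape_string(): double each single quote,
    which is how a quote is written inside a SQLite string literal. MySQL's
    function also escapes backslashes and NUL and is charset-aware; use it
    rather than this helper against a real MySQL server."""
    return value.replace("'", "''")


def login_escaped(conn, username, password):
    """Same query, but each value is escaped before being placed inside quotes."""
    sql = (
        "SELECT username, credit_card FROM users WHERE username = '"
        + escape_quotes(username) + "' AND password = '" + escape_quotes(password) + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Bind parameters: the values never become part of the SQL text, so their
    content cannot change the statement's structure. This is the fix to prefer."""
    sql = "SELECT username, credit_card FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def lookup_by_id_escaped(conn, user_id):
    """Escaping does nothing when the value is interpolated without surrounding
    quotes: there is no quote to close, so "1 OR 1=1" passes through unchanged."""
    sql = "SELECT username, credit_card FROM users WHERE id = " + escape_quotes(user_id)
    return conn.execute(sql).fetchall()


def lookup_by_id_parameterized(conn, user_id):
    """The bound value is compared as a value; a non-numeric string matches no id."""
    sql = "SELECT username, credit_card FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload   :", login_vulnerable(db, "anyone", PAYLOAD))
    print("escaped, payload      :", login_escaped(db, "anyone", PAYLOAD))
    print("parameterized, payload:", login_parameterized(db, "anyone", PAYLOAD))
    print("id escaped, 1 OR 1=1  :", lookup_by_id_escaped(db, "1 OR 1=1"))
    print("id bound, 1 OR 1=1    :", lookup_by_id_parameterized(db, "1 OR 1=1"))
```

Run it as a script to see the vulnerable login hand back every row for the payload while both hardened versions return nothing, and the unquoted-id case return every row despite the escaping. The takeaway for PHP is the same: escaping only helps inside quoted literals, whereas prepared statements (mysqli or PDO) keep user data out of the SQL text in every position.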
Excellent article! Thank you for the Tutorial.
Quote:
Excellent question. Your method achieves the exact same outcome as mine; however, you should note that $_GET is an (associative) array. Using array_map and passing it the callback function stripslashes(), you can strip the slashes from every element in the $_GET array by simply calling that single function. Whereas you call stripslashes() on every element individually, using my method it is not necessary (as array_map will do it automatically).