SQL Injection :: What It Is, And How To Prevent It Options Rating

[sandman85048]

SQL Injection is a form of hacking that has taken down innumerable amounts of websites, and it's no comforting idea that your site could be next. In this tutorial, I will give you a brief synopsis of what SQL Injection really is, and how to protect your website from it. This tutorial assumes that you have a fairly good knowledge of PHP, you understand GET and POST methods, and you have used and at least partly understand SQL.

SQL Injection is usually done through areas where user input is added into a database, or where GET/POST values are parsed and added into a database. For example, this is a piece of code that will get a POST value and add it to the database:

CODE

mysql_query("INSERT INTO table VALUES('" . $_GET["value"] . "')");

Now let's create the scenario. That code is located at http://example.com/update.php. If the page was visited with the GET values:
http://example.com/update.php?value=bwahaha
This would give us an SQL query like this:
INSERT INTO table VALUES('bwahaha')

That code is all fine and dandy, but what if someone visited the page like this:
http://example.com/update.php?value=blah'); DELETE * FROM table WHERE value != 0; INSERT INTO table VALUES('HACKED!
This would make an SQL query:
INSERT INTO table VALUES('blah'); DELETE * FROM table WHERE value != 0; INSERT INTO table VALUES('HACKED!')
That is one piece of malicious code. This would essentially delete all rows from the database, except for ones with a value of 0. Then, you would probably have one row which would let you know that you were hacked.


Now you probably want to know how to protect your site(s) from this, right? It's fairly simple, actually.

We can use a function from a code snippet I published, called sql_sanitize.

CODE

function sql_sanitize( $sCode ) {
        if ( function_exists( "mysql_real_escape_string" ) ) { // If PHP version > 4.3.0
                $sCode = mysql_real_escape_string( $sCode ); // Escape the MySQL string.
        } else { // If PHP version < 4.3.0
                $sCode = addslashes( $sCode ); // Precede sensitive characters with a slash \
        }
        return $sCode; // Return the sanitized code
}

Now let's put this into action. Remember the code we had earlier? Let's change that:
mysql_query("INSERT INTO table VALUES('" . sql_sanitize($_GET["value"]) . "')");
This will "sanitize" the code and protect your database from people doing anything malicious to it.

Well, there you go! I suggest you implement this method wherever you are putting user input into the database. Instead of using $_GET["value"], for instance, just use sql_sanitize($_GET["value"])! It really is that simple.