SQL Injection is a form of hacking that has taken down innumerable amounts of websites, and it's no comforting idea that your site could be next. In this tutorial, I will give you a brief synopsis of what SQL Injection really is, and how to protect your website from it. This tutorial assumes that you have a fairly good knowledge of PHP, you understand GET and POST methods, and you have used and at least partly understand SQL.
SQL Injection is usually done through areas where user input is added into a database, or where GET/POST values are parsed and added into a database. For example, this is a piece of code that will get a POST value and add it to the database:
CODE
mysql_query("INSERT INTO table VALUES('" . $_GET["value"] . "')");
Now let's create the scenario. That code is located at http://example.com/update.php. If the page was visited with the GET values:
http://example.com/update.php?value=bwahaha
This would give us an SQL query like this:
INSERT INTO table VALUES('bwahaha')
That code is all fine and dandy, but what if someone visited the page like this:
http://example.com/update.php?value=blah'); DELETE * FROM table WHERE value != 0; INSERT INTO table VALUES('HACKED!
This would make an SQL query:
INSERT INTO table VALUES('blah'); DELETE * FROM table WHERE value != 0; INSERT INTO table VALUES('HACKED!')
That is one piece of malicious code. This would essentially delete all rows from the database, except for ones with a value of 0. Then, you would probably have one row which would let you know that you were hacked.
Now you probably want to know how to protect your site(s) from this, right? It's fairly simple, actually.
CODE
function sql_sanitize( $sCode ) {
    if ( function_exists( "mysql_real_escape_string" ) ) { // If PHP version >= 4.3.0
        $sCode = mysql_real_escape_string( $sCode ); // Escape the MySQL string.
    } else { // If PHP version < 4.3.0
        $sCode = addslashes( $sCode ); // Precede sensitive characters with a slash \
    }
    return $sCode; // Return the sanitized code
}
Now let's put this into action. Remember the code we had earlier? Let's change that:
CODE
mysql_query("INSERT INTO table VALUES('" . sql_sanitize($_GET["value"]) . "')");
This will "sanitize" the code and protect your database from people doing anything malicious to it.
Well, there you go! I suggest you implement this method wherever you are putting user input into the database. Instead of using $_GET["value"], for instance, just use sql_sanitize($_GET["value"])! It really is that simple.
could you only use this for when you are adding to the database what if you where just pulling records out of the database to display in a table could you also use the sanitizer function then??
CODE
function sql_sanitize( $sCode ) {
    if ( function_exists( "mysql_real_escape_string" ) ) { // If PHP version >= 4.3.0
        $sCode = mysql_real_escape_string( $sCode ); // Escape the MySQL string.
    } else { // If PHP version < 4.3.0
        die('Your PHP version is too old!'); // addslashes is unsafe
    }
    return $sCode; // Return the sanitized code
}
It would probably be best not to try addslashes at all. There are far too many vectors to get around addslashes. PHP 4 will be EOL'd starting Jan 1, 2008 for a reason. Just FYI. If I wanted to try out SQL injection, I'd find out the PHP version first, to see if I could just fire in some escape codes and the like to get it to error out.
Is this method only used for $_GET statements... what about $_REQUEST statements...?
After reading the article, I still don't quite get what the problem is with not sanitizing the GET parameters when using PHP-MySQL (in terms of unauthorized insertions/deletions of data). For instance, with regard to the SQL injection example in the article,
since PHP's mysql_query method does not support multiple queries, stacking queries as in the example above should not work (it will throw an SQL error). Is there really any way to put SQL injection into a PHP-MySQL script even without sanitizing the GET parameters? Hope you can shed some more light on this subject. Many thanks.
Good catch. However, not everyone creates PHP applications for MySQL, and the other flavors are particularly vulnerable to this.
MySQL, on the other hand, IS still vulnerable to modifying statements; this article doesn't even break the tip on SQL attacks. For a better primer, and one tuned to PHP, visit my article below:
I LOVE sql injections and XSS, as a pen-tester, it brings out creativity, and it is a lot of fun battling against the server and filters to try to take control of execution.
CODE
/*
Function: sql_sanitize( $sCode )
Description: "Sanitize" a string of SQL code to prevent SQL injection.
Parameters:
    $sCode: The SQL code which you wish to sanitize.
Example:
    mysql_query('UPDATE table SET value="' . sql_sanitize("' SET id='4'") . '" WHERE id="1"');
Requirements: PHP version 4 or greater
*/
function sql_sanitize( $sCode ) {
    if ( function_exists( "mysql_real_escape_string" ) ) { // If PHP version >= 4.3.0
        $sCode = mysql_real_escape_string( $sCode ); // Escape the MySQL string.
    } else { // If PHP version < 4.3.0
        $sCode = addslashes( $sCode ); // Precede sensitive characters with a slash \
    }
    return $sCode; // Return the sanitized code
}
Where do I use it... I mean, in which page?
or only
CODE
mysql_query('UPDATE table SET value="' . sql_sanitize("' SET id='4'") . '" WHERE id="1"');
Alright, so here is my code. I would like to know what the problem is. I thought it was good, but one of the mods here said it's still open to SQL injection.
Here is what I have, and on all the pages on my website I simply add an include('functions.php'); Any way to improve this? Thanks!
You would want to sanitize everything you put into any query sent to the database server that is not hard coded in the script! It doesn't matter if the query is to retrieve information or to insert information, everything has to be sanitized and nothing can be trusted! It's that simple!
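The tutorial's INSERT and the point just above about read-only queries, as an added example that is not code from any post in this thread: it assumes PHP 7 or later (the mysql_* functions used in the thread were removed in PHP 7, so mysqli's real_escape_string stands in for mysql_real_escape_string), a MySQL table named `table` with a single VARCHAR column `value`, and a mysqli connection whose details are placeholders.

```php
<?php
// Added example, not from the original posts. Shows the tutorial's INSERT
// written three ways, then a parameterised SELECT for the point that lookups
// need the same care as inserts. `table` is backticked because TABLE is a
// reserved word in MySQL; connection details are placeholders.
declare(strict_types=1);

// Constructed input: the exact string from the tutorial's second URL.
const PAYLOAD = "blah'); DELETE * FROM table WHERE value != 0; INSERT INTO table VALUES('HACKED!";

// 1) Vulnerable: raw concatenation, as in the tutorial's first snippet.
//    The quote in the input closes the literal; the rest becomes SQL text.
function vulnerable_sql(string $value): string
{
    return "INSERT INTO `table` VALUES('" . $value . "')";
}

// 2) Escaped: the present-day form of the post's sql_sanitize(). Escaping is
//    charset-dependent, so the connection charset must be set first.
function escaped_sql(mysqli $db, string $value): string
{
    return "INSERT INTO `table` VALUES('" . $db->real_escape_string($value) . "')";
}

// 3) Parameterised: the value travels separately from the SQL text, so there
//    is nothing to escape and no quoting rule to get wrong.
function insert_value(mysqli $db, string $value): bool
{
    $stmt = $db->prepare("INSERT INTO `table` (`value`) VALUES (?)");
    $stmt->bind_param("s", $value);
    return $stmt->execute();
}

// Same rule for reads: a WHERE clause built from user input is just as exposed.
function find_value(mysqli $db, string $value): array
{
    $stmt = $db->prepare("SELECT `value` FROM `table` WHERE `value` = ?");
    $stmt->bind_param("s", $value);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

$db = new mysqli("DB_HOST_PLACEHOLDER", "DB_USER_PLACEHOLDER", "DB_PASS_PLACEHOLDER", "DB_NAME_PLACEHOLDER");
$db->set_charset("utf8mb4");

echo vulnerable_sql(PAYLOAD), "\n";   // the quote ends the literal: query structure is changed
echo escaped_sql($db, PAYLOAD), "\n"; // the quote is now \' so the payload stays one string literal
insert_value($db, PAYLOAD);
$rows = find_value($db, PAYLOAD);     // the payload comes back as plain stored text
echo count($rows) === 1 ? "stored verbatim, not executed\n" : "unexpected row count\n";
```

The escaped form only protects a value that is wrapped in quotes in the SQL text; the parameterised form needs no such condition, which is why it is the safer default for both inserts and lookups.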