SQL injection is becoming a problem for web developers- especially those new to the field who aren’t up to speed on how insecure PHP can really be. But as the experts like to say, PHP isn’t the problem- it’s the knowledge of the programmer that counts when it comes to preventing SQL injection attacks.
It’s rather frightening to think that a statement such as “b’ OR ‘b’='b’” can render one’s security useless. But this is indeed true, and is what we call an SQL injection. SQL injections have been the most popular way to “hack” a website in recent years. As long as the input can be validated before it is passed along to the SQL query, we can ensure that nothing bad will go wrong.
Magic quotes have long helped web developers secure their SQL query statements. But as it stands today, this function is depreciated and no longer in use. Magic quotes have received a bad reputation since they do escape quotes- but they do so on the entire input, and not necessarily just a certain field we need to escape. Magic quotes are a hassle, and can even lead to performance issues. Thus, developers tend to ignore them.
The common way to protect against an SQL injection attack is to simply use the mysql_real_escape_string() function that PHP has support for. When passing POST values through this function, the result becomes an escaped string that can’t be used to manipulate an SQL query- perfect for our situation.
Another good way to prevent SQL injections is to simply restrict authority in SQL users where possible. For instance: it would be a good idea to create individual users that do specific things: such as create a table or update rows in the said table. This can help make the task of ruining one’s hard work much harder for malicious web users, although it’s a lot more work for webmasters (Although well worth it).
It should be noted that programs and web applications that stop SQL injections should not be obtained- since they commonly cost quite a bit of money. As long as webmasters take precautions with what they create, there should be no reason to spend hundreds of dollars on software that only makes use of escape characters and formatting data correctly. This type of application is created to con webmasters into buying something they don’t need- so dont fall victim to them!
Final Thoughts
There isn’t much effort that needs to be exerted in order to declare a database safe from harm. All that is needed is a little prevention- which comes from avid usage of the function and design principles previously stated. It may also be a good idea to use SQL injection scanners on large web applications to cover holes that might not have been covered over the course of the development period.
You must be logged in to post a comment.