Prevent SQL Injection Attacks in PHP
Sunday, August 24th, 2008
Recently I posted about connecting to a MySQL database and provided a simple function that comes in handy – keep your username and password in one place. This advice is all relative to PHP (Hypertext Preprocessor) programming. But how secure is your database from user input? One of the biggest threats to your security will be right at that front door where the rubber meets the road – username and password login.
The following YouTube video (3 minutes) shows a straight forward MySQL injection. It should give you the idea. A read of Wikipedia’s SQL injection resource and Steve Friedl’s tips on SQL injection attacks (particularly in Mitigations towards the bottom of the page) should take you a little further. It’s amazing how many web developers remain unaware of the problem – and I freely admit it only became something on my radar about 4 years ago when a client’s guestbook was hacked this way by script kiddies in the United States. Lesson two was to always keep open source software up-to-date.
The short answer for protecting yourself from this type of user manipulation of your database can involve a few reasonably simple steps. As a first measure, you might want to use regular expressions in your programming to ensure what you receive from the user is valid input. I do admit regular expressions might be a bit hardcore for some, but there are plenty of freely available snippets out there now you know what to look for.
