Thursday 2 July 2015

How can I prevent SQL-injection in PHP?

Question: What is SQL Injection?
SQL injection is a code injection technique used to attack database-driven applications. Malicious SQL statements are inserted into a database query.


Question: How do attackers attack a website with SQL injection?
Using SQL injection, attackers target a web application's tables/database.

For example, take a web login form where a visitor enters a username and password to log in to the system.
An attacker enters special characters (i.e. '"!@#$%^&*()_+) in the login form to attack the website.


What can attackers do with SQL Injection?
Below are a couple of ways an attacker can harm our website.
  1. After the form is submitted, these special characters get mixed into the query and break it, so the page crashes. In this case the attacker may be able to see the queries printed in the browser (if debug mode is not off).
  2. They may use a combination of special characters that lets them log in to our system without a valid login.
  3. They may be able to see the list of users in our database.
  4. They may delete a record or a table.



How can we prevent SQL injection?
We must filter data entered by the user before saving it in the database or using it in an SQL query.
If you escape the string, you can protect your website from SQL injection attacks.

Following are a few different ways to prevent SQL injection in PHP; use any of the below:
Use a PHP function (for PHP 5.4)
// Escaping only protects a value that is placed inside quotes in the query, as it is here.
$safeData = mysql_real_escape_string($_POST["user-input"]);
mysql_query("INSERT INTO table (column) VALUES ('" . $safeData . "')");
// If you are using PHP 5.5 or later, use MySQLi (below) instead, as mysql_real_escape_string is deprecated in PHP 5.5


Use MySQLi (the improved MySQL extension)
$mysqli = new mysqli("server", "username", "password", "database_name");
$unsafeData = $_POST["user-input"];
// The ? placeholder keeps the user input out of the SQL text
$stmt = $mysqli->prepare("INSERT INTO table (column) VALUES (?)");
// "s" binds the value as a string
$stmt->bind_param("s", $unsafeData);
$stmt->execute();
$stmt->close();
$mysqli->close();


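Use PDO to connect to the database
// Connection added so the snippet is complete; same placeholder values as the MySQLi example
$pdo = new PDO("mysql:host=server;dbname=database_name", "username", "password");
$stmt = $pdo->prepare('SELECT * FROM users WHERE name = :name');
$unsafeData = $_POST["user-input"];
// The value is bound to :name when the statement is executed
$stmt->execute(array('name' => $unsafeData));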



The following are examples of SQL injection strings:
123' or '1  
123' or '1#
123' or 1 union select 1,database(), version()#
123' or 1 union select id, password,email from users#
123' or 1 union select id, password,email from users into outfile '/store-in-db.txt'#
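
The first string in the list above, checked against a login query built by concatenation and against the same query as a PDO prepared statement. This is an added example, not code from the original post. The users table, its sample row and the function names loginConcatenated and loginPrepared are assumptions made for the illustration, and an in-memory SQLite database stands in for MySQL so the script runs without a server.

```php
<?php
// Added example: constructed table and data, in-memory SQLite so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
// Constructed sample row; a real application stores password_hash() output, not plain text.
$pdo->exec("INSERT INTO users (name, password) VALUES ('alice', 'correct-horse')");

// Vulnerable (hypothetical helper): user input is concatenated into the SQL text,
// so a quote in the input ends the string literal and the rest is parsed as SQL.
function loginConcatenated(PDO $pdo, string $name, string $password): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE name = '" . $name
         . "' AND password = '" . $password . "'";
    return (int) $pdo->query($sql)->fetchColumn() > 0;
}

// Hardened (hypothetical helper): the SQL text is fixed and the input is sent
// as bound parameters, so it is only ever compared as data.
function loginPrepared(PDO $pdo, string $name, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM users WHERE name = :name AND password = :password'
    );
    $stmt->execute(array('name' => $name, 'password' => $password));
    return (int) $stmt->fetchColumn() > 0;
}

// With the third input the concatenated query ends in
//   ... AND password = '123' or '1'
// and the trailing "or '1'" makes the WHERE clause true for every row.
$cases = array(
    'valid login'    => array('alice', 'correct-horse'),
    'wrong password' => array('alice', 'guess'),
    'listed string'  => array('alice', "123' or '1"),
);
foreach ($cases as $label => $input) {
    list($name, $password) = $input;
    printf("%-15s concatenated=%s prepared=%s\n", $label,
        var_export(loginConcatenated($pdo, $name, $password), true),
        var_export(loginPrepared($pdo, $name, $password), true));
}
```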