PHP Security: SQL Injections

In our previous post “Writing secure codes in PHP” we discussed the most basic tips for creating secure PHP applications. Here we provide more insight into one of the threats discussed.

Let's begin with: what is an SQL injection? In simple terms, an SQL injection is input given to a PHP application through forms or links that manipulates the SQL statement in the original code and produces an undesirable result. SQL injections are generally used to get unauthorised access to the database. Even if the attacker is not able to retrieve any content, there is a chance of corrupting the database and the file system. To stop such attacks, it is necessary to understand them.

So here is an example:

Here is my so very trustworthy code that lets my users change their passwords.
This is the form to be filled by the user.

Change Password:

The above form will look something like this when you login as user 1:
Your User ID:1
Change Password:

Now here is what I write in the cpass.php that will do the real job of changing the database record for the user.


Suppose the users table looks like this.

id username password
1 goodjohn doom
2 badfred rattle

What could possibly go wrong here? To check, let's look at a situation.
Let's say the user ‘badfred’ with id:2 logs in to change his password and enters the text below in the password field.
hacked' WHERE id=1; -- //There is a space after -- which is very important

As the field input included SQL commands, the query below was run.

UPDATE users
SET password='hacked' WHERE id=1; -- ' WHERE id=2;

The text beyond -- gets commented out, as -- is a ‘comment tag’. After this process, the users table will look like this.

id username password
1 goodjohn hacked
2 badfred rattle

What we did here is inject an SQL string into an input field. This is popularly known as SQL injection.
The above illustration is one of the simplest forms of SQL injection. A more hybrid attack would involve downloading the whole database or corrupting the database structure.

It is a misconception that PHP has this security glitch. The program just did what you asked it to do. To protect your applications from such attacks, it is necessary to filter the inputs that are going to be used in any SQL statement. This can be done as follows.

mysql_real_escape_string(): This function escapes the special characters present in a string to make it safe to use in a MySQL query.

addslashes(): Adds slashes to characters that need to be escaped before use in an SQL statement.
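The password-change scenario above, as an added example that is not code from the original post: it runs badfred's input once through a query built by string concatenation and once through a PDO prepared statement, which is a different technique from the two escaping functions listed above. It assumes the pdo_sqlite extension, with an in-memory SQLite database standing in for MySQL; the function names are hypothetical.

```php
<?php
// Added example. In-memory SQLite stands in for the MySQL database in the post;
// freshDb(), changePasswordUnsafe(), changePasswordSafe() and passwords()
// are hypothetical names, not taken from the post's cpass.php.

function freshDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
    // Constructed sample rows matching the users table in the post.
    $pdo->exec("INSERT INTO users VALUES (1, 'goodjohn', 'doom'), (2, 'badfred', 'rattle')");
    return $pdo;
}

// Vulnerable: the input becomes part of the SQL text, so a quote ends the literal.
function changePasswordUnsafe(PDO $pdo, int $id, string $newPassword): void {
    $pdo->exec("UPDATE users SET password='$newPassword' WHERE id=$id;");
}

// Hardened: the SQL text is fixed; the input is sent separately as bound data.
function changePasswordSafe(PDO $pdo, int $id, string $newPassword): void {
    $stmt = $pdo->prepare('UPDATE users SET password = :password WHERE id = :id');
    $stmt->bindValue(':password', $newPassword, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
}

// Returns [username => password] so both runs can be compared.
function passwords(PDO $pdo): array {
    return $pdo->query('SELECT username, password FROM users ORDER BY id')
               ->fetchAll(PDO::FETCH_KEY_PAIR);
}

// The input from the post, submitted by user id 2 (note the space after --).
$input = "hacked' WHERE id=1; -- ";

$db = freshDb();
changePasswordUnsafe($db, 2, $input);   // concatenated query
print_r(passwords($db));

$db = freshDb();
changePasswordSafe($db, 2, $input);     // prepared statement
print_r(passwords($db));
```

The first dump reproduces the table shown in the post, with goodjohn's password overwritten. In the second, goodjohn's row is untouched and the whole input string is stored as badfred's password.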

Note: It is necessary to understand the above techniques in order to build a PHP application that is secure from SQL injections. But this is not all it takes. There are other attack techniques that need to be dealt with. I repeat this over and over again: it is the whole and sole responsibility of the programmer to prevent the application from taking any malicious input.

Happy Coding 🙂