Some tips to stay safe from SQL injections
Have you ever heard of SQL injection? What is it?
Well, SQL Injection happens when a developer accepts user input that is directly placed into a SQL Statement and doesn’t properly filter out dangerous characters. This can allow an attacker to not only steal data from your database, but also modify and delete it.
Let's have a look at the following SQL request used to verify that a username / password pair exists:
select count(*) from users where userName='christophe' and userPass='friendship'
Now let's have a look at the HTML form and the PHP script responsible for authentication.
HTML
<form name="frmLogin" action="login.php" method="post">
Username: <input type="text" name="userName">
Password: <input type="text" name="password">
<input type="submit">
</form>
PHP
<?php
/*###### CONNECTION STRING NOT SHOWN #####*/
$userName = $_POST['userName'];
$password = $_POST['password'];
// The submitted values are pasted straight into the SQL string: this is the injection point.
$query = "select count(*) as numrows from users where userName='$userName' and userPass='$password'";
$result = mysql_query($query);
$assoc = mysql_fetch_assoc($result);
if ($assoc['numrows'] > 0)
    echo "Logged In";
else
    echo "Bad Credentials";
?>
When the form is submitted, the PHP script gathers the submitted values and compares them against the database.
This is the kind of authentication code most inexperienced developers would write.
Now, considering the SQL request, some may say that there's nothing insecure or dangerous about this query... but is there? Maybe not at first glance, but what if I entered a username of christophe and a password of ' or 1=1 --
The query would now look like: select count(*) as numrows from users where userName='christophe' and userPass='' or 1=1 --'
What happens here is that the query checks for an empty password, or the condition 1=1. If the password field is empty OR 1 equals 1 (which it always does), then a valid row has been found in the users table. The trailing quote is commented out with the single-line comment delimiter (--).
So, with the PHP script created above, an attacker could easily log in.
There are other SQL injection methods for bypassing login screens. I could list most of them if I wanted, but that's not the goal of this post...
Now, to avoid such situations, a developer should use functions that prohibit or control the use of escape characters in user input.
I came across a script that processes your queries. Then you can safely execute them.
Find the script at http://www.phpinsider.com/php/code/SafeSQL/
Hope you enjoyed it... looking forward to your comments and questions!
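As an added example (not code from the original post or from the SafeSQL library it links to), here is the vulnerable query from above beside a hardened version. The hardened version uses PDO prepared statements, which keep the input as data rather than SQL syntax; that is a different approach from the escaping script linked above, not a substitute for reading it. The script runs against an in-memory SQLite table instead of the post's MySQL connection so it can be executed stand-alone; the table, the user christophe and the password friendship are constructed sample data.

```php
<?php
// Added example: vulnerable concatenation versus a parameterised query.
// In-memory SQLite is assumed here so the script runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data mirroring the post's example row.
$db->exec("CREATE TABLE users (userName TEXT, userPass TEXT)");
$db->exec("INSERT INTO users VALUES ('christophe', 'friendship')");

// The post's pattern: user input pasted straight into the SQL string.
// A quote in $password ends the string literal and the rest becomes SQL.
function countRowsUnsafe(PDO $db, string $userName, string $password): int
{
    $query = "select count(*) as numrows from users where userName='$userName' and userPass='$password'";
    $row = $db->query($query)->fetch(PDO::FETCH_ASSOC);
    return (int) $row['numrows'];
}

// Hardened form: named placeholders are bound by the driver, so the input
// is compared as a literal value and can never change the query's structure.
function countRowsSafe(PDO $db, string $userName, string $password): int
{
    $stmt = $db->prepare(
        "select count(*) as numrows from users where userName = :u and userPass = :p"
    );
    $stmt->execute([':u' => $userName, ':p' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return (int) $row['numrows'];
}

// The password value from the post, submitted as-is.
$injected = "' or 1=1 --";

printf("unsafe, real password:  %d\n", countRowsUnsafe($db, 'christophe', 'friendship'));
printf("unsafe, injected input: %d\n", countRowsUnsafe($db, 'christophe', $injected));
printf("safe, real password:    %d\n", countRowsSafe($db, 'christophe', 'friendship'));
printf("safe, injected input:   %d\n", countRowsSafe($db, 'christophe', $injected));
```

Run it with the pdo_sqlite extension enabled. The concatenated query reports a matching row for the injected input, because the quote and the -- comment rewrite the WHERE clause exactly as described above; the prepared statement reports no match, since the whole string is treated as the password to compare against.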