If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting!

The number one security topic present in applications that use PHP is the SQL injection. This is because PHP allows for web developers to make unfortunate mistakes when it comes to creating their SQL queries. But thankfully, fixing the problem is easy: all that is necessary is a few tips in security.

It’s rather frightening to think that a statement such as “b’ OR ‘b’='b’” can render one’s security useless. But this is indeed true, and is what we call an SQL injection. SQL injections have been the most popular way to “hack” a website in recent years. As long as the input can be validated before it is passed along to the SQL query, we can ensure that nothing bad will go wrong.

As long as we can escape the quote that needs to be used in the injection, we can prevent any type of harm that may come to a web application. The first way to accomplish this is to simply use magic quotes. It should be noted that magic quotes are no longer supported as of PHP 6, and shouldn’t be used. Instead, we leave SQL injection prevention up to a newer and more dependable command.

The common way to protect against an SQL injection attack is to simply use the mysql_real_escape_string() function that PHP has support for. When passing POST values through this function, the result becomes an escaped string that can’t be used to manipulate an SQL query- perfect for our situation.

Oddly enough, we can create a greater sense of security through creating more user accounts via our SQL program. We can assign different types of access to different users, which would make it quite hard for attackers to get full access to our database should they find a hole somewhere. Having a user for creating, deleting, and inserting data is a good idea to help split up responsibility.

A special word of advice for PHP developers: don’t buy into programs that claim they prevent SQL injections through their classes or web applications. While they may indeed do so, stopping an SQL injection is just as simple as using the previously mentioned function- no need to waste one’s money! Alternatively, SQL injection scanners can be used to help find holes.

Closing Comments

There isn’t much effort that needs to be exerted in order to declare a database safe from harm. All that is needed is a little prevention- which comes from avid usage of the function and design principles previously stated. It may also be a good idea to use SQL injection scanners on large web applications to cover holes that might not have been covered over the course of the development period.

Popularity: 47% [?]