New tutorials View all
Encapsulation in PHP
Abstract classes in PHP
An introduction to MySQL databases in PHP
Creating a user login and registration system.
First Lesson of HTML
New forum replies
Confused in The big and general IRC Bot...Jim in Php irc bot logwescooldude3 in Php irc bot logJim in AJAX + loadingJim in Php irc bot say namewescooldude3 in Php irc bot say nameRealShadow in AJAX + loading
New frontpage replies
tutorials: Creating an IRC bot in PHPtutorials: Creating an IRC bot in PHPtutorials: Creating an IRC bot in PHPtutorials: Creating an IRC bot in PHPtutorials: Creating an IRC bot in PHP
New articles
New news
PHP Security: SQL Injection (645 views)
This tutorial will explain SQL Injection. A very common security flaw not much people take serious because its a little bit harder for a cracker to hack.
Welcome to this new Combined Minds tutorial. This time I will help you with another type of security problem. One that's seen dozen times with code checks on forums.
This week I will teach you about SQL Injection. Again this is basics stuff, but just with the Get Include problem, this security flaw is also seen in scripts of experienced coders.
Lets explain SQL Injection OK?
SQL Injection is a form of XSS (Cross Side Scripting). The thought behind this, is users that are able to control your SQL server the way they want. A remedy for this problem is very simple, but first lets see a dangerous script.
Just a simple login script. You would think this would work right? Well this has quite a big problem. Think this is a admin login, so when logged in the user could delete everything he wants.
Ok lets take a look at the MySQL query when a user tries to login.
SELECT id FROM members WHERE username = 'Jim' AND password = 'myPassword' LIMIT 1
Now I try to login, no problem right?
Ok now think the user would write this as his password:
' OR username = 'Jim
In a Query this would look like this:
SELECT id FROM members WHERE username = 'ScriptKiddy' AND password = '' OR username = 'Jim' LIMIT 1
Now everyone is able to Login with my name!
There are many things you could do with this security flaw. This is just one easy but big problem.
The remedy
Well this is actually very simple. I will handle 2 options.
Using "mysql_real_escape_string()" on the login variables. This will add a slash to a dangerous quote. So when using this with our login system, the password variable would become:
\' OR username = \'Jim
By using the slashes, MySQL will not read the quotes. So your problem is easily fixed!
You use mysql_real_escape_string like this:
Ok, quite simple right?
The function addslashes() versus mysql_real_escape_string()
Some of you know might already know something about SQL Injection and how to prevent it. But using the function addslashes() is not all you need! This function has a flaw, it can't handle a specific kind of quote. You can read all about it here. So always use mysql_real_escape_string()!
Now the second option. "magic_quotes_gp" is a config option for PHP. This will add slashes always when there is user input. So when a user uses GET of POST the variables will always contain slashed quotes. This is quite a bit more easy right?
But be warned! Not every server has this on, so just to be sure always use the mysql_real_escape_string function!
This is the end of this weeks tutorial. I hope you've learned from this.
This week I will teach you about SQL Injection. Again this is basics stuff, but just with the Get Include problem, this security flaw is also seen in scripts of experienced coders.
Lets explain SQL Injection OK?
SQL Injection is a form of XSS (Cross Side Scripting). The thought behind this, is users that are able to control your SQL server the way they want. A remedy for this problem is very simple, but first lets see a dangerous script.
| php | |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
<?php // reading the post data from a form (login form) $login = $_POST['login']; $pass = $_POST['password']; // query to search login data $check = mysql_query("SELECT id FROM members WHERE username = '".$login."' AND password = '".$pass."' LIMIT 1") or die(mysql_error()); // count the number of found rows $count = mysql_num_rows($check); // if its zero, no login combination found if($count < 1){ echo'No valid login data!'; } else { // login combination found! $data = mysql_fetch_assoc($check); $_SESSION['loggedin'] = $data['id'] echo'Logged in successfully.'; } ?> |
Just a simple login script. You would think this would work right? Well this has quite a big problem. Think this is a admin login, so when logged in the user could delete everything he wants.
Ok lets take a look at the MySQL query when a user tries to login.
SELECT id FROM members WHERE username = 'Jim' AND password = 'myPassword' LIMIT 1
Now I try to login, no problem right?
Ok now think the user would write this as his password:
' OR username = 'Jim
In a Query this would look like this:
SELECT id FROM members WHERE username = 'ScriptKiddy' AND password = '' OR username = 'Jim' LIMIT 1
Now everyone is able to Login with my name!
There are many things you could do with this security flaw. This is just one easy but big problem.
The remedy
Well this is actually very simple. I will handle 2 options.
Using "mysql_real_escape_string()" on the login variables. This will add a slash to a dangerous quote. So when using this with our login system, the password variable would become:
\' OR username = \'Jim
By using the slashes, MySQL will not read the quotes. So your problem is easily fixed!
You use mysql_real_escape_string like this:
| php | |
|
1 2 3 4 5 6 |
<?php // user $user = mysql_real_escape_string($_POST['login']); $pass = mysql_real_escape_string($_POST['login']); ?> |
Ok, quite simple right?
The function addslashes() versus mysql_real_escape_string()
Some of you know might already know something about SQL Injection and how to prevent it. But using the function addslashes() is not all you need! This function has a flaw, it can't handle a specific kind of quote. You can read all about it here. So always use mysql_real_escape_string()!
Now the second option. "magic_quotes_gp" is a config option for PHP. This will add slashes always when there is user input. So when a user uses GET of POST the variables will always contain slashed quotes. This is quite a bit more easy right?
But be warned! Not every server has this on, so just to be sure always use the mysql_real_escape_string function!
This is the end of this weeks tutorial. I hope you've learned from this.
Replies on PHP Security: SQL Injection:
Jump to comment page: 1
Jump to comment page: 1
You are not logged in. Please login or register an account, it just takes 30 seconds.
Hello...
First of all I would like to say congratulations for the tutorial. Four years or so have passed since the first sql injection attack (at packetstorm, if I remember correctly) and there are still many websites vulnerable...
Anyway. I would like to make an addition at the things you said. Many times, SQL injections can be done, without the use of a single quote. If for example, you have a query
Select name,surname,address from customers where id={$_POST['id']} , and the user enters something like this:
88; drop table customers
He has successfully deleted your customers table. So, as an extra step of precaution, I would advice everybody, to check their input for quote, colons, semicolons and other illegal characters, and if possible, drop the action, requested from the user.
Take care
God bless
timepasser