SQL injection is becoming a problem for web developers, especially those new to the field who aren't yet aware of how insecure PHP code can be. But as the experts like to say, PHP isn't the problem; it's the knowledge of the programmer that counts when it comes to preventing SQL injection attacks.

An SQL injection attack is, simply put, the exploitation of a vulnerability in an SQL query that the programmer unwittingly left wide open. When a web developer builds an SQL query from user input, he or she will commonly forget to escape the quotes that the user might type in. A user might submit text such as `MyVariable' OR 1=1--`; because the quote closes the string literal and `--` comments out the rest of the statement, this one line can give the malicious user access to your database!

PHP developers have used the magic quotes feature to help safeguard against SQL injection. Magic quotes are no longer in use, however, since they were more of a hassle than anything. It is recommended that a developer who has relied on magic quotes remove that dependency, since they are no longer supported as of PHP 6. Thus, we need to look elsewhere for a security solution.

Using the `mysql_real_escape_string()` function will enable web developers to escape quotes properly. And unlike magic quotes, this function will only escape the input we explicitly pass to it. Keep in mind that when using this function, it may be necessary to use the `stripslashes()` function to remove the slashes that are output as a result.

Another good way to prevent SQL injection is simply to restrict the privileges of SQL users wherever possible. For instance, it is a good idea to create individual database users that do specific things, such as one that can create a table and another that can only update rows in that table. This makes the task of ruining one's hard work much harder for malicious web users, although it is a lot more work for webmasters (well worth it, though).

A special word of advice for PHP developers: don't buy into programs that claim to prevent SQL injection through their classes or web applications. While they may indeed do so, stopping an SQL injection is as simple as using the previously mentioned function, so there is no need to waste one's money. SQL injection scanners, on the other hand, can be useful for finding holes you have missed.

Closing Comments

There isn't much effort required to keep a database safe from harm. All that is needed is a little prevention, which comes from consistent use of the function and the design principles stated above. It is also a good idea to run SQL injection scanners against large web applications to catch holes that may have been missed over the course of development.
