SQL Injection :: What It Is, And How To Prevent It

This was originally posted by me at dream.in.code. (link)

SQL Injection is a form of hacking that has taken down innumerable websites, and it’s no comforting idea that your site could be next. In this tutorial, I will give you a brief synopsis of what SQL Injection really is, and how to protect your website from it. This tutorial assumes that you have a fairly good knowledge of PHP, you understand the GET and POST methods, and you have used and at least partly understand SQL.

SQL Injection is usually done through areas where user input is added into a database, or where GET/POST values are parsed and added into a database. For example, this is a piece of code that will read a GET value and add it to the database:

mysql_query("INSERT INTO table VALUES('" . $_GET["value"] . "')");

Now let’s create the scenario. That code is located at http://example.com/update.php. If the page was visited with the GET values:

http://example.com/update.php?value=bwahaha

This would give us an SQL query like this:

INSERT INTO table VALUES('bwahaha')

That code is all fine and dandy, but what if someone visited the page like this:

http://example.com/update.php?value=blah'); DELETE FROM table WHERE value != 0; INSERT INTO table VALUES('HACKED!

This would make an SQL query:

INSERT INTO table VALUES('blah'); DELETE FROM table WHERE value != 0; INSERT INTO table VALUES('HACKED!')

That is one piece of malicious code. This would essentially delete all rows from the database, except for ones with a value of 0. Then, you would probably have one row which would let you know that you were hacked.

Now you probably want to know how to protect your site(s) from this, right? It’s fairly simple, actually. We can use a function from a code snippet I published, called sql_sanitize.

[sourcecode lang='php']
function sql_sanitize( $sCode ) {
    if ( function_exists( "mysql_real_escape_string" ) ) { // If PHP version >= 4.3.0
        $sCode = mysql_real_escape_string( $sCode ); // Escape the MySQL string (needs an open MySQL connection).
    } else { // If PHP version < 4.3.0
        $sCode = addslashes( $sCode ); // Precede sensitive characters with a backslash.
    }
    return $sCode; // Return the sanitized string.
}
[/sourcecode]

Now let's put this into action. Remember the code we had earlier? Let's change that:

[sourcecode lang='php']
mysql_query("INSERT INTO table VALUES('" . sql_sanitize($_GET["value"]) . "')");
[/sourcecode]

This will "sanitize" the value and protect your database from people doing anything malicious to it.

Well, there you go! I suggest you implement this method wherever you are putting user input into the database. Instead of using $_GET["value"], for instance, just use sql_sanitize($_GET["value"])! It really is that simple.
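As an added example (not code from the original post), the three ways of running the post's INSERT are modelled in Python on an in-memory SQLite table so it runs offline: the concatenated query from the post, the post's escape-then-concatenate fix, and parameter binding, which is the approach now recommended over escaping. SQLite's quote-doubling stands in for mysql_real_escape_string (which needs a live MySQL connection); the table name demo and its two seed rows are constructed.

```python
import sqlite3

# Constructed sample inputs: the benign value from the post and the exact
# payload it walks through, aimed at a constructed table named "demo".
BENIGN = "bwahaha"
MALICIOUS = "blah'); DELETE FROM demo WHERE value != 0; INSERT INTO demo VALUES('HACKED!"

def fresh_db():
    """In-memory table seeded with two rows so a DELETE is visible."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE demo (value TEXT)")
    con.executemany("INSERT INTO demo VALUES(?)", [("alice",), ("bob",)])
    return con

def rows(con):
    return [r[0] for r in con.execute("SELECT value FROM demo ORDER BY rowid")]

def sql_escape(value):
    """SQLite's quoting rule (double each single quote).  Stands in for
    mysql_real_escape_string, which needs an open MySQL connection."""
    return value.replace("'", "''")

def insert_concat(con, value):
    """The post's vulnerable pattern: raw input glued into the SQL text.
    executescript runs every statement in the string, so the ';' inside
    the input becomes a statement boundary and the input chooses the SQL."""
    con.executescript("INSERT INTO demo VALUES('" + value + "')")
    return rows(con)

def insert_escaped(con, value):
    """The post's sql_sanitize() idea: escape, then concatenate.  This only
    holds because the value sits inside a quoted string literal."""
    con.executescript("INSERT INTO demo VALUES('" + sql_escape(value) + "')")
    return rows(con)

def insert_param(con, value):
    """Parameter binding: the SQL text is fixed and the value is sent
    separately, so nothing in it can alter the statement."""
    con.execute("INSERT INTO demo VALUES(?)", (value,))
    return rows(con)

if __name__ == "__main__":
    print("concat :", insert_concat(fresh_db(), MALICIOUS))   # ['HACKED!']
    print("escaped:", insert_escaped(fresh_db(), MALICIOUS))  # alice, bob, payload as one row
    print("param  :", insert_param(fresh_db(), MALICIOUS))    # alice, bob, payload as one row
```

The concatenated version loses the seed rows exactly as the post describes, while both the escaped and the bound version store the whole payload as one harmless row.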

Did you find this article useful? Please leave a comment to let me know. Don’t worry, you don’t need to register for a simple comment.


17 Responses to “SQL Injection :: What It Is, And How To Prevent It”


  1. Felix November 26, 2007 at 5:46 pm

    Your SQL syntax is wrong =P

    DELETE * FROM `table` WHERE …
    should be
    DELETE FROM `table` WHERE …

  2. Root March 13, 2008 at 3:38 pm

    RE TO FELIX:
    [quote]DELETE FROM `table` WHERE …[/quote] <<<< BUT YOUR SQL SYNTAX IS INCORRECT!! LEARN SQL!! :))

    DELETE * FROM `table` WHERE …

    <<<< IT'S CORRECT

  3. cakarayam February 13, 2011 at 9:39 pm

    Here I wrote about Simple Tips to Prevent SQL Injection too. I prefer using mysql_real_escape_string() instead of mysql_escape_string(), and passing every query through sprintf() before executing it.

  4. Erika November 16, 2013 at 1:15 am

    Your blog post, “SQL Injection :: What It Is, And How To Prevent It | Obsessed with the Press” ended up being definitely worth writing a comment down here in the comment section! Basically wanted to point out you actually did very good work. Thanks -Nolan

  5. Tiredness causes February 28, 2014 at 5:45 pm

    I ran across your website by mistake, but I am delighted I did so! Many thanks for the guidance.

  6. Willie March 7, 2014 at 1:57 pm

    I am pleased that others still take the opportunity to come up with enjoyable topics.

  7. garlic supplements health benefits March 11, 2014 at 9:11 pm

    I am grateful that people even now spend their moments to come up with purposeful articles.

  8. daniellediehac.bravejournal.com March 14, 2014 at 12:39 pm

    I’ve been reading through your website for some time, but only now have I decided to add at least a howdy here.

  9. coelection March 29, 2014 at 2:13 am

    I would like to display some appreciation for your efforts to put together this informative web site.

  10. trucos para adelgazar March 31, 2014 at 2:02 am

    I have been looking for this kind of material for a long time, but I was struggling to find a faithful reference until now. Thanks.

  11. recomendaciones para bajar de peso April 1, 2014 at 1:42 am

    I signed up to your feed; I will be looking forward to reading a lot more content like this.

  12. Adelgazar rapido en una semana April 7, 2014 at 12:31 am

    Examining this post assisted me to comprehend many points I was uninformed of!

  13. http://get.adobe.com/flashplayer/ July 19, 2014 at 9:27 am

    I have been following your web site for a long time, but only recently did I decide to submit at least a heya here.

  14. Lucian May 24, 2016 at 6:26 am

    In my opinion this is an exceptional blog. Thanks.

  15. dieta01.com August 30, 2017 at 12:22 pm

    Hello

    I was reading your article and there is a lot of information I didn't know that you have cleared up for me, it's great..

    I wanted to repay the time you dedicated with infinite thanks, for educating people like me,
    hehehe.

    Kisses
