"INSERT INTO subjects (menu_name, position, visible) VALUES ('{$menu_name}', {$position}, {$visible})"

$menu_name = "Today's Widget Trivia";

"INSERT INTO subjects (menu_name, position, visible) VALUES ('Today's Widget Trivia', 1, 1)"

Here we're going to insert a menu name, and the menu name is going to be a variable. Well, what if our menu name is "Today's Widget Trivia"? What if that's the string that we want to drop in there? Insert into subjects (menu_name, position, visible) the values Today's Widget Trivia, 1, 1. Do you see the problem with that? Let me highlight it for you. We're closing our single quotes without meaning to. The result is that MySQL thinks the string we're sending is 'Today', and that's it; the apostrophe in "Today's" has broken the rest of the statement. Everything after that will be seen as garbage and we'll get an error back.


Now, this is an innocent example, but sometimes the values that come in are not ours, nor are they even from well-meaning admins of the site. URL strings, form data and cookies are often coming in from the public at large. And therefore they’re completely out of our control as developers. And not everyone who comes to our website has our best interests in mind. If we use those values exactly as they come in we could be in for a world of hurt.

// Please don't try this... ever.
$menu_name = "'); DROP TABLE subjects; '";

Let me show you an example. Let's say that we have a menu name and it's equal to a single quote at the beginning, followed by some SQL that someone else would like us to run, followed by another single quote at the end. They may have to modify it slightly so that it doesn't raise an error and actually does execute, but you can see the result here. They're basically taking what was a simple insert statement and turning it into dropping our entire table of subjects. And they can do other things, too. They can have it export all of our users and their passwords, things like that, that we don't want them to do.

This process is called SQL injection. The user sends a carefully crafted URL string, or a form field value, and it injects their SQL into ours. SQL injection is the single easiest way for someone to hack your website and steal your data. SQL injection is the single biggest problem that you need to be guarding against as a web developer. There are lots of things that you need to watch out for when you are developing for the web, and lots of security issues you should be concerned about. But SQL injection is the big one.

Now, if you stop and think about it, breaking the syntax of SQL is similar to how we saw that we could break the syntax of a URL or HTML earlier on. And the solution here is going to be the same as it was for both of those. We need to escape the string. That is, to transform it so that any problem characters in it are rendered harmless. So let's learn how to do that. Let's learn the ways in PHP that we can escape strings to make them safe for putting into queries that we're going to send to SQL.
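The following is an added example written for this page; it is not code from the lesson itself. It builds the lesson's INSERT three ways: by naive interpolation (which breaks on the apostrophe in "Today's Widget Trivia"), by escaping the value, and with a prepared statement, and then stores the hostile value from the lesson through the prepared statement to show that it ends up as an inert row rather than as executed SQL. It assumes PHP with the PDO extension and the SQLite driver so that it runs offline against an in-memory database; the table layout (subjects with id, menu_name, position, visible) is the lesson's, and the PDO calls are the same for MySQL apart from the DSN. For the mysqli API the escaping equivalent is mysqli_real_escape_string().

```php
<?php
// Added example (not from the original lesson). In-memory SQLite via PDO so it
// runs offline; only the DSN would change for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subjects (id INTEGER PRIMARY KEY, menu_name TEXT, position INTEGER, visible INTEGER)');

$menu_name = "Today's Widget Trivia";   // the innocent value from the lesson
$position  = 1;
$visible   = 1;

// 1. Naive interpolation: the apostrophe in the value closes the SQL string
//    literal early, so the database sees 'Today' followed by garbage and errors.
$bad = "INSERT INTO subjects (menu_name, position, visible) VALUES ('{$menu_name}', {$position}, {$visible})";
try {
    $db->exec($bad);
    echo "Unexpected: interpolated query succeeded\n";
} catch (PDOException $e) {
    echo "Interpolated query failed: " . $e->getMessage() . "\n";
}

// 2. Escaping: PDO::quote() doubles embedded apostrophes and adds the outer
//    quotes, so the whole value stays one string literal. Numbers are cast to
//    int because quote() only protects string literals.
$escaped = $db->quote($menu_name);
$safe = "INSERT INTO subjects (menu_name, position, visible) VALUES ({$escaped}, " . (int) $position . ", " . (int) $visible . ")";
$db->exec($safe);

// 3. Prepared statement: the value never becomes part of the SQL text at all,
//    so there is nothing to escape. This is the preferred form.
$stmt = $db->prepare('INSERT INTO subjects (menu_name, position, visible) VALUES (:menu_name, :position, :visible)');
$stmt->execute([':menu_name' => $menu_name, ':position' => $position, ':visible' => $visible]);

// The hostile value from the lesson, sent through the prepared statement:
// it is stored as a plain string and no DROP TABLE runs.
$hostile = "'); DROP TABLE subjects; '";
$stmt->execute([':menu_name' => $hostile, ':position' => 2, ':visible' => 0]);

// Show what was stored: the table still exists and every value is intact.
foreach ($db->query('SELECT id, menu_name FROM subjects ORDER BY id') as $row) {
    echo $row['id'], ': ', $row['menu_name'], "\n";
}
```

Running this prints the error from the interpolated query, then lists three rows: two copies of "Today's Widget Trivia" (escaped and prepared) and the hostile string stored verbatim, which is what "rendered harmless" means in practice.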

