How To Prevent Disastrous SQL Injection Attacks
Posted on July 16, 2008
Filed Under Computers and Technology
One of the biggest flaws in the PHP language is that it lets web developers make very serious security mistakes. One example is SQL injection: an exploit that malicious users take advantage of when web developers do not properly safeguard their application.
It is rather frightening to think that a string such as "b' OR 'b'='b" can render a site's security useless. But this is indeed the case, and it is what we call an SQL injection. SQL injection has been the most popular way to "hack" a website in recent years. As long as the input is validated before it is passed into the SQL query, we can ensure that nothing will go wrong.
Magic quotes have long helped web developers secure their SQL query statements. But as it stands today, this feature is deprecated and no longer in use. Magic quotes have earned a bad reputation: they do escape quotes, but they do so on all input rather than just the particular field that needs escaping. Magic quotes are a hassle and can even lead to performance issues, so developers tend to ignore them.
Using the mysql_real_escape_string() function lets web developers escape quotes properly. Unlike magic quotes, this function escapes only the values we choose to pass to it. Keep in mind that when using this function it may be necessary to call stripslashes() to counteract the backslashes that would otherwise end up in the output.
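As an added illustration (not code from the original post), here is a Python/sqlite3 stand-in for the PHP login query: the post's "b' OR 'b'='b" payload turns a string-built query into one that matches every row, while escaping the value (doubling single quotes, the standard-SQL analogue of what mysql_real_escape_string() does with backslashes for MySQL) or binding it as a parameter keeps it inert. The users table, the name "alice" and the password are constructed sample data.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the site's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    # Untrusted input is pasted straight into the SQL text, which is the
    # mistake the post describes: the input can change the query's structure.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def escape_quotes(value):
    # Assumed analogue of mysql_real_escape_string(): standard SQL doubles a
    # single quote inside a string literal, so the value stays one literal.
    return value.replace("'", "''")


def login_escaped(conn, name, password):
    sql = (f"SELECT name FROM users WHERE name = '{escape_quotes(name)}' "
           f"AND password = '{escape_quotes(password)}'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    # Bound parameters: the driver sends the value separately from the SQL,
    # so no quoting trick in the input can alter the statement.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    conn = make_db()
    payload = "b' OR 'b'='b"  # the payload quoted in the post
    return {
        "vulnerable": login_vulnerable(conn, "alice", payload),      # ['alice']: bypassed
        "escaped": login_escaped(conn, "alice", payload),            # []
        "parameterized": login_parameterized(conn, "alice", payload),  # []
        "legit": login_parameterized(conn, "alice", "s3cret"),       # ['alice']
    }


if __name__ == "__main__":
    print(demo())
```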
Another good way to prevent SQL injection is simply to restrict the privileges of SQL users where possible. For instance, it is a good idea to create individual users for specific tasks, such as creating a table or updating rows in that table. This makes ruining one's hard work much harder for malicious web users, although it is considerably more work for webmasters (well worth it, though).
A special word of advice for PHP developers: don't buy into programs that claim to prevent SQL injection through their classes or web applications. While they may indeed do so, stopping an SQL injection is as simple as using the function mentioned above, so there is no need to waste one's money. Alternatively, SQL injection scanners can be used to help find holes.
Closing Comments
SQL injections are never a pretty sight. They ruin databases, put the website's users at risk, and can even destroy entire websites. Thus, it is good either to hire developers who know what they are doing or to brush up on some security topics oneself. Doing so can save a webmaster a world of hurt, as well as quite a bit of money from not having to buy applications that claim to do the "hard work" for webmasters. In the end, developers are advised to pick up a good book or visit their favorite PHP security websites to stay informed.