What you (yes, you too) need to know about sql injection
Join Date: May 2008
Posts: 31
Solved Threads: 5
In reading and posting on this forum, I see a lot of code here that doesn't consider SQL injection.
SQL injection is an attack where the attacker terminates or modifies an SQL query with input data.
Here are some samples:
http://en.wikipedia.org/wiki/SQL_injection
http://www.unixwiz.net/techtips/sql-injection.html
http://www.securiteam.com/securityre...DP0N1P76E.html
In Michael Howard's blog, he wrote up a very nice primer on this type of attack and why it's important to secure yourself against it.
Forget that this guy works for Microsoft, and this is a php forum, because all the same stuff applies to us.
I've wanted to write this up for just about every post I've seen here... There's a scary disregard for input filtering among most of these posts.
http://blogs.msdn.com/sdl/archive/20...-deserves.aspx
Some things he doesn't mention, which also help, are:
1. Limit the size of your parameters
If you are expecting no more than 10 characters, then substr($var, 0, 10) the variable. The larger the string you allow, the more space an attacker has to work with malicious queries.
If you are expecting a 1-digit integer, then substr($var, 0, 1) and test it with is_int().
2. Use php's string handling functions
PHP has a ton of variable, SQL filtering and format validation functions, use them 8) htmlentities() is very powerful for handling issues etc. before handing the var off to the validation and filtering routines.
SQL injection is very serious and can lead to everything from stolen data, to defaced sites, to your site users getting infected with malware (by modifying links to point at counterfeit sites with malicious ActiveX controls or 0day Flash exploits). As a developer, it's your responsibility to filter your user input. You can filter it client side for user convenience, but it *absolutely* must be filtered at the posting processor (server side script) no matter what.
Remember a user can completely bypass any JavaScript validation you are using with a local proxy (such as Paros or TamperData for Firefox) and submit anything they want at your server.
Happy filtering!
-Viz
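The following is an added example, not code from Viz's post: it puts a query built by string concatenation next to the same query as a PDO prepared statement, and adds a server-side length-plus-digits check for a numeric id in the spirit of point 1 above (ctype_digit() is used here instead of is_int(), because request values arrive as strings). It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database whose table and rows are constructed for the demo.

```php
<?php
// Added example (not from the original post). Requires PHP with pdo_sqlite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Vulnerable: the request value is pasted straight into the SQL text, so a
// quote in the input ends the string literal and the rest is parsed as SQL.
function findUserUnsafe(PDO $db, string $name): array {
    $sql = "SELECT name, role FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is sent as a bound parameter. The SQL text is fixed
// before the user data is seen, so the data can only ever be compared, never parsed.
function findUserSafe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Server-side check for a numeric id: bounded length (point 1 of the post) and
// ASCII digits only. ctype_digit() rejects '', '-1', '4e2' and '42abc'.
function validUserId(string $raw): ?int {
    if ($raw === '' || strlen($raw) > 10 || !ctype_digit($raw)) {
        return null;
    }
    return (int) $raw;
}

// Constructed hostile input: the classic tautology from the linked references.
$hostile = "' OR '1'='1";

$unsafe = findUserUnsafe($db, $hostile);
$safe   = findUserSafe($db, $hostile);

printf("unsafe query matched %d rows, prepared statement matched %d rows\n",
       count($unsafe), count($safe));

foreach (['42', '42abc', '-1', '12345678901'] as $candidate) {
    $id = validUserId($candidate);
    printf("id %-12s -> %s\n", var_export($candidate, true),
           $id === null ? 'rejected' : "accepted as $id");
}
```

Run it with `php example.php`. The concatenated query is rewritten by the input into `WHERE name = '' OR '1'='1'` and matches every row, while the prepared statement looks for a user literally named `' OR '1'='1` and matches none. Note that length limits and character checks, as the post says, reduce the attacker's room to work; the bound parameter is what removes the class of bug, so use both.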
Join Date: Jun 2008
Posts: 1
Solved Threads: 0
I completely agree - proper escaping is important to SQL as much as PHP. Timely post, especially as reports of SQL injections are cropping up all over the place.
**************
Nico del Castillo
Microsoft Security Outreach Team
<URL SNIPPED>
**************
Last edited by peter_budo; Jun 4th, 2008 at 4:56 am. Reason: Keep It Spam-Free - Do not spam, advertise, plug your website, or engage in any other type of self promotion.