Member Avatar for rgviza

In reading and posting on this forum, I see a lot of code here that doesn't consider sql injection.

SQL injection is an attack where the attacker terminates or modifies an sql query with input data.
Here are some samples:
http://en.wikipedia.org/wiki/SQL_injection
http://www.unixwiz.net/techtips/sql-injection.html
http://www.securiteam.com/securityreviews/5DP0N1P76E.html

In Michael Howard's blog, he wrote up a very nice primer on this type of attack and why it's important to secure yourself against it.

Forget that this guy works for Microsoft, and this is a php forum, because all the same stuff applies to us.

I've wanted to write this up for just about every post I've seen here... There's a scary disregard for input filtering among most of these posts.

http://blogs.msdn.com/sdl/archive/2008/05/15/giving-sql-injection-the-respect-it-deserves.aspx

Some things he doesn't mention, which also help, is:
1. Limit the size of your parameters
If you are expecting no more than 10 characters, then substr($var, 0,10) the variable. The larger the string you allow, the more space an attacker has to work with malicious queries.
If you are expecting a 1 digit integer, then substr($var,0,1) and test it with is_int().
2. Use php's string handling functions
php has a ton of variable, sql filtering and format validation functions, use them 8) htmlentities() is very powerful for handling issues etc before handing the var off to the validation and filtering routines.

SQL injection is very serious and can lead to everything from stolen data, to defaced sites, to your site users getting infected with malware (by modifying links to point at counterfeit sites with malicious active x controls or 0day flash exploits). As a developer, it's your responsibility to filter your user input. You can filter it client side for user convenience, but it *absolutely* must be filtered at the posting processor (server side script) no matter what.

Remember a user can completely bypass any javascript validation you are using with a local proxy (such as Paros or TamperData for firefox) and submit anything they want at your server.

Happy filtering!
-Viz

  • 2 Contributors
  • 1 Reply
  • 89 Views
  • 3 Days Discussion Span
  • Latest Post Latest Post by NicoMS
darkagn commented: Some great advice there +1
Member Avatar for NicoMS

I completely agree - proper escaping is important to SQL as much as PHP. Timely post, especially as reports of SQL injections are cropping up all over the place.
**************
Nico del Castillo
Microsoft Security Outreach Team
<URL SNIPPED>

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.