Blog About Network

The number one security topic present in applications that use PHP is the SQL injection. This is because PHP allows for web developers to make unfortunate mistakes when it comes to creating their SQL queries. But thankfully, fixing the problem is easy: all that is necessary is a few tips in security.

An SQL injection attack is, simply put, a vulnerability in the SQL query that programmers unwittingly leave wide open. When a web developer calls an SQL query, he or she will commonly forget to escape quotes that the user might input. Users might input text such as “MyVariable’ OR 1=1–” ; this line will actually give the malicious user to your database!

PHP developers have used the magic quotes function to help safeguard against SQL injections. Magic quotes are no longer in use, however, since they were more of a hassle than anything. It is recommended that if a developer has used magic quotes, he or she should remove them since they are no longer supported as of PHP 6. Thus, we need to look elsewhere for a security solution.

The common way to protect against an SQL injection attack is to simply use the mysql_real_escape_string() function that PHP has support for. When passing POST values through this function, the result becomes an escaped string that can’t be used to manipulate an SQL query- perfect for our situation.

Oddly enough, we can create a greater sense of security through creating more user accounts via our SQL program. We can assign different types of access to different users, which would make it quite hard for attackers to get full access to our database should they find a hole somewhere. Having a user for creating, deleting, and inserting data is a good idea to help split up responsibility.

It should be noted that programs and web applications that stop SQL injections should not be obtained- since they commonly cost quite a bit of money. As long as webmasters take precautions with what they create, there should be no reason to spend hundreds of dollars on software that only makes use of escape characters and formatting data correctly. This type of application is created to con webmasters into buying something they don’t need- so dont fall victim to them!

Closing Comments

SQL injections are never a pretty sight. They ruin databases, can be a security risk to users of the website, and they even can destroy entire websites. Thus, it’s good to either hire developers that know what they are doing or to brush up on some security topics by one’s self. Doing so can save a world of hurt for a webmaster, as well as quite a bit of money from not having to buy mock applications that claim to do the “hard work” for webmasters. In the end, it’s recommended developers pick up a good book or visit their favorite PHP security websites to stay informed.

Tags: Computers and Technology