Preventing SQL Injection
~example of SQL injection
•
$user = $_POST[‘user’];
$pass = $_POST[‘pass’];
$query = DELETE FROM Users
WHERE user = ‘$user’ AND
pass = ‘$pass’;
•
Someone enters anything’ or 1=1#
•
$user = $_POST[‘user’];
$pass = $_POST[‘pass’];
$query = DELETE FROM Users
WHERE user = ‘anything’
OR 1=1#’ AND pass = ‘ ’;
•
the results you lose everything in your
database
~ how to prevent injection
•
<?php
$user = mysql_fix_string($_POST[‘user’]);
$pass = mysql_fix_string($_POST[‘pass’]);
$query = “SELECT * FROM Users
WHERE user = ‘$user’ AND
pass = ‘$pass’;
function mysql_fix_string($string)
{
if (get_magic_quotes_gpc()) __
__$string = stripslashes(‘$string’);
return mysql_real_escape_string($string);
}
?>
•
this function will remove any magic quotes
added to a user in-putted string and then
properly sanitize it for you
–
magic quotes are a built-in feature in php which
automatically escape any characters such as a single and
double quotes by prefacing them with a backslash (\)
Using Placeholders
•
•
•
•
Idea is to predefine a query
using ? Characters where
the data appears
Then instead of calling a
MySQL query directly, you
call the predefined one
This ensures that every item
of data entered is inserted
directly into the database
and cannot be interpreted
as SQL queries.\
Once you have prepared a
statement you can use it as
often as you wish until you
deallocate it.
~using placeholders with PHP
•
<?php
require ‘login.php’;
$db_server = mysql_connect($hostname, $username, $password);
if ( !@db_server) die (“Unable to Connect to MYSQL” . Mysql_error());
mysql_select_db($database)
or die(“Unable to select database” . Mysql_error());
$query = ‘PREPARE statement FROM “INSERT INTO classics
VALUES (?,?,?,?,?)” ’;
mysql_query($query);
$query = ‘SET @author = “Emily Bronte”,’ .
‘@title = “Wuthering Height”,’ .
‘@category = “Classic Fiction”, ‘.
‘@year = “1847” ,‘.
‘@isbn = “9848483930202”,’ ;
mysql_query($query);
$query = ‘EXECUTE statement USING @author,@title,@category,@year,@isbn’;
mysql_query($query);
$query = ‘DEALLOCATE PREPARE statement’;
mysql_query($query);
?>
Preventing HTML Injection
•
•
•
occurs when you allow HTML to be
input by a user and then displayed back
by your website
one of the most common threat in
HTML injection is that a malicious user
will write the code that steals cookies
from your site’s users
prevent this by simply calling the
htmlentities function, which strips out
all HTML markup codes and replaces
with a form that displays the characters
not allowing a browser to act on them.
~ example for preventing both SQL
and XSS injections
•
<?php
$user = mysql_entities_fix_string($_POST[‘user’])
$pass = mysql_entities_fix_string($_POST[‘pass’])
$query = “SELECT FROM users
WHERE user=‘$user’ And pass=‘pass’”;
function mysql_entities_fix_string($string)
{
return htmlentities(mysql_fix_string($string));
}
function mysql_fix_string($string)
{
if (get_magic_quotes_gpc()) string=stripslashes($string);
return mysql_real_escape_string($string);
}
?>