Wednesday, July 25, 2007

SQL Injection Attacks Linger

To experienced Web developers, it's a cardinal sin: passing user input into a database query without first processing it to escape special characters is bad! But as a beginner-friendly language, PHP is host to this mistake more often than most. If you don't understand SQL injection attacks, read this!

The danger is easy to explain. Your site's security relies on a database query that includes one or more values taken from user input (e.g. login credentials). But, because you neglected to encode special characters in those values, an attacker is able to bypass your site's security by entering carefully-chosen values that alter the meaning of the query.

PHP's magic quotes feature is designed to save inexperienced coders from themselves. Values in the $_GET, $_POST, $_COOKIE, and $_REQUEST arrays have backslashes added to them so that they are safe for use in database queries. But magic quotes isn't enabled on every server, and not all user input arrives through the $_GET, $_POST, $_COOKIE, and $_REQUEST arrays, which are the only places magic quotes protects.
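As an added example (not code from the original post), here is the vulnerable pattern described above beside a prepared-statement version that does not depend on magic quotes at all. It runs offline against an in-memory SQLite database through PDO; the users table, its rows and the "o'brien" credentials are constructed for illustration.

```php
<?php
// Added example: string-spliced query versus a bound-parameter query.
// The database, table and rows below are constructed for this demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 's3cret'), ('o''brien', 'pw')");

// VULNERABLE: user input is spliced into the SQL text. Any quote character
// in $user or $pass becomes part of the query's syntax instead of its data.
function loginUnsafe(PDO $db, $user, $pass)
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$user' AND password = '$pass'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// SAFE: a prepared statement sends the SQL and the values separately, so the
// database never parses the values as SQL. There is no escaping step to forget.
function loginSafe(PDO $db, $user, $pass)
{
    $stmt = $db->prepare(
        "SELECT COUNT(*) FROM users WHERE username = :u AND password = :p"
    );
    $stmt->execute(array(':u' => $user, ':p' => $pass));
    return (int) $stmt->fetchColumn() > 0;
}

// When input really does come from $_GET/$_POST/$_COOKIE on a server with
// magic quotes on, undo its backslashes first so the value is bound as typed.
// get_magic_quotes_gpc() existed in PHP 4/5 and was removed in PHP 8, hence the guard.
function rawInput($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Constructed input: a legitimate username that happens to contain a quote.
$user = "o'brien";
$pass = "pw";

try {
    var_dump(loginUnsafe($db, $user, $pass));   // the quote breaks the query
} catch (PDOException $e) {
    echo "unsafe query failed: " . $e->getMessage() . "\n";
}
var_dump(loginSafe($db, rawInput($user), rawInput($pass)));  // bool(true)
```

The same quote that causes the spliced query to fail is exactly what an attacker would use to change the query's meaning; binding the value removes that possibility.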

SitePoint's PHP columnist Harry Fuecks spotted one such mistake in a popular PHP magazine in the UK recently, showing that even supposed experts can get this wrong now and then!

SitePoint has a couple of articles that cover SQL injection attacks and ways to avoid them. SQL Injection Attacks - Are You Safe? discusses such attacks in ASP code, while Chapter 3 of The PHP Anthology (which is available free for you to read online) covers the subject in PHP.

SitePoint Tech Times
