SQL Injection: a basic introduction to SQL injection

I have almost completed one year of PHP coding, even though I was not technically aware of it. I have used the word 'technically' because I knew what can be done to prevent SQL injection but had not yet actually implemented it.

But today, by luck, I got some time and figured out what SQL injection actually is.

SQL injection can be used for anonymous login and for fetching database table details.
It can select table data, insert rows, and much more.

Here I am giving you the whole idea of how SQL injection can be used for anonymous login.
If you understand it thoroughly, then use it for protecting your own code and not for damaging others' databases. 🙂

MAIN CAUSE:

1. SQL injection is possible because of the MySQL string delimiter ' (single quote): input containing a quote closes the string literal, and whatever follows is parsed as SQL.


Here is how it works. Where you write a select query, see how this single quote ' works its magic:

$user = "user1";
$pass = "pass1";

$query = "select * from users where username='$user' and password='$pass'";

echo $query;

//output: select * from users where username='user1' and password='pass1'

The above query is a simple SQL query, where the username and password parameters are enclosed in single quotes (i.e. between ' and ').

Now observe the parameters below:

$user = "user1";

$pass = "pass1' OR 1='1";

$query = "select * from users where username='$user' and password='$pass'";

echo $query;

//output: select * from users where username='user1' and password='pass1' OR 1='1'

Because OR 1='1' is always true, the WHERE clause now matches every row, so the login succeeds without a valid password.

2. UNION: MySQL UNION functionality

Suppose your page test.php accepts a parameter,

e.g.: test.php?id=2

so an attacker can pass the id value as

e.g.:

test.php?id=-2 + union + SELECT * FROM Profiles WHERE ID=89

or

test.php?id=-2 + union + DROP TABLE Profiles

Preliminary steps to stop SQL injection:

1. Be specific in the coding, especially for the page that your form action posts to.

e.g. check for your submit button:

<?php

if (isset($_POST['reg_submit'])) {
    // ... remaining code
}

?>

2. Be specific about how you read the form variables:
Be specific about the method and about how you get the variables after the form is posted.
If <form method='post'> is used in the form:
<?php
if (isset($_POST['reg_submit'])) {
    // method='post', so read from $_POST only
    $name = $_POST['name'];
    $password = $_POST['password'];
}
?>
Similarly, if you have used <form method='get'> then read from $_GET.

Note: don't use $_REQUEST; don't be lazy. I am emphasizing this point the most.

3. Match the exact row count wherever you are sure of the number of rows.

e.g. for a login there can be only one row matching the username and password:
<?php
if (isset($_POST['reg_submit'])) {
    // method='post'
    $name = $_POST['name'];
    $password = $_POST['password'];

    $query = "select * from users where name='$name' && password='$password'";

    $result = mysql_query($query);
    $num_rows = mysql_num_rows($result);
    if ($num_rows == 1) {          // don't use if($num_rows > 0)
        // we are specific about the count
    }
}
?>
4. Typecast integer values.
For e.g.:
test.php?id=2
get the id value on the other page as
$id = (int)$_GET['id'];
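Putting steps 1 to 4 together, here is an added example (not code from the original post) of a login handler where the input never becomes part of the SQL text at all: it uses mysqli prepared statements, so a value like pass1' OR 1='1 is bound as a plain string instead of closing the quote. The table name users, the columns username and password, the mysqli connection $mysqli and the function names are assumptions for the illustration.

```php
<?php
// Added example, not from the original post. Assumed: a `users` table with
// columns id, username, password, and an open mysqli connection $mysqli.

// Steps 1-3: react only to the expected submit, read only from $_POST,
// and insist on exactly one matching row. Returns the user id or null.
function login(mysqli $mysqli, array $post): ?int
{
    if (!isset($post['reg_submit'], $post['name'], $post['password'])) {
        return null;
    }
    $name     = (string) $post['name'];
    $password = (string) $post['password'];

    // The ? placeholders are filled by the driver; the quote in
    // "pass1' OR 1='1" cannot close the string literal here.
    $stmt = $mysqli->prepare(
        'SELECT id FROM users WHERE username = ? AND password = ? LIMIT 2'
    );
    $stmt->bind_param('ss', $name, $password);
    $stmt->execute();
    $stmt->store_result();

    // Step 3: exactly one row, never "> 0".
    if ($stmt->num_rows !== 1) {
        $stmt->close();
        return null;
    }
    $stmt->bind_result($id);
    $stmt->fetch();
    $stmt->close();
    return (int) $id;
}

// Step 4: cast the integer parameter, and still bind it rather than
// interpolate it, so "-2 union ..." becomes the integer -2 and is rejected.
function loadProfile(mysqli $mysqli, array $get): ?array
{
    $id = (int) ($get['id'] ?? 0);
    if ($id <= 0) {
        return null;
    }
    $stmt = $mysqli->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage on the form-handling page (assumed $mysqli already connected):
// $userId = login($mysqli, $_POST);
// $profile = loadProfile($mysqli, $_GET);
```

The password column is compared directly, as in the post's own query; storing and checking a password hash instead is a separate topic. The LIMIT 2 is deliberate: it lets num_rows distinguish "exactly one" from "more than one" without fetching the whole table.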

Now I am sure your SQL injection concept is a little clearer.
You can google for:
=> mysql_real_escape_string // works only when a connection is open
=> addcslashes // adds backslashes before the characters you list

Hope you would explore more… Keep Coding

God Bless Developers
