If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting!

SQL injection is becoming a problem for web developers- especially those new to the field who aren’t up to speed on how insecure PHP can really be. But as the experts like to say, PHP isn’t the problem- it’s the knowledge of the programmer that counts when it comes to preventing SQL injection attacks.

It’s rather frightening to think that a statement such as “b’ OR ‘b’='b’” can render one’s security useless. But this is indeed true, and is what we call an SQL injection. SQL injections have been the most popular way to “hack” a website in recent years. As long as the input can be validated before it is passed along to the SQL query, we can ensure that nothing bad will go wrong.

PHP developers have used the magic quotes function to help safeguard against SQL injections. Magic quotes are no longer in use, however, since they were more of a hassle than anything. It is recommended that if a developer has used magic quotes, he or she should remove them since they are no longer supported as of PHP 6. Thus, we need to look elsewhere for a security solution.

Using the “mysql_real_escape_string()” function will enable web developers to escape quotes properly. And unlike magic quotes, this function will only escape quotes that we need. Keep in mind that when using this function, it may be necessary to use the “striplslashes()” function to counteract the slashes that are being outputted as a result.

Another good way to prevent SQL injections is to simply restrict authority in SQL users where possible. For instance: it would be a good idea to create individual users that do specific things: such as create a table or update rows in the said table. This can help make the task of ruining one’s hard work much harder for malicious web users, although it’s a lot more work for webmasters (Although well worth it).

It should be noted that programs and web applications that stop SQL injections should not be obtained- since they commonly cost quite a bit of money. As long as webmasters take precautions with what they create, there should be no reason to spend hundreds of dollars on software that only makes use of escape characters and formatting data correctly. This type of application is created to con webmasters into buying something they don’t need- so dont fall victim to them!

Closing Comments

Security is a big topic among webmasters, who make no money and achieve no fame by getting attacked via an SQL injection. To keep profits running high, it is recommended that webmasters make use of the tips previously mentioned. It’s also good to brush up on more PHP security tips, as well as make use of SQL injection scanners that are available over the Internet.

Tags: Computer Security

Share This