Knowledgebase: MySQL
SQL Injection or Insertion Attack
Posted by CTX Admin on 04 November 2014 05:06 PM

SQL injection is an attack where malicious code is passed to an SQL Server for execution. The attack can result in unauthorized access to confidential data, or destruction of critical data.

SQL injection attacks should only be a concern for PHP developers and the like. If you are using a database driven program like WordPress, Joomla or OSCommerce, then all you need to do is upgrade your programs to the latest version available.

Prevent SQL Injection

Escaping

One way to prevent injections is to escape dangerous characters like a backslash, apostrophe or semicolon. In PHP, it is typical to escape the input using the function 'mysql_real_escape_string' before sending the SQL query.

Example:

$Uname = mysql_real_escape_string($Uname);
$Pword = mysql_real_escape_string($Pword);
$query = "SELECT * FROM Users where UserName='$Uname' and Password='$Pword'";
mysql_query($query);

Parameterized Statements

A parameterized query uses placeholders for the input, and the parameter values are supplied at execution time.

$params = array($Uname, $Pword);
$sql = 'INSERT INTO Users (UserName, Password) VALUES (?, ?)';
$query = sqlsrv_query($connection, $sql, $params);

Advanced

In PHP version 5 and above, there are multiple choices for using parameterized statements; the PDO database layer is one of them. There are also vendor-specific methods; for example, MySQL 4.1 + used with the mysqli extension.

(0 vote(s))
This article was helpful
This article was not helpful

Comments (0)
Post a new comment
 
 
Full Name:
Email:
Comments:
Help Desk Software by Kayako fusion