Sql Injection


Date Submitted: 12/02/2010 07:02 AM


SQL Injection

SQL injection is yet another common vulnerability that is the result of lax input validation. Unlike cross-site scripting vulnerabilities that are ultimately directed at your site’s visitors, SQL injection is an attack on the site itself—in particular its database. The goal of SQL injection is to insert arbitrary data, most often a database query, into a string that’s eventually executed by the database. The insidious query may attempt any number of actions, from retrieving alternate data, to modifying or removing information from the database. To demonstrate the problem, consider this excerpt:

// supposed input
$name = "ilia'; DELETE FROM users;";
mysql_query("SELECT * FROM users WHERE name='{$name}'");


The function call is supposed to retrieve a record from the users table where the name column matches the name specified by the user. Under normal circumstances, $name would only contain alphanumeric characters and perhaps spaces, such as the string ilia. But here, by appending an entirely new query to $name, the call to the database turns into disaster: the injected DELETE query removes all records from users.

MySQL Exception

Fortunately, if you use MySQL, the mysql_query() function does not permit query stacking, or executing multiple queries in a single function call. If you try to stack queries, the call fails. However, other PHP database extensions, such as SQLite and PostgreSQL, happily perform stacked queries, executing all of the queries provided in one string and creating a serious security problem.

Magic Quotes

Given the potential harm that can be caused by SQL injection, PHP’s automatic input escape mechanism, magic_quotes_gpc, provides some rudimentary protection. If enabled, magic_quotes_gpc, or “magic quotes”, adds a backslash in front of single-quotes, double-quotes, and other characters that could be used to break out of a value identifier. But, magic quotes is a generic solution...