What is SQL injection?
SQL injection is when an SQL statement that a programmer designed is hijacked to do other, potentially harmful, things. Here is an example:
$query = "select true from users where user='".$_POST['user']."'";
Why is this bad? (Hint: what if a person submitted the following in the form field?)
$_POST['user']="whatever;select true";
How can I prevent SQL injection?
There are a few ways:
use mysqli
use stored procedures and limit the permissions of the account being used
use regular expressions
mysqli is a newer extension for accessing MySQL from PHP. It is designed to be more secure than the older mysql extension. The methods we are interested in for this post are prepare and bind_param. As a good example is already available on the PHP site, we will not show it here.
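As an added example (not from the original post), here is the concatenated query from above beside a version using mysqli::prepare and bind_param; the host, credentials, database name and table layout are placeholders you would replace with your own.

```php
<?php
// Added example, not code from the original post. Connection details below are
// placeholders; the schema assumed is a table `users` with a column `user`.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholder
$db->set_charset('utf8mb4'); // declare the connection charset explicitly

// Vulnerable: the user-supplied value is spliced into the SQL text, so
// whatever the form contains is parsed by MySQL as part of the statement.
function user_exists_unsafe(mysqli $db, string $user): bool
{
    $query  = "select true from users where user='" . $user . "'";
    $result = $db->query($query);
    return $result->num_rows > 0;
}

// Safe: the statement is sent to MySQL once with a '?' placeholder and parsed
// there; the value travels separately and is only ever compared as data.
function user_exists(mysqli $db, string $user): bool
{
    $stmt = $db->prepare('select true from users where user = ?');
    $stmt->bind_param('s', $user); // 's' binds the value as a string
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

// The input from the post. With the prepared statement it is just a username
// to look up, and no user with that literal name exists.
$input = "whatever;select true";
var_dump(user_exists($db, $input)); // bool(false) on a database without that user
```

Pair this with the account restriction described below: the connection should use a database account that has only the privileges the application needs.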
First, we want to limit the permissions of the database account to executing stored procedures only. If the MySQL stored procedure is written safely, in a similar way to how the mysqli extension handles parameters, then we do not need to worry about SQL injection.
Regular expressions can be used to filter out items that we want to guard against. A common approach is to guard against ';', as it is used to separate MySQL commands. But even this does not protect against everything. The regular expression method is generally not favored, as it is more difficult and error prone.
This post is brief, but I intend to add more to it later.