SQL injection, insertion – Security Tips
- Category : Website Security
- Posted on : Apr 12, 2011
- Views : 2,762
- By : Icarus M.
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literalescape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.
SQL injection is an attack where malicious code is passed to an SQL Server for execution. The attack can result in unauthorized access to confidential data, or destruction of critical data.
Before you try to read the methods below, realize that this should only be a concern for PHP developers and the like. If you are using a database driven program (e.g. WordPress, Joomla, OSCommerce), then all you need to do is upgrade your programs to the latest version available.
METHODS TO PREVENT SQL INJECTION
Escaping
One way to prevent injections is to escape dangerous characters (i.e. backslash, apostrophe and semicolon). In PHP, it is typical to escape the input using the function mysql_real_escape_string before sending the SQL query. Example:
$Uname = mysql_real_escape_string($Uname);
$Pword = mysql_real_escape_string($Pword);
$query = "SELECT * FROM Users where UserName='$Uname' and Password='$Pword'";
mysql_query($query);
$Pword = mysql_real_escape_string($Pword);
$query = "SELECT * FROM Users where UserName='$Uname' and Password='$Pword'";
mysql_query($query);
Parameterized statements
A parametrized query uses placeholders for the input, and the parameter values are supplied at execution time.
$params = array($Uname, $Pword);
$sql = 'INSERT INTO Users (UserName, Password) VALUES (?, ?)';
$query = sqlsrv_query($connection, $sql, $params);
$sql = 'INSERT INTO Users (UserName, Password) VALUES (?, ?)';
$query = sqlsrv_query($connection, $sql, $params);
Advanced: In PHP version 5 and above, there are multiple choices for using parameterized statements; the PDO database layer is one of them. There are also vendor-specific methods; for example, MySQL 4.1 + used with the mysqli extension.
Categories
- cPanel Question 47
- cPanel Software Management 29
- cPanel Tutorials 13
- Development 29
- Domain 13
- General 19
- Linux Helpline (Easy Guide) 156
- Marketing 47
- MySQL Question 13
- News 2
- PHP Configuration 14
- SEO 42
- SEO 4
- Server Administration 84
- SSL Installation 54
- Tips and Tricks 24
- VPS 3
- Web Hosting 44
- Website Security 22
- WHM questions 13
- WordPress 148
Subscribe Now
10,000 successful online businessmen like to have our content directly delivered to their inbox. Subscribe to our newsletter!Archive Calendar
| Sat | Sun | Mon | Tue | Wed | Thu | Fri |
|---|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 | ||
| 6 | 7 | 8 | 9 | 10 | 11 | 12 |
| 13 | 14 | 15 | 16 | 17 | 18 | 19 |
| 20 | 21 | 22 | 23 | 24 | 25 | 26 |
| 27 | 28 | 29 | 30 | |||
Recent Articles
-
Posted on : Sep 17
-
Posted on : Sep 10
-
Posted on : Aug 04
-
Posted on : Apr 01
Tags
- ts
- myisam
- vpn
- sql
- process
- kill
- tweak
- server load
- attack
- ddos mitigation
- Knowledge
- layer 7
- ddos
- webmail
- DMARC
- Development
- nginx
- seo vpn
- Hosting Security
- wireguard
- innodb
- exim
- smtp relay
- smtp
- VPS Hosting
- cpulimit
- Plesk
- Comparison
- cpu
- encryption
- WHM
- xampp
- sysstat
- optimize
- cheap vpn
- php-fpm
- mariadb
- apache
- Small Business
- Error
- Networking
- VPS
- SSD Hosting
- Link Building
- centos
- DNS
- optimization
- ubuntu
