PHP programs that prevent MySQL injection or HTML form abuse

Source: Internet
Author: User
Tags mysql injection contact form
It is reported that, if the form is not guaranteed, malicious code injection in the form of MySQL will attack the website. The following HTML form is used to pull menus. The search box and check box are easy entry points for this type of intrusion. This article explains the attack and how to prevent it. Known security issues and background. The intention of MySQL injection is to take over the website database and steal information. Common open-source databases, such as MySQL, have been used by many website developers to store important information, such as passwords, personal information and management information.
MySQL is popular because it is used with the most popular server-side scripting language PHP. Moreover, PHP is the main language of the Internet-dominated Linux-Apache server. Therefore, this means that hackers can easily use PHP like Windows spyware.
Hackers enter a large amount of malicious code into an unsecured webpage form (through the drop-down menu, search box, contact form, query form and check box ).
Malicious code will be sent to the MySQL database and then "injected ". To view this process, consider the following basic MySQL SELECT query statements:
SELECT * FROM xmen WHERE username = 'Wolverine'
This query requests the database of the "xmen" table to return data with the username "wolverine" in MySQL.
In a Web form, the user enters wolverine and the data is then transmitted to MySQL for query.
If the input is invalid, the hacker has other methods to control the database, such as setting the user name:
OR ''=''
You may think that normal PHP and MySQL syntax execution input is safe, because whenever someone inputs malicious code, they will get an "invalid query" message, but this is not the case. Hackers are smart, and any security vulnerability cannot be easily corrected because it involves database clearance and resetting management permissions.
The following are two common misunderstandings about MySQL injection attacks:
1. the network administrator deems that malicious injection can be used to clean up anti-virus software or anti-spyware. The fact is that this type of infection exploits the weakness of the MySQL database. It cannot be simply deleted by any anti-spyware or anti-virus program.
2. MySQL injection is caused by copying files infected from another server or external sources. This is not the case. This type of infection is caused by someone entering malicious code into the website unprotected form and then accessing the database. MySQL injection can be cleared by deleting malicious scripts instead of using anti-virus programs.
User input verification process
Back up a clean database and place it outside the server. Output a MySQL table and save it on the desktop.
Go to the server and temporarily close the form input. This means that the form cannot process data and the website is closed.
Then start the cleanup process. First, clean up the chaotic MySQL injection on your server. Change the passwords of all databases, FTP and websites.
In the worst case, if you are too late to clean up, you can check the hidden programs running on your server again. These hidden programs are Trojans installed by hackers. Delete it and change all FTP permissions. Scan all Trojans and malware on the server.
When you modify the PHP script program, the form data is processed. A good way to prevent MySQL injection is to trust user data. User input verification is very important to prevent MySQL injection.
Design a filter to filter user input. The following are some tips:
1. numbers are entered in the form. You can verify whether it is a number by testing whether it is equal to or greater than 0.001 (assuming you do not accept a zero.
2. if it is an Email address. Verify that it consists of allowed character combinations, such as @, A-Z, a-z, or some numbers.
3. for personal names or user names. You can verify whether it contains any illegal characters, such as and *. it is a malicious character that can be used for SQL injection.
Verify numeric input
The following script verifies whether to enter a valid number ranging from 0.001 to an infinite number. It is worth mentioning that in a PHP program, numbers within a certain range can even be used. Use this verification script to ensure that only a number is entered into the form.
Suppose there are three numeric variables in the program; you need to verify them, we will name them num1, num2 and num3:

The code is as follows:


// Validate numerical input
If ($ _ POST ['num1']> = 0.001 & $ _ POST ['num2']> = 0.001 & $ _ POST ['num3']> = 0.001)
{
}
Else
{
}
?>


The And condition can be extended to accommodate more than three numbers. Therefore, if you have 10, you only need to extend the AND statement.
This can be used to verify a form that only accepts numbers, such as the contract quantity, license number, and telephone number.
Verification text and email address input
The following form inputs can be used to verify user names, names, and email addresses:

The code is as follows:


// Validate text input
If (! Preg_match ('/^ [-a-z.-@,'s] * $/I', $ _ POST ['name'])
{
}
Else
If ($ empty = 0)
{
}
Else
{
}
?>


One advantage of this verification script is that it does not accept blank input. Some malicious users also use the blank space to manipulate the database. Use the above script to verify only one text variable, "$ name ". This means that if there are three literal variables, you can set a validation script for each variable separately to ensure that each variable passes the review before entering the database.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.