Comprehensive prevention of SQL injection attacks in PHP (1)

Source: Internet
Author: User
Tags: how sql injection works

I. Introduction

PHP is a powerful but easy-to-learn server-side scripting language. Even programmers with little experience can use it to build complex, dynamic web sites. However, getting the privacy and security of an Internet service right is often hard. In this series of articles we introduce the security background needed for web development, together with the specific PHP knowledge and code you need to protect the integrity and consistency of your own web applications. First we briefly review the question of server security: how private information can be accessed in a shared hosting environment, how developers can keep their hands off the production server, how to keep software up to date, and how to provide encrypted channels and control access to your system.

Then we discuss the common vulnerabilities in PHP script implementations. We explain how to protect your scripts against SQL injection, how to prevent cross-site scripting and remote code execution, and how to prevent the "hijacking" of temporary files and sessions.

In the last article we implement a secure web application. You will learn how to authenticate users, authorize and track application usage, avoid data loss, execute high-risk system commands safely, and use web services securely. Whether or not you already have PHP security development experience, this series provides a wealth of information to help you build more secure online applications.

II. What is SQL injection

If you never plan to use some data, there is no point in storing it in a database; a database exists precisely to make the data in it easy to access and manipulate. Doing so naively, however, can lead to disaster. The main danger is not that you accidentally delete everything in the database, but that while you try to carry out an "innocent" task you can be "hijacked" by someone who substitutes their own destructive data for yours. We call this substitution "injection".

In fact, every time you ask a user for input and use it to construct a database query, you are letting that user take part in building a command for the database server. A friendly user is content to perform the operation you intended. A malicious user, however, will try to find a way to twist the command so that it deletes data or does something even more dangerous. As the programmer, your task is to find a way to prevent such attacks.

III. How SQL injection works

Constructing a database query is a very direct process. Typically it follows the steps below. To illustrate, we assume you have a wine database with a table "wines" that has a field "variety" (the type of wine):

1. Provide a form that lets users submit something to search for. Let's assume the user searches for wines of the variety "lagrein".

2. Retrieve the user's search term and save it by assigning it to a variable:

$variety = $_POST['variety'];

Therefore the value of $variety is:

lagrein

3. Then use this variable to construct the WHERE clause of a database query:

$query = "SELECT * FROM wines WHERE variety = '$variety'";

Therefore the value of the variable $query is:

SELECT * FROM wines WHERE variety = 'lagrein'

4. Submit the query to the MySQL server.

5. MySQL returns all records in the wines table whose variety field has the value "lagrein".

So far this is a process you are probably very familiar with. Unfortunately, the processes we are familiar and comfortable with can easily lead to complacency. Now let's analyze the query we just created.

1. The fixed part of the query you created ends with a single quotation mark, which you use to mark the start of the variable value:

$query = "SELECT * FROM wines WHERE variety = '";

2. Append the value submitted by the user, which the variable contains, to that fixed part:

$query .= $variety;

3. Then append another single quotation mark to mark the end of the variable value:

$query .= "'";

Therefore the value of $query is:

SELECT * FROM wines WHERE variety = 'lagrein'

Whether this construction succeeds depends on the user's input. In this example the input is a single word (or a few words) naming a type of wine, so the query is built without problems and the result is what you expect: a list of wines of variety "lagrein". Now imagine that instead of a simple variety such as "lagrein", your user enters the following (note the two punctuation marks, the single quote and the semicolon):

lagrein' or 1 = 1;

Now you construct the query with the fixed part as before (here we show only the resulting value of the $query variable):

SELECT * FROM wines WHERE variety = '

Then you append the value of the variable containing the user's input (everything after the first quote is the user's input):

SELECT * FROM wines WHERE variety = 'lagrein' or 1 = 1;

Finally, you append the closing quotation mark:

SELECT * FROM wines WHERE variety = 'lagrein' or 1 = 1;'
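As an added example (not code from the original article), the following PHP script runs the three-step construction above against an in-memory SQLite database through PDO, so it is self-contained, and then performs the same lookup with a bound parameter. It goes slightly beyond the text: besides the article's payload, whose semicolon plus the application's own closing quote leave an unterminated string that the database rejects, it tries a variant ending in a SQL comment (`-- `, with the trailing space MySQL requires), which is this example's assumption rather than the article's. The use of PDO prepared statements as the fix, and the table rows, are likewise constructed for the demonstration.

```php
<?php
// Added example, not code from the original article. It runs the vulnerable
// construction from section III against an in-memory SQLite database via PDO
// (so it is self-contained), then performs the same lookup with a bound
// parameter. Table contents are constructed for the demonstration.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wines (id INTEGER PRIMARY KEY, name TEXT NOT NULL, variety TEXT NOT NULL)');
$db->exec("INSERT INTO wines (name, variety) VALUES
    ('Alto Adige Lagrein', 'lagrein'),
    ('Barolo Riserva', 'nebbiolo'),
    ('Chianti Classico', 'sangiovese')");

// Vulnerable: fixed SQL text and the user's value are concatenated exactly as
// in the article's three steps, so the value becomes part of the command the
// database parses.
function searchVulnerable(PDO $db, string $variety): array
{
    $query  = "SELECT * FROM wines WHERE variety = '";
    $query .= $variety;
    $query .= "'";
    echo "  SQL sent: $query\n";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is fixed at prepare time and the value travels as a
// bound parameter, so quotes and comment markers inside it are just characters.
function searchSafe(PDO $db, string $variety): array
{
    $stmt = $db->prepare('SELECT * FROM wines WHERE variety = :variety');
    $stmt->execute([':variety' => $variety]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Three inputs: the friendly one, the article's payload, and a variant that
// turns the closing quote the application appends into a comment (the third
// input is an assumption of this example; the article stops at the dangling quote).
$inputs = [
    'lagrein',
    "lagrein' or 1 = 1;",
    "lagrein' or 1 = 1 -- ",
];

foreach ($inputs as $input) {
    echo 'Input: ' . var_export($input, true) . "\n";
    try {
        $rows = searchVulnerable($db, $input);
        echo '  Vulnerable query returned ' . count($rows) . " row(s)\n";
    } catch (PDOException $e) {
        echo '  Vulnerable query rejected by the database: ' . $e->getMessage() . "\n";
    }
    $rows = searchSafe($db, $input);
    echo '  Parameterised query returned ' . count($rows) . " row(s)\n\n";
}
```

Run with `php sqli_demo.php` on a PHP build that includes pdo_sqlite. The first input returns one row either way. The article's payload makes the vulnerable path fail with a syntax error, because the appended closing quote has no partner; that failure is itself an injection symptom, since a request parameter should never be able to change whether the SQL parses. The third input makes the vulnerable path return every row in the table, while the parameterised path returns zero rows for both hostile inputs because it looks for a variety literally named that string.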
