The intent of MySQL injection is to take over the site database and steal information. Common open-source databases, such as MySQL, are used by many web developers to store important information, such as passwords, personal information, and management information.
MySQL is popular because it works with PHP, the most popular server-side scripting language. PHP is also the main language of the Linux/Apache servers that dominate the Internet. This means that hackers can exploit PHP easily, much as spyware exploits Windows.
Hackers enter large amounts of malicious code into an unsecured web form (through a drop-down menu, search box, contact form, query form, or check box).
The malicious code is sent to the MySQL database and then "injected". To see this process, first consider the following basic MySQL SELECT query:
SELECT * FROM xmen WHERE username = 'Wolverine'
This query asks a database that has an "xmen" table to return the rows whose user name is "Wolverine".
In a web form, the user enters Wolverine, and that data is passed into the MySQL query.
If the input is not validated, the hacker has other ways to control the database, such as setting the user name to:
' OR ''='
You may think that running input through normal PHP and MySQL syntax is safe, because whenever someone enters malicious code they will get an "invalid query" message, but that is not the case. Hackers are smart, and because recovery involves database cleanup and resetting administrative rights, any security vulnerability is not easy to correct.
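
The effect of that user name on the query above, shown next to a parameterized version of the same lookup. This is an added example, not code from the original article; it goes beyond the article's validation advice by binding the input, and it assumes an in-memory SQLite database through PDO as a stand-in for MySQL, with constructed rows and hypothetical function names.

```php
<?php
// Added example: SQLite in memory stands in for the MySQL server (assumption).
// The table contents below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE xmen (username TEXT, note TEXT)");
$db->exec("INSERT INTO xmen VALUES ('Wolverine', 'n1'), ('Storm', 'n2'), ('Cyclops', 'n3')");

// Vulnerable: the form value is pasted into the SQL text, so any quote
// characters in it become part of the statement itself.
function lookup_concat(PDO $db, string $username): array
{
    $sql = "SELECT * FROM xmen WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is bound as a parameter and is only ever compared
// as data; it is never parsed as SQL.
function lookup_bound(PDO $db, string $username): array
{
    $stmt = $db->prepare("SELECT * FROM xmen WHERE username = ?");
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// One ordinary value and the tautology-style user name from the text.
$inputs = ["Wolverine", "' OR ''='"];
foreach ($inputs as $input) {
    printf(
        "%-12s concat=%d row(s)  bound=%d row(s)\n",
        json_encode($input),
        count(lookup_concat($db, $input)),
        count(lookup_bound($db, $input))
    );
}
```

With the second input the concatenated statement's WHERE clause is true for every row, so the whole table comes back, while the bound version looks for a user literally named that string and finds none.
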
Two common misconceptions about MySQL injection attacks are as follows:
1. Network administrators believe that a malicious injection can be cleaned up with antivirus or anti-spyware software. In fact, this type of infection exploits weaknesses in the MySQL database. It cannot simply be removed by any anti-spyware or antivirus program.
2. MySQL injection is caused by copying infected files from another server or from an external source. That is not the case. This type of infection is caused by someone entering malicious code into the web site's unprotected form and then accessing the database. MySQL injection can be eliminated by removing the malicious script, not by using an antivirus program.
User Input verification process
Back up a clean database and place it outside the server. Export a set of MySQL tables and save them on the desktop.
Then go to the server and temporarily disable form input. This means that the form cannot process data and the site is closed.
Then start the cleanup process. First, on your server, clean up what the MySQL injection left behind. Change the passwords for all databases, FTP accounts, and web sites.
In the worst case, if you are late cleaning up, check again for hidden programs running on your server. These hidden programs are Trojans installed by hackers. Remove them completely and change all FTP permissions. Scan the server for all Trojans and malware.
When you modify a PHP script, the form data is processed. A good way to prevent MySQL injection is to not trust any user data. User input validation is very important to prevent MySQL injection.
To design a filter for user input, here are a few tips:
1. If a number is entered into the form, you can test whether it is equal to or greater than 0.001 (assuming you don't accept 0) to verify that it is a number.
2. If it is an email address, verify that it is composed of allowed character combinations, such as "@", A-Z, a-z or some numbers.
3. If it is a person's name or username, it can be validated by checking whether it includes any illegal characters, such as and and *, which are malicious characters that can be used for SQL injection.
Validating numeric input
The following script verifies that the input is a valid number from 0.001 to infinity. It is worth mentioning that in a PHP program you can also restrict input to a certain range of numbers. Use this validation script to ensure that only a single number is entered into the form.
Suppose you have three numeric variables in your program that you need to validate; we'll name them num1, num2 and num3:
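<?php
// Validate numerical input
// is_numeric() is required: a bare >= comparison also accepts strings such as "5 OR 1=1".
if (is_numeric($_POST['num1'] ?? null) && $_POST['num1'] >= 0.001
    && is_numeric($_POST['num2'] ?? null) && $_POST['num2'] >= 0.001
    && is_numeric($_POST['num3'] ?? null) && $_POST['num3'] >= 0.001)
{
    echo 'All three values are valid numbers.';   // placeholder message
}
else
{
    echo 'Invalid input: enter numbers of 0.001 or greater.';   // placeholder message
}
?>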
The AND conditions can be extended to accommodate more than three numbers. So, if you have 10, you just need to extend the AND statement.
This can be used to validate a form that accepts only numbers, such as the number of contracts, license numbers, telephone numbers, and so on.
Verify input for text and mail addresses
The following can be used to validate form input such as user name, name, and e-mail address:
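<?php
// Validate text input
$name  = $_POST['name'] ?? '';
$empty = strlen(trim($name));   // 0 means the field was left blank
// Allowed: letters, digits, hyphen, dot, @, comma, apostrophe, whitespace.
// Each character is listed literally; ".-@" inside the class would be a
// range that also admits characters such as = ; < and >.
if (!preg_match('/^[-a-z0-9.@,\'\s]*$/i', $name))
{
    echo 'Invalid characters in input.';   // placeholder message
}
else
if ($empty == 0)
{
    echo 'Blank input is not accepted.';   // placeholder message
}
else
{
    echo 'Input accepted.';   // placeholder message
}
?>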
One advantage of this validation script is that it does not accept blank input. Some malicious users also manipulate the database through blank input. The above script validates only one text variable, "$name". This means that if you have three text variables, you can set up a validation script for each variable individually to ensure that each one passes the check before entering the database.
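
A whitelist pattern like the one above is worth checking against hostile input before it is relied on. The following added example (not the original author's code; pattern names, the function name and the sample inputs are constructed) compares a character class that contains ".-@" as a range with one that lists every allowed character literally: the loose pattern accepts the tautology-style user name shown earlier, the strict one rejects it.

```php
<?php
// Added example; patterns, function name and sample inputs are constructed.
// LOOSE has ".-@" inside the class, which PCRE reads as the range 0x2E-0x40
// (digits plus / : ; < = > ? @). STRICT lists each allowed character literally.
const LOOSE  = '/^[-a-z.-@,\'\s]*$/i';
const STRICT = '/^[-a-z0-9.@,\'\s]*$/i';

// True when $value is non-blank and made only of characters the pattern allows.
function passes(string $pattern, string $value): bool
{
    return trim($value) !== '' && preg_match($pattern, $value) === 1;
}

$samples = [
    'Wolverine',            // ordinary user name
    "Jean O'Neil",          // legitimate name containing an apostrophe
    'logan@example.com',    // e-mail address
    "' OR ''='",            // tautology-style input from the text
    'Storm*',               // contains the illegal character *
    '   ',                  // blank input
];

foreach ($samples as $s) {
    printf(
        "%-22s loose=%-5s strict=%s\n",
        json_encode($s),
        passes(LOOSE, $s) ? 'pass' : 'fail',
        passes(STRICT, $s) ? 'pass' : 'fail'
    );
}
```

Because the apostrophe stays allowed so that real names pass, a validated value still has to be bound as a query parameter or escaped before it reaches the database.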