Suggestions on preventing SQL injection vulnerability attacks on PHP code websites

Source: Internet
Author: User
Tags how to avoid sql injection how to prevent sql injection how to prevent sql injection attacks simple sql injection sql injection attack sql injection methods

All website administrators are concerned about website security issues. Speaking of security, you have to talk about SQL Injection attacks ). Hackers can gain access to the website database through SQL injection attacks, and then they can obtain all the data in the website database, malicious hackers can use SQL injection to tamper with the data in the database and even destroy the data in the database. As a web developer, you hate this kind of hacker behavior. Of course, you also need to understand the principles of SQL injection and learn how to protect your website database through code. Today, I will use PHP and MySQL databases as examples to share my understanding of SQL injection attacks, some simple preventive measures, and some suggestions on how to avoid SQL injection attacks.

What is SQL Injection )?

To put it simply, SQL Injection uses code vulnerabilities to obtain data from SQL databases in the website or application background, so as to gain database access permissions. For example, hackers can exploit the website code vulnerability to obtain all the data in the background database of a company's website through SQL injection. After obtaining the username and password of the database administrator, the hacker can freely modify the database content or even delete the database. SQL injection can also be used to verify the security of a website or application. There are many SQL injection methods, but this article will only discuss the most basic principles. We will take PHP and MySQL as examples. The example in this article is very simple. If you use other languages, it will not be difficult to understand. Just focus on SQL commands.

A simple SQL injection attack case

Assume that we have a company website that stores all customer data and other important information in the background database of the website. Assume that the Code on the website logon page contains such a command to read user information.

<?$q = "SELECT `id` FROM `users` WHERE `username`= ' " .$_GET['username']. " ' AND `password`= ' " .$_GET['password']. " ' ";?>

Now a hacker wants to attack your database. He will try to enter the following code in the username input box on the logon page:

'; Show tables;

Click the login key. This page displays all tables in the database. If he uses the following command:

'; Drop table [table name];

In this way, a table is deleted!

Of course, this is just a simple example. The actual SQL injection method is much more complicated than this one. hackers are willing to spend a lot of time trying to attack your code. Some program software can also automatically try SQL Injection

Attack. After understanding the principles of SQL injection attacks, let's take a look at how to prevent SQL injection attacks.

 

Prevent SQL Injection-use the mysql_real_escape_string () function

In the database operation code, use this function mysql_real_escape_string () to filter out special characters in the Code, such as quotation marks. For example:

<?$q = "SELECT `id` FROM `users` WHERE `username`= ' " .mysql_real_escape_string( $_GET['username'] ). " ' AND `password`= ' " .mysql_real_escape_string( $_GET['password'] ). " ' ";?>

Prevent SQL Injection-use the mysql_query () function

Especially for mysql_query (), it will only execute the first SQL code, but will not be executed later. In the previous example, the hacker executed Multiple SQL commands in the background using code to display the names of all tables. Therefore, the mysql_query () function can be further protected. We further evolved the code and got the following code:

<? //connection$database = mysql_connect("localhost", "username","password");//db selectionmysql_select_db("database", $database);$q = mysql_query("SELECT `id` FROM `users` WHERE `username`= ' " .mysql_real_escape_string( $_GET['username'] ). " ' AND `password`= ' " .mysql_real_escape_string( $_GET['password'] ). " ' ", $database);?>

In addition, we can determine the length of the input value in the PHP code, or use a function to check the input value. Therefore, you must filter and check the input content where user input values are accepted. Of course, it is also very important to learn and understand the latest SQL injection methods so that we can prevent them with purpose. If you are using a desktop website system such as Wordpress, be sure to promptly install official patches or upgrade to a new version. Leave a message in the comment area if you do not know anything or do not understand it.

 

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.