The Absent Minded

One of the biggest flaws in the PHP language is the fact that it allows for web developers to make very big mistakes in regards to security. One example of this is through SQL injections- an exploit that malicious users take advantage of when web developers don’t accurately safeguard their application.

It’s rather frightening to think that a statement such as “b’ OR ‘b’='b’” can render one’s security useless. But this is indeed true, and is what we call an SQL injection. SQL injections have been the most popular way to “hack” a website in recent years. As long as the input can be validated before it is passed along to the SQL query, we can ensure that nothing bad will go wrong.

PHP developers have used the magic quotes function to help safeguard against SQL injections. Magic quotes are no longer in use, however, since they were more of a hassle than anything. It is recommended that if a developer has used magic quotes, he or she should remove them since they are no longer supported as of PHP 6. Thus, we need to look elsewhere for a security solution.

There is but one simple solution when it comes to getting rid of the threat of an SQL injection. This simplle solution comes via the function mysql_real_escape_string(). This function was created specifically for safeguarding against SQL injections, so it’s well worth the time to use. Just pass any values being inserted through this function, and the result is a perfectly escaped string.

Another good way to prevent SQL injections is to simply restrict authority in SQL users where possible. For instance: it would be a good idea to create individual users that do specific things: such as create a table or update rows in the said table. This can help make the task of ruining one’s hard work much harder for malicious web users, although it’s a lot more work for webmasters (Although well worth it).

It should be noted that programs and web applications that stop SQL injections should not be obtained- since they commonly cost quite a bit of money. As long as webmasters take precautions with what they create, there should be no reason to spend hundreds of dollars on software that only makes use of escape characters and formatting data correctly. This type of application is created to con webmasters into buying something they don’t need- so dont fall victim to them!

Closing Comments

There isn’t much effort that needs to be exerted in order to declare a database safe from harm. All that is needed is a little prevention- which comes from avid usage of the function and design principles previously stated. It may also be a good idea to use SQL injection scanners on large web applications to cover holes that might not have been covered over the course of the development period.

Learn more about Defend SQL Injection and Defend SQL Injection.

This entry was posted on Thursday, July 31st, 2008 at 12:08 am and is filed under Communications, Computers, General, Internet Business. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.