SQL Injection and how to prevent it

Associate | Joined 13 Nov 2003 | Posts 1,567 | Location Manchester
Hi All

Working on a php based site and have heard about this sql injection thing.

What's the best way to protect my forms from being exploited?

I have read loads of articles but they don't mean much to me lol

Aaron
 
Don't know about PHP, but in .net you can send parameters off with SQL commands which pretty much get rid of the need to worry about injection. e.g.

Code:
SELECT * FROM tbl WHERE id=@id;

Then you simply attach to that command object a parameter object telling you that @id=4839. If

Code:
3; DROP DATABASE chuckles;

is sent in the form, the parameter handles converting the input into a literal, and it never gets passed as a command. Like I said, worth looking into if there's something similar in PHP.

*edit* actually read the link - seems like there's some good functions there which negate having to do any regexps or anything like that.
 
that link scares me.

All I want to do is make this sql query injection proof.

$sql = "select * from adminusers where username='$username' and password='$userpass'";
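The query above spliced into SQL text, next to the PHP equivalent of the parameter approach described in the .NET reply. This is an added example, not code from the thread; it assumes a MySQL database reachable through the placeholder DSN and an `adminusers` table with `username` and `password` columns, as in the original query.

```php
<?php
// Added example (not from the thread). Connection details are placeholders.
declare(strict_types=1);

function vulnerableQuery(string $username, string $userpass): string
{
    // Same shape as the query in the post: input becomes part of the SQL text,
    // so a single quote in $username closes the literal early and the rest of
    // the input is parsed as SQL.
    return "select * from adminusers where username='$username' and password='$userpass'";
}

function adminLogin(PDO $db, string $username, string $userpass): bool
{
    // The SQL text holds only placeholders and is sent to the server before
    // any user data; the values are bound afterwards and can only ever be
    // compared as values, never parsed as SQL.
    $stmt = $db->prepare(
        'SELECT username FROM adminusers WHERE username = :u AND password = :p'
    );
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->bindValue(':p', $userpass, PDO::PARAM_STR);
    $stmt->execute();

    // A matching row means a valid login. Counting "more than 0 rows" is
    // fine here because the input cannot widen the WHERE clause.
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

$db = new PDO('mysql:host=localhost;dbname=site', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let the MySQL server do the binding
]);

// The probe quoted later in this thread, used here as constructed input.
$probe = "' or 'x'='x";
echo vulnerableQuery($probe, $probe), PHP_EOL;
var_dump(adminLogin($db, $probe, $probe));
```

Printing `vulnerableQuery()` with the probe shows the quote closing the `username` literal early, so the clause no longer says what the author meant. The same input through `adminLogin()` is simply a username that does not exist, and the function returns false. Binding covers injection only; how the password column is stored and compared is a separate question the thread does not go into.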
 
hey mate

in both your username and password boxes type this:

' or 'x'='x

if you're not checking the input the above will most likely let you in, assuming you're only checking if there is more than 0 records in the record set

if you're on MySQL I think you might have to change the query slightly:

" or "x"="x

don't know MySQL but I've always thought basic queries were the same syntax.

having been a victim of SQL injection, I have learnt how important it is to check EVERY input. You can even do it in a URL query string.

Check out "regular expressions". I use these to filter input, i.e. only allow characters a-z. You will either get true or false with it; depending on that, act upon it by stopping it before the SQL query is executed and redirect them to the login page with a message - login.php?error=10
error 10 being an invalid character message or just bad login etc.

by the way I'm an ASP man myself, but the above principles still apply to PHP.
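The allowlist check described in this reply, written in PHP: a regular expression decides true or false before any SQL is built, and a failed check sends the user to `login.php?error=10`. Added example, not code from the post; the permitted character set, the length limit and the form field names are assumptions.

```php
<?php
// Added example (not from the thread). Field names and the character
// allowlist are assumptions; adjust them to the real form.
declare(strict_types=1);

function isValidUsername(string $value): bool
{
    // Allowlist, not blocklist: only ASCII letters, digits and underscore,
    // 1 to 32 characters. The anchors ^ and $ make the whole value match,
    // not just a substring of it. preg_match() returns 1 on match, 0 on
    // no match and false on a regex error, so compare against 1 exactly.
    return preg_match('/^[A-Za-z0-9_]{1,32}$/', $value) === 1;
}

function isValidPassword(string $value): bool
{
    // Passwords should keep their full character set, so only a length
    // check here; the value itself goes to the database as a bound
    // parameter, never into the SQL text.
    $len = strlen($value);
    return $len >= 1 && $len <= 128;
}

function checkLoginInput(array $post): ?string
{
    // Returns null when the input may proceed to the query, otherwise the
    // page to redirect to, as in the post (error 10 = invalid input).
    $username = $post['username'] ?? '';
    $userpass = $post['userpass'] ?? '';
    if (!isValidUsername($username) || !isValidPassword($userpass)) {
        return 'login.php?error=10';
    }
    return null;
}

// Constructed inputs: a normal login and the probe quoted in this thread.
$samples = [
    ['username' => 'aaron',        'userpass' => 'correct horse'],
    ['username' => "' or 'x'='x",  'userpass' => "' or 'x'='x"],
];

foreach ($samples as $post) {
    $redirect = checkLoginInput($post);
    if ($redirect !== null) {
        // In a real page: header('Location: ' . $redirect); exit;
        echo "rejected -> {$redirect}", PHP_EOL;
        continue;
    }
    echo "accepted: {$post['username']}", PHP_EOL;
}
```

The first sample passes and the probe is rejected because the quote and spaces are outside the allowlist. Validation like this limits what reaches the query, but it is a complement to parameterised queries rather than a substitute: a username rule that permits an apostrophe (O'Brien) would let a quote through again.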
 
Code:
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

If doing things properly scares you, consider not doing them at all.
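The escaping approach from the post above, carried over to the `mysqli` extension (the `mysql_*` functions it uses were removed in PHP 7), together with the limit a practitioner should know: escaping only protects a value that sits inside a quoted string literal. Added example, not code from the thread; connection details are placeholders.

```php
<?php
// Added example (not from the thread). Connection details are placeholders.
declare(strict_types=1);

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'site');

function loginQueryEscaped(mysqli $db, string $username, string $userpass): string
{
    // Escaping is connection-aware (it needs the connection's character
    // set), which is why mysql_real_escape_string also required an open link.
    $u = $db->real_escape_string($username);
    $p = $db->real_escape_string($userpass);
    // This is safe only because both values are wrapped in single quotes:
    // a quote in the input becomes \' and stays inside the literal.
    return "SELECT * FROM adminusers WHERE username='$u' AND password='$p'";
}

function userByIdEscaped(mysqli $db, string $id): string
{
    // Escaping does nothing useful here. There are no quotes to break out
    // of, so a non-numeric $id such as "1 OR 1=1" contains nothing that
    // real_escape_string changes and lands in the WHERE clause as SQL.
    $i = $db->real_escape_string($id);
    return "SELECT * FROM adminusers WHERE id=$i";
}

function userByIdBound(mysqli $db, string $id): ?array
{
    // A bound parameter removes the problem whatever the quoting: the 'i'
    // type forces an integer binding, so "1 OR 1=1" becomes the integer 1.
    $stmt = $db->prepare('SELECT id, username FROM adminusers WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    return $row ?: null;
}

// Constructed inputs.
echo loginQueryEscaped($db, "' or 'x'='x", 'pw'), PHP_EOL;
echo userByIdEscaped($db, '1 OR 1=1'), PHP_EOL;
var_dump(userByIdBound($db, '1 OR 1=1'));
```

The first line shows the escaped quote staying inside the literal; the second shows the unquoted numeric column receiving the input untouched. Escaping is therefore a per-literal patch that depends on every interpolation site being quoted correctly, whereas binding, as in `userByIdBound()`, needs no such care, which is why it is the approach to reach for first.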
 