97 Comments
- PunkFenixJT, on 10/28/2007, -1/+70: Ah thank you for teaching me that so I can now protect my databases against Little Bobby Tables.
- OutThisLife, on 11/12/2007, -2/+41: mysql_real_escape_string()
- init100, on 10/22/2007, -0/+19: I suggest using PDO and prepared statements instead.
http://www.php.net/manual/en/ref.pdo.php
- loconet, on 10/31/2007, -7/+23: How does this stuff still make it to the front page?
- webweb, on 10/25/2007, -0/+15: It's a nice article if you're new to PHP or the premise of SQL injection, but as stated by others, this is barely an article. It doesn't explain why SQL injections happen, thus anyone trying to protect their site will blindly use mysql_real_escape_string and think they're completely safe.
Anyone serious about their web development should definitely look at http://www.owasp.org/ which not only has valuable information on SQL injection, but also other attacks such as Cross Site Scripting (XSS), brute forcing, SSI Injection, etc. It also has tips on how to secure against them.
Additionally, the official PHP manual has a great start into protecting your application along with some examples at http://php.net/manual/en/security.database.sql-inj ...
Securiteam has a decent article which is perfect for beginners: http://www.securiteam.com/securityreviews/5DP0N1P7 ...
Anyone that's using addslashes to protect their code should read through http://shiflett.org/blog/2006/jan/addslashes-versu ... and make the switch quickly.
And finally, anyone that wants their code to be safe thanks to tried and tested code should be using one of the readily available libraries or frameworks such as:
- Pear's MDB2 is extremely popular and has support for prepared statements: http://pear.php.net/package/MDB2 .
- While it's much more than just a library, the Zend Framework has recently had a 1.0 release and is perfect for encouraging good and secure code: http://framework.zend.com/
I hope that helps! :)
- mikerand, on 10/22/2007, -1/+13: For any programming language, when using SQL, you really need to pass your values to the database separately. The example for this link shows how it's done with PHP. With Java/JDBC you would use parameterized SQL where the SQL statement has ? for each value and further code sets the values for each.
Stay away from building a SQL statement as a string with all the values embedded in it. This also helps when special characters need to go in the database.
- inactive, on 10/21/2007, -1/+12: You mean, like generating a static HTML page from the SQL data? I imagine you would still have to filter user inputs at some point before adding them to the database.
- cr3ative, on 10/22/2007, -5/+16: LOOK AT ME, I'M INSULTING A WEB DEVELOPMENT LANGUAGE! HA! HA!
- noahhoward, on 10/22/2007, -1/+12: Could you go into some detail about what you mean and the alternatives? Or link to some resources?
- sat0ri, on 10/22/2007, -0/+9: You're on the money here. Never build queries as strings, always use parametrized queries, and you will always be fine.
- staplez, on 10/27/2007, -0/+9: Uh, even if it's not in the "service" layer, but you put it into a "data model" layer, you still need to escape special characters to prevent SQL injection. If you simply take it out of the "service" layer, it will still return the characters to the "data" layer and it will still spit out the stuff you don't want. This is why I HATE the tier model of development. It gives people a totally false sense of security. Oh, if it's not in this or that layer it'll be OK. Lo and behold, they get hacked.
- seanjanis, on 10/22/2007, -0/+8: http://xkcd.com/327/
- Loserbait, on 10/23/2007, -0/+7: Late by 2 minutes
- sifiblog, on 10/25/2007, -2/+9: Don't forget to protect your $_GET variables too. Check to see if the user input is of the expected type, i.e. is_numeric() will verify a $_GET is a number.
- nirvaorg, on 10/25/2007, -1/+8: Can't believe 393 diggs! It's 2007.
- Dustin00, on 10/25/2007, -3/+9: Good god, if you still don't know how to do this, pick a new career path!
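The contrast that init100, mikerand and sat0ri are describing, as an added example that is not from the article or any commenter: the same lookup written once as a string-built query and once as a PDO prepared statement. It assumes PHP with the PDO SQLite driver and uses an in-memory database, so no MySQL server is needed; the table and its rows are constructed here.

```php
<?php
// Added example: string-built query vs PDO prepared statement.
// In-memory SQLite stands in for MySQL; schema and rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users (name, email) VALUES
           ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Vulnerable: the value is pasted into the SQL text, so a quote character
// inside it ends the literal and the rest is parsed as SQL.
function findByNameConcat(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the SQL text is fixed and parsed before any value is seen; the
// value is bound afterwards and is only ever compared, never parsed.
function findByNameBound(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$ordinary  = 'alice';
$tautology = "' OR '1'='1";   // the textbook input the article is about

// Concatenation: the second call's WHERE clause becomes always-true and
// the query leaks every row instead of one.
var_dump(findByNameConcat($db, $ordinary));
var_dump(findByNameConcat($db, $tautology));

// Binding: the second call looks for a user literally named "' OR '1'='1"
// and finds nobody, with no escaping written by hand.
var_dump(findByNameBound($db, $ordinary));
var_dump(findByNameBound($db, $tautology));
```

Run it with `php example.php`; the concatenated version returns both constructed users for the second input while the bound version returns an empty array.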
- surfshaker, on 10/25/2007, -0/+6: Examples like this are useless. What is this trying to teach us?
Usage of sprintf and %s does not make it any safer than an inline variable. Maybe if the example was using integers in the sprintf as in %d, it could show some advantage, as it would limit it to an integer value, but with %s there is zero advantage.
So the real meat here is "escape your mysql variable". Ummm, yeah, thanks for the tip.
Here is another tip... don't use "god" as your root password... can I get 500 diggs for that?
- Tippis, on 10/22/2007, -0/+6: Good thing that PHP supports the same thing....
Of course, this article doesn't go into that, since it's a pretty ***** lousy article, but the functionality is there, so that's a fault of the author, not of the language.
- brokentone, on 10/22/2007, -0/+5: Way to summarize the story in one line. Dugg the comment, but buried the story.
- goatcaca, on 10/24/2007, -1/+6: ummm, prepared statements anybody?
- prthealien, on 11/02/2007, -0/+4: I'm just barely learning SQL and PHP. This is very helpful to me, thanks!
- Metal_Hurlant, on 10/22/2007, -0/+4: If you have to remember to do something special every time you use your DB to avoid a security bug, you're doing it wrong.
If your code is full of mysql_query("SELECT ".$stuff." FROM ".$godknowswhat." WHERE ".$letshopethiswasescaped), you have no way of easily figuring out if you have a problem or not.
Use prepared statements, or at least use some kind of common abstraction that guarantees sanitization of your SQL parameters.
Then use it consistently. Grep your code for raw mysql_query() calls and get rid of them.
- fantata, on 10/21/2007, -4/+7: PHP isn't pathetic at all, just use PHP well. It's still the most used server side language on the web and will continue to be for many years, I would have thought. I don't know how this is top of the front page though, slow digg day. It is something that all PHP developers need to know about, however.
- malkir, on 10/22/2007, -3/+6: C#
// sql holds the statement text with a placeholder, e.g. "... WHERE id = @ParameterName";
// the SqlCommand constructor takes the command text first, then the connection.
SqlCommand cmd = new SqlCommand(sql, conn);
// The value is sent separately from the statement text, never spliced into it.
cmd.Parameters.AddWithValue("@ParameterName", value);
Architecturally you shouldn't be writing SQL in anything but some form of data access layer. In this day and age ORMs (object relational mappers) are your best bet for speedy development. You get better maintainability and a faster development cycle.
- estacado, on 10/22/2007, -0/+3: These kinds of stuff is supposed to make the front page. Oh, I miss the good ol' days....
- inspireology, on 10/21/2007, -0/+3: I was expecting a really useful in-depth article, but this is barely a useful comment :(
- BabaRamDass, on 10/21/2007, -0/+3: Bind variables escape the characters at one level or another; it's just the step has become abstracted from the programmer. His point still stands.
- tsigo, on 10/22/2007, -1/+4: Buried, might as well just link to the PHP manual for mysql_real_escape_string() for all the information that "article" provided.
- Quakes, on 10/21/2007, -0/+3: What's wrong with just "$id = (int) $_GET['whatever']"....?
- estacado, on 10/21/2007, -0/+2: The Iraq.
- inactive, on 10/24/2007, -1/+3: It would be so much easier were it not for the idiotic feature called magic quotes. Magic quotes, my ass!
- Fordi, on 10/22/2007, -0/+2: Regardless of how you do it (mres, pdo, homebrew object exchange), ESCAPE YOUR DATA BEFORE QUERYING.
http://xkcd.com/327/
- echolyean, on 10/22/2007, -0/+2: Simply because your experience in this field has led you to the point where such a task is trivial does not mean everyone should be at that point, or else give up. It's a learning process. Not everyone starts out day 1 knowing all there is to know about their field. That'd be pretty boring, anyway.
- Haplo, on 10/22/2007, -1/+3: "With java/jdbc you would use parameterized sql where the sql statement has ? for each value and further code sets the values for each."
Same with Perl. IMO any decent programming language should have a library/driver providing this instead of crippled escape/magic_quote garbage.
- brokentone, on 10/21/2007, -0/+2: Good call on PDO... we should link to your comment instead.
- saifatlast, on 10/21/2007, -0/+2: is_numeric() allows things like exponential notation, which you don't want.
- UnnDunn, on 10/21/2007, -1/+3: I was about to say "or you could just use ASP.net + ADO.net and not have to worry about such things."
But you beat me to it.
- blazes816, on 11/02/2007, -3/+5: It has nothing to do with PHP. It has to do with crappy developers.
- zbarnett, on 10/22/2007, -0/+2: Digg isn't a "Social News" site, it's a "Geek Hack Updates" site... right?
- bradleyland, on 10/22/2007, -1/+3: What the hell are you talking about? Other platforms that don't access a database?
If you're referring to frameworks, then you're really off your rocker, because PHP is not a framework, it's a language. Compare to one of the many quality PHP frameworks out there and you've got a much harder argument to make.
Even still, most frameworks will give you the ability to run raw SQL at some point, so again, this is still pertinent. My gripe with the article is that it presents mysql_escape_string() as the sole line of protection needed to prevent SQL injection attacks, which is laughable.
- icsbase, on 10/22/2007, -1/+3: This injection technique was used recently against several webservers in Finland. The attackers got nearly 80 000 usernames, passwords and emails out of MySQL databases due to outdated PHP & MySQL software. So protect your servers right and secure your code.
- iChainsaw, on 10/21/2007, -0/+2: You may be right about that... but no programming languages are perfect.
- petdance, on 10/24/2007, -0/+1: Except that it's a maintainability monstrosity, and doesn't allow you to reuse prepared statements. Please look into bind variables.
- tech42er, on 10/21/2007, -0/+1: Oh, damnit. Well done, Punk. Well done.
- zammit, on 10/22/2007, -0/+1: get_magic_quotes_gpc()
- Fordi, on 10/22/2007, -0/+1: What gets me about this:
Anyone who's even looked at a database tutorial, let alone taken a class that dealt in databasing (and hell, even a geeky comic), has had this drilled into their heads: SANITIZE YOUR DAMNED INPUT. So a half-page 'story' on it is Digg-worthy?
I realize that a lot of people *don't* do this, but that's called a lazy programmer. They know what they're *supposed* to do, they just don't do it.
- Eevee, on 10/22/2007, -0/+1: As opposed to the mysql_fake_escape_string(). Thanks, PHP.
- Error601, on 10/22/2007, -0/+1: Why would you think there would be a SQL syntax escape when the data is introduced after parsing?
- petdance, on 10/24/2007, -0/+1: If you're new to SQL and PHP, then this article is sending you down the wrong path. The solution isn't doing escapes on your variables, but in using prepared statements and bind variables.
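The three approaches to an integer id that sifiblog, Quakes and saifatlast discuss (is_numeric(), an (int) cast, and a strict validator), as an added example that is not from any commenter, run over a handful of constructed inputs so the differences are visible. Function names and the sample strings are this example's own.

```php
<?php
// Added example: what each way of accepting an integer id lets through.
// The inputs below are constructed; none come from a real request.

// (int) cast: never fails, so junk is silently truncated ("12abc") or
// becomes 0, and the code downstream cannot tell that anything was wrong.
function idByCast(string $raw): int
{
    return (int) $raw;
}

// is_numeric(): also true for exponent notation ("1e3"), decimals and
// a value with leading whitespace, so "is a number" is wider than "is an id".
function idByIsNumeric(string $raw): ?int
{
    return is_numeric($raw) ? (int) $raw : null;
}

// FILTER_VALIDATE_INT: only a decimal integer passes (surrounding
// whitespace is trimmed), and min_range rejects 0 and negatives,
// which no primary key has. null means "refuse the request".
function idByFilter(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

$inputs = ['42', '1e3', '3.7', ' 7', '12abc', '-5', '0', 'abc'];
foreach ($inputs as $raw) {
    printf("%-10s cast=%-6s is_numeric=%-6s filter=%s\n",
        var_export($raw, true),
        var_export(idByCast($raw), true),
        var_export(idByIsNumeric($raw), true),
        var_export(idByFilter($raw), true));
}
```

Only the filter column refuses "1e3", "3.7", "12abc", "-5" and "0"; the cast column reports an integer for every input, which is why a cast alone tells you nothing about whether the request was well-formed.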