| CityLinkPCs » Programming » Points In PHP And SQL Security Topics Explained |
Points In PHP And SQL Security Topics Explained
|
View PDF | Print View |
One of the biggest flaws in the PHP language is the fact that it allows for web developers to make very big mistakes in regards to security. One example of this is through SQL injections- an exploit that malicious users take advantage of when web developers don't accurately safeguard their application.
It's rather frightening to think that a statement such as "b' OR 'b'='b'" can render one's security useless. But this is indeed true, and is what we call an SQL injection. SQL injections have been the most popular way to "hack" a website in recent years. As long as the input can be validated before it is passed along to the SQL query, we can ensure that nothing bad will go wrong.
As long as we can escape the quote that needs to be used in the injection, we can prevent any type of harm that may come to a web application. The first way to accomplish this is to simply use magic quotes. It should be noted that magic quotes are no longer supported as of PHP 6, and shouldn't be used. Instead, we leave SQL injection prevention up to a newer and more dependable command.
Using the "mysql_real_escape_string()" function will enable web developers to escape quotes properly. And unlike magic quotes, this function will only escape quotes that we need. Keep in mind that when using this function, it may be necessary to use the "striplslashes()" function to counteract the slashes that are being outputted as a result.
Another good way to prevent SQL injections is to simply restrict authority in SQL users where possible. For instance: it would be a good idea to create individual users that do specific things: such as create a table or update rows in the said table. This can help make the task of ruining one's hard work much harder for malicious web users, although it's a lot more work for webmasters (Although well worth it).
It should be noted that programs and web applications that stop SQL injections should not be obtained- since they commonly cost quite a bit of money. As long as webmasters take precautions with what they create, there should be no reason to spend hundreds of dollars on software that only makes use of escape characters and formatting data correctly. This type of application is created to con webmasters into buying something they don't need- so dont fall victim to them!
Closing Comments
SQL injections are never a pretty sight. They ruin databases, can be a security risk to users of the website, and they even can destroy entire websites. Thus, it's good to either hire developers that know what they are doing or to brush up on some security topics by one's self. Doing so can save a world of hurt for a webmaster, as well as quite a bit of money from not having to buy mock applications that claim to do the "hard work" for webmasters. In the end, it's recommended developers pick up a good book or visit their favorite PHP security websites to stay informed.
About the Author
Learn more on Learn SQL Injection and SQL Injection Table.
Rating: Pending (35)
