16
The number one security topic present in applications that use PHP is the SQL injection. This is because PHP allows for web developers to make unfortunate mistakes when it comes to creating their SQL queries. But thankfully, fixing the problem is easy: all that is necessary is a few tips in security.
SQL injections are defined by the vulnerability in the SQL query that PHP developers make use of. When the developer in question puts forth an SQL query, he or she needs to make an effort to validate any input that could come from any web form or entry field. A simple input statement such as “a’ OR ‘a’='a’” could compromise the security of one’s database with ease.
Magic quotes have long helped web developers secure their SQL query statements. But as it stands today, this function is depreciated and no longer in use. Magic quotes have received a bad reputation since they do escape quotes- but they do so on the entire input, and not necessarily just a certain field we need to escape. Magic quotes are a hassle, and can even lead to performance issues. Thus, developers tend to ignore them.
The common way to protect against an SQL injection attack is to simply use the mysql_real_escape_string() function that PHP has support for. When passing POST values through this function, the result becomes an escaped string that can’t be used to manipulate an SQL query- perfect for our situation.
Oddly enough, we can create a greater sense of security through creating more user accounts via our SQL program. We can assign different types of access to different users, which would make it quite hard for attackers to get full access to our database should they find a hole somewhere. Having a user for creating, deleting, and inserting data is a good idea to help split up responsibility.
A special word of advice for PHP developers: don’t buy into programs that claim they prevent SQL injections through their classes or web applications. While they may indeed do so, stopping an SQL injection is just as simple as using the previously mentioned function- no need to waste one’s money! Alternatively, SQL injection scanners can be used to help find holes.
Final Thoughts
SQL injections are never a pretty sight. They ruin databases, can be a security risk to users of the website, and they even can destroy entire websites. Thus, it’s good to either hire developers that know what they are doing or to brush up on some security topics by one’s self. Doing so can save a world of hurt for a webmaster, as well as quite a bit of money from not having to buy mock applications that claim to do the “hard work” for webmasters. In the end, it’s recommended developers pick up a good book or visit their favorite PHP security websites to stay informed.
Leave a Reply