Friday, November 9, 2007

For PHP Web Developers

I realize that the interested audience for this post is probably pretty limited, but I think this is an important topic. It is so common to see SQL Injection vulnerabilities in code these days for a multitude of reasons.

I think the prime reason, at least in many academic settings, is that we use homegrown applications that have not been updated in years. I'm sure that these applications were written very well for their day, but that was a different time than now. Nowadays, the prime concern in writing code is security, given the modern boom in easily exploited vulnerabilities.

The most frequent offender, I think, is the application vulnerable to SQL Injection. A SQL Injection is an attack where a malicious user enters SQL into a field on a web form. If the application that processes the form does not take care to neutralize the code that arrived through the form before building its query, this maliciously injected SQL is executed by the database engine. If permissions are lax, this could even be used to delete your entire database!

The cure? In PHP it's pretty simple; just make sure that you run all of your form data through the mysql_escape_string() function before sending it off to the database. In essence, this function escapes the characters necessary to perform SQL Injections - quotes, semicolons, etc.
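To make the difference concrete, here is an added example (not code from the original post) that runs the same lookup three ways against an in-memory SQLite database, so it works without a MySQL server; the table, row and input value are constructed for the demonstration, and PDO::quote() stands in for mysql_escape_string() since the old mysql extension no longer ships with PHP.

```php
<?php
// Added example: one lookup written unsafely, with escaping, and with a
// prepared statement. Everything below (table, row, input) is constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (name TEXT, email TEXT)");
$pdo->exec("INSERT INTO users VALUES ('O''Brien', 'obrien@example.com')");

// 1. Vulnerable: form data pasted straight into the SQL text. Any quote in
//    $name ends the string literal, so whatever follows is read as SQL.
function findUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT email FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Escaped: the approach the post describes. PDO::quote() is the
//    driver-aware counterpart of mysql_escape_string() (later superseded by
//    mysql_real_escape_string(), which knows the connection's character set)
//    and adds the surrounding quotes. The input still lands inside the SQL
//    text, but quotes inside it no longer terminate the literal.
function findEscaped(PDO $pdo, string $name): array
{
    $sql = "SELECT email FROM users WHERE name = " . $pdo->quote($name);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Parameterised: the SQL text is fixed and the value travels separately,
//    so the database never parses it as SQL. This is the form to prefer.
function findPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT email FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$input = "O'Brien";   // a perfectly legitimate value that contains a quote
try {
    findUnsafe($pdo, $input);
} catch (PDOException $e) {
    // The quote ended the literal early, so the database saw malformed SQL.
    echo "unsafe query failed: ", $e->getMessage(), "\n";
}
print_r(findEscaped($pdo, $input));
print_r(findPrepared($pdo, $input));
```

The unsafe version breaks on ordinary data containing a quote, which is the same mechanism an attacker uses to append SQL of their own; the other two return the row for O'Brien.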
