
Protect Your Website Against SQL Injection




Hacker-one: "YES, I DID IT!!!"

Hacker-two: "What?"

Hacker-one: "I HACKED ANOTHER SITE!!!"

Hacker-two: "Great!!! How did you do that?"

Hacker-one: "SQL INJECTION!!! :p"


Yes, one of the most common methods used by hackers is SQL injection.

Sites get hacked through SQL injection because of a loophole that developers often leave behind while building a web application.

Today I will explain how to avoid SQL injection when you are developing a web application with PHP.

I will be explaining with the help of an example, suppose we have text fields on our form

1. User Name

2. Password

and a login button.

When the user clicks login, the credentials are validated on the back-end. If the user is valid, he is logged into the system; otherwise the error message "incorrect username or password" is shown.

What happens on the back-end:

$userName = $_POST['userName'];
$password = $_POST['password'];

// The submitted values are concatenated straight into the SQL text; this is the loophole.
$sqlQuery = "select * from users where user_name= '" . $userName . "' and user_password= '" . $password . "';";

This is where the developer has left a loophole. If, instead of a password, I enter ' or 'a'='a then the password field has the value

$password is ' or 'a'='a

Let's place this value in the query, and the query becomes

$sqlQuery = "select * from users where user_name= '" . $userName . "' and user_password= '' or 'a'='a';";

You can see clearly that the password doesn't match, but the other condition, 'a'='a', is always true, so the OR operator takes effect and the user logs into the system without knowing the actual password. I can even give you the names of some famous websites where you can inject SQL or use this technique.

HOW TO AVOID IT???

Don’t treat the field values as mentioned above

Use this function:

function BlockSQLInjection($str) {
    // Same replacement table as CodeIgniter's quotes_to_entities(): every single
    // or double quote (backslash-escaped or not) becomes an HTML entity, so the
    // value can no longer close the string literal in the query.
    return str_replace(array("\\'", "\"", "'", '"'), array("&#39;", "&quot;", "&#39;", "&quot;"), $str);
}

This replaces the characters that can break the string.

So you can use this function as:

$userName = BlockSQLInjection($_POST['userName']);
$password = BlockSQLInjection($_POST['password']);

Now the hacker won't be able to break the query string.
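As an added example (not code from the original post), here is the login check above written three ways and run against an in-memory SQLite database through PDO: the concatenated query, the same query with the quote-to-entity replacement applied first, and a prepared statement with bound parameters. It assumes PHP with the pdo_sqlite extension; the table, column and user values are constructed to match the article's query.

```php
<?php
// Added example (not from the original post): the article's login check run three
// ways against an in-memory SQLite database through PDO. Table, column and user
// values are constructed to match the article's query.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user_name TEXT, user_password TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'correct horse')");

// 1. The article's vulnerable pattern: submitted values concatenated into the SQL text.
function loginConcatenated(PDO $db, string $userName, string $password): bool
{
    $sqlQuery = "select * from users where user_name= '" . $userName
              . "' and user_password= '" . $password . "'";
    return $db->query($sqlQuery)->fetch() !== false;
}

// 2. The article's fix: quotes turned into HTML entities before concatenation
//    (same replacement table as CodeIgniter's quotes_to_entities()).
function loginEntityEscaped(PDO $db, string $userName, string $password): bool
{
    $from = ["\\'", "\"", "'", '"'];
    $to   = ['&#39;', '&quot;', '&#39;', '&quot;'];
    return loginConcatenated($db, str_replace($from, $to, $userName),
                                  str_replace($from, $to, $password));
}

// 3. Prepared statement: the values are bound as parameters and never parsed as
//    SQL, so a quote in the input cannot end the string literal, and the data is
//    compared unchanged.
function loginPrepared(PDO $db, string $userName, string $password): bool
{
    $stmt = $db->prepare("select * from users where user_name = ? and user_password = ?");
    $stmt->execute([$userName, $password]);
    return $stmt->fetch() !== false;
}

// The payload from the article placed in the password field. Its leading quote
// closes the literal, so the WHERE clause reads (... and user_password = '') or 'a'='a'.
$payload = "' or 'a'='a";

foreach (['loginConcatenated', 'loginEntityEscaped', 'loginPrepared'] as $fn) {
    printf("%-19s payload: %-9s real password: %s\n", $fn,
        $fn($db, 'alice', $payload) ? 'LOGGED IN' : 'rejected',
        $fn($db, 'alice', 'correct horse') ? 'LOGGED IN' : 'rejected');
}
```

The prepared statement keeps the submitted value out of the SQL grammar altogether and compares the data unchanged, whereas the entity replacement only covers quote characters and alters what is stored and compared (a genuine password containing a quote is matched against its &#39; form).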

Many PHP frameworks provide this functionality, such as quotes_to_entities($string) in CodeIgniter.

Use a design pattern when you are building a big application: the model, controller and view layers and the DAO (data access object) layer must be implemented so that the application is loosely coupled and extensible.

A huge number of sites have been developed in core PHP, where no framework is used. WordPress is very secure, but when it comes to plugins (that we download and use), they can have loopholes inside them. Stay alert while developing web applications; you never know when you are going to get hacked. Stay blessed! :)

Good luck!


About The Author

Danyal Sandeelo is a Software Developer at "breezecom". He is the newest member of Team RHA and blogs at http://blog.votemypic.com


15 comments:

M.Gazzaly on April 19, 2012 at 8:53 AM said...

Hum!! Nice one Welcome to RHA family but some more explanation will be helpful for people like new web developers

Regards
M.Gazzaly
(http://www.gazzaly.info)

Facebook Application Developer on April 23, 2012 at 1:43 AM said...

I usually don’t comment on blogs but this blog inspired me to make one compliment as I know it’s not enough for the meaningful context in your writing as one could understand it easily, will refer this blog to my friends to gather such informative insights.

Anonymous said...

did u teach how to facebook a/c and other emails...
plz teach.... sir

ashish on May 1, 2012 at 7:42 AM said...

I recently moved to WordPress from Blogger, so I don't know a lot about PHP coding. Can you please explain this more? I mean, where can I add those functions in my code?

Facebook Application Development on December 17, 2012 at 5:19 AM said...

Thanks for sharing this information with us. Your material is up to date and quite informative, I would like to bookmark this page so I can come here to read this again, as you have done a wonderful job.

Custom iPhone App Development on December 20, 2012 at 3:49 AM said...

This is a great inspiring blog. I am pretty much pleased with your good work.You put really very helpful information.

alex on December 20, 2012 at 11:41 PM said...

Nice post having excellent contents. This is exactly what I've been looking for. Thank you, very good
Logo Designs

alex on December 28, 2012 at 2:55 AM said...

There Is Obviously a lot to know about this. I suppose you made Some Great points in the Feature also.

Logo Design Tips

Social Documentary on March 29, 2013 at 3:38 AM said...

Thanks for the informative writing. Would mind updating some good tips about it. I still wait your next place. ;)

Custom Writing on May 10, 2013 at 12:47 AM said...

This is definitely an amazing website for a beginner to get started.

Anonymous said...

Nice article, bro. But the simple way is to use parameterized queries instead of passing into them directly

super food on July 18, 2013 at 11:46 PM said...

I'd like to thanks for that initiatives you get on paper this short article. My spouse and i look forward to more of your amazing blogs. for more info click here super food

Pitts Burgh on July 24, 2013 at 9:59 PM said...

Hum!! Nice one Welcome to RHA family but some more explanation will be helpful for people like new web developers.
t shirts printing

PSD To Wordpress on September 2, 2013 at 3:39 AM said...

Very interesting article. I've always been interested in knowing more about this.

Airport Taxi on April 7, 2014 at 7:22 AM said...

Thank you for this..
Airport Taxi


RHA © 2013. All Rights Reserved.