SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
To protect against SQL injection, user input must not directly be embedded in SQL statements. Instead, user input must be escaped or filtered, or parameterized statements must be used.
|
|||
|
During a database query, you might ask the user for a user ID and password, then check for the user by passing the database a query and checking the result.
Code:
SELECT * FROM users WHERE name='$username' AND pass='$password';
However, if the user who's logging in is devious, he may enter the following as his password:
Code:
' OR '1'='1
This results in the query being sent to the database as:
Code:
SELECT * FROM users WHERE name='known_user' AND pass='' OR '1'='1';
This will return the username without validating the password -- the malicious user has gained entry to your application as a user of his choice. To alleviate this problem, you need to escape dangerous characters from the user-submitted values, most particularly the single quotes ('). The simplest way to do this is to use PHP's addslashes() function.
Code:
$username = addslashes($_POST["username"]);
$password = addslashes($_POST["password"]);
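The first post says parameterized statements must be used. As an added example (not from the thread), here is the post's login query in its vulnerable string-built form beside a parameterized version, run against a constructed in-memory SQLite table. It is written in Python with sqlite3 rather than PHP; the mechanism is the same as PDO prepared statements, since the driver passes the values as data and they never become part of the SQL text.

```python
import sqlite3

# Constructed sample table: a single user with a known password.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    db.execute("INSERT INTO users VALUES ('known_user', 'correct-horse')")
    return db

def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    # Input is pasted straight into the SQL text, exactly like the post's query.
    sql = f"SELECT * FROM users WHERE name='{username}' AND pass='{password}'"
    return db.execute(sql).fetchone() is not None

def login_safe(db: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders: the quote in the password stays a literal character.
    sql = "SELECT * FROM users WHERE name=? AND pass=?"
    return db.execute(sql, (username, password)).fetchone() is not None

INJECTED = "' OR '1'='1"  # the password from the post

def demo() -> dict:
    # Returns the outcome of each login attempt so the results can be checked.
    db = make_db()
    return {
        "vulnerable_with_injection": login_vulnerable(db, "known_user", INJECTED),
        "safe_with_injection": login_safe(db, "known_user", INJECTED),
        "safe_with_real_password": login_safe(db, "known_user", "correct-horse"),
        "safe_with_wrong_password": login_safe(db, "known_user", "nope"),
    }

if __name__ == "__main__":
    for check, logged_in in demo().items():
        print(f"{check}: {logged_in}")
```

The string-built query logs the attacker in with no valid password, while the parameterized query only succeeds with the real one.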
|
|||
|
Set the magic_quotes_gpc variable in php.ini to Off; it will automatically apply addslashes to all values submitted via GET, POST or Cookies.
Code:
if (get_magic_quotes_gpc()) {
    // magic_quotes_gpc is on: remove the slashes PHP added automatically
    $_GET = array_map('stripslashes', $_GET);
    $_POST = array_map('stripslashes', $_POST);
    $_COOKIE = array_map('stripslashes', $_COOKIE);
}