Home > Article > Backend Development > PHP and SQL injection attacks_PHP tutorial
PHP and SQL injection attacks_PHP tutorial
- WBOYOriginal
- 2016-07-13 17:43:171013browse
SQL injection attack is the most common method used by hackers to attack websites. If your site does not use strict user input validation, it is often vulnerable to SQL injection attacks. SQL injection attacks are usually implemented by submitting bad data or query statements to the site database, which may cause records in the database to be exposed, changed or deleted. Let’s talk about how SQL injection attacks are implemented and how to prevent them.
Look at this example:
// supposed input
$name = “ilia’; DELETE FROM users;”;
mysql_query(“SELECT * FROM users WHERE name=’{$name}’”);
It is obvious that the last command executed by the database is:
SELECT * FROM users WHERE name=ilia; DELETE FROM users
This had disastrous consequences for the database - all records were deleted.
But if the database you are using is MySQL, then fortunately, the mysql_query() function does not allow you to directly perform such operations (you cannot perform multiple statement operations in a single line), so you can rest assured. If the database you are using is SQLite or PostgreSQL and supports such statements, you will face disaster.
As mentioned above, SQL injection mainly submits unsafe data to the database to achieve the purpose of attack. In order to prevent SQL injection attacks, PHP comes with a function that can process the input string and perform preliminary security processing on the input at the lower level, that is, Magic Quotes. (php.ini magic_quotes_gpc). If the magic_quotes_gpc option is enabled, single quotes, double quotes, and other characters in the input string will be automatically preceded by backslashes.
But Magic Quotes is not a very universal solution, it does not block all potentially dangerous characters, and Magic Quotes is not enabled on many servers. Therefore, we also need to use various other methods to prevent SQL injection.
Many databases themselves provide this input data processing function. For example, PHP's MySQL operation function has a function called mysql_real_escape_string(), which can escape special characters and characters that may cause database operation errors.
Look at this code:
//If Magic Quotes function is enabled
if (get_magic_quotes_gpc()) {
$name = stripslashes($name);
}else{
$name = mysql_real_escape_string($name);
}
mysql_query(“SELECT * FROM users WHERE name=’{$name}’”);
Note that before we use the functions provided by the database, we must determine whether Magic Quotes is turned on, just like in the above example, otherwise an error will occur if the process is repeated twice. If MQ is enabled, we have to remove the added ones to get the real data.
In addition to preprocessing the above data in string form, when storing Binary data in the database, you should also pay attention to preprocessing. Otherwise, the data may conflict with the storage format of the database itself, causing the database to crash, data records to be lost, or even the entire database to be lost. Some databases, such as PostgreSQL, provide a function pg_escape_bytea() specially used to encode binary data, which can encode the data similar to Base64.
For example:
// for plain-text data use:
pg_escape_string($regular_strings);
// for binary data use:
pg_escape_bytea($binary_data);
In another case, we also need to adopt such a mechanism. That is, multi-byte languages such as Chinese, Japanese, etc. that are not supported by the database system itself. Some of them have ASCII ranges that overlap with binary data ranges.
However, encoding the data may cause query statements like LIKE abc% to fail.