Home >Backend Development >PHP Tutorial >Anti-SQL injection code to prevent SQL injection in PHP
1. Types of Injection Attacks
There may be many different types of attack motivations, but at first glance, it seems that there are more types. This is very true - if a malicious user finds a way to perform multiple queries. We will discuss this in detail later in this article.
For example
If your script is executing a SELECT instruction, then an attacker can force the display of every row in a table - by injecting a condition such as "1=1" into the WHERE clause, as shown below (where the injection part is shown in bold):
SELECT * FROM wines WHERE variety = 'lagrein' OR 1=1;'
As we discussed earlier, this in itself can be useful information because it reveals The general structure of the table (which is not possible with an ordinary record), and potentially showing records containing confidential information.
An updated directive potentially poses a more immediate threat. By placing other attributes in the SET clause, an attacker can modify any field in the record currently being updated, such as the following example (where the injected part is shown in bold):
UPDATE wines SET type='red ','vintage'='9999' WHERE variety = 'lagrein'
By adding a true condition such as 1=1 to the WHERE clause of an update instruction, this modification range can be extended to each record, For example, the following example (where the injection part is shown in bold):
UPDATE wines SET type='red', 'vintage'='9999 WHERE variety = 'lagrein' OR 1=1;'
The most dangerous instruction is probably DELETE - It's not hard to imagine. The injection technique is the same as what we've already seen - extending the scope of affected records by modifying the WHERE clause, as in the example below (where the injected part is in bold):
DELETE FROM wines WHERE variety = 'lagrein' OR 1=1;'
2. Multiple query injection
Multiple query injections will exacerbate the potential damage an attacker can cause - by allowing multiple destructive instructions to be included in a single query. When using the MySQL database, an attacker can easily achieve this by inserting an unexpected terminator into the query - an injected quote (single or double) marks the end of the expected variable; Then terminate the directive with a semicolon. Now, an additional attack command may be added to the end of the now terminated original command. The final destructive query might look like this:
Copy code The code is as follows:
SELECT * FROM wines WHERE variety = 'lagrein';
GRANT ALL ON *.* TO 'BadGuy@%' IDENTIFIED BY 'gotcha';'
Copy code The code is as follows:
$mid = intval($std->my_getcookie('member_id'));
$pid = $std->my_getcookie('pass_hash');
Copy code The code is as follows:
if ( ! in_array( $name,array('topicsread', 'forum_read', 'collapseprefs') ) )
{
return $this->
clean_value(urldecode($_COOKIE[$ibforums->vars['cookie_id'].$name]));
}
else
{
return urldecode($_COOKIE[$ibforums->vars['cookie_id'].$name]);
}
After such correction, the key variables are returned after "passing" the global clean_value() function, while other variables are not checked.
Now, now that we have a general understanding of what SQL injection is, how it works, and how vulnerable this injection is, let’s explore how to effectively prevent it. Fortunately, PHP provides us with a wealth of resources, so we can confidently predict that an application carefully and thoroughly built using our recommended techniques will essentially eliminate any possibility of SQL from your scripts. Injection - This is achieved by "cleaning" your user's data before it can cause any damage.
4. Define each value in your query
We recommend that you make sure you define each value in your query. String values are the first to be affected, as are things you would normally expect to use "single" (rather than "double") quotes. On the one hand, if you use double quotes to allow PHP variable substitution within the string, it makes typing queries easier; on the other hand, this (admittedly, only minimally) will also reduce the amount of PHP code in the future. analysis work.
Next, let us use the non-injection query we used at the beginning to illustrate this problem:
SELECT * FROM wines WHERE variety = 'lagrein'
Or expressed in PHP statements as:
$query = "SELECT * FROM wines WHERE variety = '$variety'";
Technically, quotes are not required for numeric values. However, if you don't mind using quotes around a value for a field like wine and if your user enters a null value into your form, then you'll see a query like the following :
SELECT * FROM wines WHERE vintage =
Of course, this query is syntactically invalid; however, the following syntax is valid:
SELECT * FROM wines WHERE vintage = ''
The second query will (probably ) will return nothing, but at least it won't return an error message.
5. Check the type of value submitted by the user
From the previous discussion, we can see that so far, the main source of SQL injection often comes from an unexpected form entry. However, when you offer the user the opportunity to submit certain values via a form, you should have a considerable advantage in determining what input content you want to obtain - this can make it easier to check the validity of the user's entry. In previous articles, we have discussed such verification issues; so, here we will only briefly summarize the main points of our discussion at that time. If you are expecting a number, then you can use one of these techniques to ensure that what you are getting is actually a numeric type:
· Use the is_int() function (or is_integer() or is_long()).
· Use the gettype() function.
· Use the intval() function.
· Use the settype() function.
To check the length of user input, you can use the strlen() function. To check whether a desired time or date is valid, you can use the strtotime() function. It will almost certainly ensure that a user's entry does not contain a semicolon character (unless punctuation can be legally included). You can easily achieve this with the help of strpos() function as shown below:
if( strpos( $variety, ';' ) ) exit ( "$variety is an invalid value for variety!" );
As we did in As mentioned earlier, as long as you carefully analyze your user input expectations, you should be able to easily detect many problems.
6. Filter out every suspicious character from your query
Although in previous articles, we have discussed how to filter out dangerous characters; but here, let us briefly emphasize and summarize this issue again :
· Do not use the magic_quotes_gpc directive or its "behind-the-scenes partner" - the addslashes() function. This function is restricted in application development and requires an extra step - use the stripslashes() function.
· In comparison, the mysql_real_escape_string() function is more commonly used, but it also has its own shortcomings.
The above introduces the code to prevent SQL injection in PHP, including the content of preventing SQL injection. I hope it will be helpful to friends who are interested in PHP tutorials.