<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Preventing SQL Injection with MySQL and PHP</title>
	<atom:link href="http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/</link>
	<description>Technical Articles, Musings and Opinions from Tech-Evangelist</description>
	<lastBuildDate>Mon, 15 Mar 2010 17:54:04 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=abc</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Doogie</title>
		<link>http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/comment-page-1/#comment-12689</link>
		<dc:creator>Doogie</dc:creator>
		<pubDate>Sat, 13 Mar 2010 13:45:21 +0000</pubDate>
		<guid isPermaLink="false">http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/#comment-12689</guid>
		<description>Hi Elizabeth

New and creative ways to hack sites are always emerging. The basic test is the one mentioned in the article. Many sites will fail that simple test. 

You can do a search for &quot;SQL injection test&quot; and you will find several methods to test for vulnerability. 

The definitive source for information appears to be &lt;a href=&quot;http://www.owasp.org/index.php/Testing_for_SQL_Injection_%28OWASP-DV-005%29&quot; target=&quot;_blank&quot; rel=&quot;nofollow&quot;&gt;OWASP.org&lt;/a&gt;. You will find links to several excellent articles on that page that cover a range of server-side languages. 

SQL injection can be prevented simply by blocking certain characters that are required for an attack. That is what mysql_real_escape_string does. That function was developed by the MySQL team.</description>
		<content:encoded><![CDATA[<p>Hi Elizabeth</p>
<p>New and creative ways to hack sites are always emerging. The basic test is the one mentioned in the article. Many sites will fail that simple test. </p>
<p>You can do a search for &#8220;SQL injection test&#8221; and you will find several methods to test for vulnerability. </p>
<p>The definitive source for information appears to be <a href="http://www.owasp.org/index.php/Testing_for_SQL_Injection_%28OWASP-DV-005%29" target="_blank" rel="nofollow">OWASP.org</a>. You will find links to several excellent articles on that page that cover a range of server-side languages. </p>
<p>SQL injection can be prevented simply by blocking certain characters that are required for an attack. That is what mysql_real_escape_string does. That function was developed by the MySQL team.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Elizabeth</title>
		<link>http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/comment-page-1/#comment-12688</link>
		<dc:creator>Elizabeth</dc:creator>
		<pubDate>Sat, 13 Mar 2010 12:49:53 +0000</pubDate>
		<guid isPermaLink="false">http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/#comment-12688</guid>
		<description>Hi. Although I have been programming for several years, I am new to PHP. I am looking into the security of websites that use forms and databases for user interaction. I have been searching online and have found many different suggestions to help secure my site against MySQL injection and XSS. I have used your above code to help in cleaning out any unwanted characters within my SQL statements; what I am wondering is whether there is any way to test a webpage to see if it passes an injection. Since I am in no way as good as those who do these bad things, I would find it helpful if there was a way to test my pages to make sure that they are at least fairly secure. Do you have any suggestions? And thank you for the above function; it saved me the time of writing my own.</description>
		<content:encoded><![CDATA[<p>Hi. Although I have been programming for several years, I am new to PHP. I am looking into the security of websites that use forms and databases for user interaction. I have been searching online and have found many different suggestions to help secure my site against MySQL injection and XSS. I have used your above code to help in cleaning out any unwanted characters within my SQL statements; what I am wondering is whether there is any way to test a webpage to see if it passes an injection. Since I am in no way as good as those who do these bad things, I would find it helpful if there was a way to test my pages to make sure that they are at least fairly secure. Do you have any suggestions? And thank you for the above function; it saved me the time of writing my own.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Arnor Baldvinsson</title>
		<link>http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/comment-page-1/#comment-12565</link>
		<dc:creator>Arnor Baldvinsson</dc:creator>
		<pubDate>Thu, 11 Feb 2010 19:16:41 +0000</pubDate>
		<guid isPermaLink="false">http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/#comment-12565</guid>
		<description>Thanks for the article!  I just want to say that SQL injections have nothing to do with the programming language that constructs the queries.  It has to do with the developer writing the programming code to do his or her job and making sure that he or she does not allow malicious SQL statements through to the back end.  It&#039;s a question of string parsing, and the language can certainly help with that, but the responsibility is with the developer who writes the code to try to prevent injections going through to the back end :)

Stored procedures do not really help, since you will still need to pass information to the SP so it can do its job.  If you are passing a filter to it which includes &quot;;DROP TABLE USERS&quot; or whatever the syntax is, and the SP takes the filter straight into a WHERE clause, it will not help at all with the injection.  Of course it always depends on the context, and if all you are sending into the SP is a numerical system ID number, then checking that it is indeed all numerical characters will prevent it from doing any bad stuff.  But ultimately it is up to us to make sure that the injection doesn&#039;t reach the back end :)

Best regards,</description>
		<content:encoded><![CDATA[<p>Thanks for the article!  I just want to say that SQL injections have nothing to do with the programming language that constructs the queries.  It has to do with the developer writing the programming code to do his or her job and making sure that he or she does not allow malicious SQL statements through to the back end.  It&#8217;s a question of string parsing, and the language can certainly help with that, but the responsibility is with the developer who writes the code to try to prevent injections going through to the back end :)</p>
<p>Stored procedures do not really help, since you will still need to pass information to the SP so it can do its job.  If you are passing a filter to it which includes &#8220;;DROP TABLE USERS&#8221; or whatever the syntax is, and the SP takes the filter straight into a WHERE clause, it will not help at all with the injection.  Of course it always depends on the context, and if all you are sending into the SP is a numerical system ID number, then checking that it is indeed all numerical characters will prevent it from doing any bad stuff.  But ultimately it is up to us to make sure that the injection doesn&#8217;t reach the back end :)</p>
<p>Best regards,</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Doogie</title>
		<link>http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/comment-page-1/#comment-12345</link>
		<dc:creator>Doogie</dc:creator>
		<pubDate>Mon, 11 Jan 2010 17:20:13 +0000</pubDate>
		<guid isPermaLink="false">http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/#comment-12345</guid>
		<description>Hi boaz

We do not use an e-mail list, but we do use Twitter. A tweet goes out to followers with each new article.</description>
		<content:encoded><![CDATA[<p>Hi boaz</p>
<p>We do not use an e-mail list, but we do use Twitter. A tweet goes out to followers with each new article.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: boaz</title>
		<link>http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/comment-page-1/#comment-12342</link>
		<dc:creator>boaz</dc:creator>
		<pubDate>Sun, 10 Jan 2010 22:43:10 +0000</pubDate>
		<guid isPermaLink="false">http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/#comment-12342</guid>
		<description>Hi Doogie,
Stored procedures are indeed an advanced feature of database development. I look forward to reading your articles on them. Is there a way I could add myself to an emailing list of yours?

Thanks! :)</description>
		<content:encoded><![CDATA[<p>Hi Doogie,<br />
Stored procedures are indeed an advanced feature of database development. I look forward to reading your articles on them. Is there a way I could add myself to an emailing list of yours?</p>
<p>Thanks! :)</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Doogie</title>
		<link>http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/comment-page-1/#comment-12330</link>
		<dc:creator>Doogie</dc:creator>
		<pubDate>Sat, 09 Jan 2010 14:26:59 +0000</pubDate>
		<guid isPermaLink="false">http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/#comment-12330</guid>
		<description>Hi boaz

Stored procedures can be a good idea and add another layer of security, but this article only covers SQL injection. Stored procedures work with MySQL 5.0 and newer versions of MySQL, so they are fairly new to MySQL users, but are commonly used with other, older database systems. Quite frankly, I have not seen any MySQL applications using them thus far.  I know that some developers think that they add more complexity to the code, and thus intentionally avoid using them unless it is absolutely required for security.

I&#039;ve added MySQL Stored Procedures to a series of upcoming security articles.  Thanks for the tip. :D</description>
		<content:encoded><![CDATA[<p>Hi boaz</p>
<p>Stored procedures can be a good idea and add another layer of security, but this article only covers SQL injection. Stored procedures work with MySQL 5.0 and newer versions of MySQL, so they are fairly new to MySQL users, but are commonly used with other, older database systems. Quite frankly, I have not seen any MySQL applications using them thus far.  I know that some developers think that they add more complexity to the code, and thus intentionally avoid using them unless it is absolutely required for security.</p>
<p>I&#8217;ve added MySQL Stored Procedures to a series of upcoming security articles.  Thanks for the tip. :D</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: boaz</title>
		<link>http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/comment-page-1/#comment-12310</link>
		<dc:creator>boaz</dc:creator>
		<pubDate>Wed, 06 Jan 2010 07:30:54 +0000</pubDate>
		<guid isPermaLink="false">http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/#comment-12310</guid>
		<description>Why not use stored procedures in addition to escaping characters? That way your scripts are safe, and you have full control over what the script does.</description>
		<content:encoded><![CDATA[<p>Why not use stored procedures in addition to escaping characters? That way your scripts are safe, and you have full control over what the script does.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Paul</title>
		<link>http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/comment-page-1/#comment-11669</link>
		<dc:creator>Paul</dc:creator>
		<pubDate>Mon, 28 Sep 2009 20:58:26 +0000</pubDate>
		<guid isPermaLink="false">http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/#comment-11669</guid>
		<description>Hey, thanks for the great source code. I&#039;ve been developing web for about a 3/2 years now, and until recently I never took any heed of the security issue. It&#039;s only recently that I started learning, and your article really lightened me up on some parts. Thanks again :)</description>
		<content:encoded><![CDATA[<p>Hey, thanks for the great source code. I&#8217;ve been developing web for about a 3/2 years now, and until recently I never took any heed of the security issue. It&#8217;s only recently that I started learning, and your article really lightened me up on some parts. Thanks again :)</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Doogie</title>
		<link>http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/comment-page-1/#comment-10900</link>
		<dc:creator>Doogie</dc:creator>
		<pubDate>Wed, 13 May 2009 01:25:50 +0000</pubDate>
		<guid isPermaLink="false">http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/#comment-10900</guid>
		<description>Hi demon

They can be useful for validating user input using PHP, but they do not have anything to do with SQL injection. 

There is also ctype_alpha(), which validates a string for alphabetic characters only. 

I think we need to do an article explaining how to use these functions. Thanks for the info. The code monkeys reading this will find it to be useful.  :)</description>
		<content:encoded><![CDATA[<p>Hi demon</p>
<p>They can be useful for validating user input using PHP, but they do not have anything to do with SQL injection. </p>
<p>There is also ctype_alpha(), which validates a string for alphabetic characters only. </p>
<p>I think we need to do an article explaining how to use these functions. Thanks for the info. The code monkeys reading this will find it to be useful.  :)</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: demon</title>
		<link>http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/comment-page-1/#comment-10898</link>
		<dc:creator>demon</dc:creator>
		<pubDate>Tue, 12 May 2009 15:11:11 +0000</pubDate>
		<guid isPermaLink="false">http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/#comment-10898</guid>
		<description>Nice info. What do you think about using ctype_alnum() to prevent anything but alphanumeric characters from being submitted, and ctype_digit() to allow numerical input only?</description>
		<content:encoded><![CDATA[<p>Nice info. What do you think about using ctype_alnum() to prevent anything but alphanumeric characters from being submitted, and ctype_digit() to allow numerical input only?</p>
]]></content:encoded>
	</item>
</channel>
</rss>
