SQL Injection Attacks
SitePoint Tech Times includes some good things this week on SQL Injection Attacks. Mitchell Harper writes an article summarizing the gist of what an injection attack is and Harry Fuecks provides coding details through a chapter from his excellent PHP Anthology books. Harry also wrote a SitePoint blog entry going into more specific detail about how and why you want to avoid this problem.
To experienced Web developers, it's a cardinal sin: passing user input into a database query without first processing it to escape special characters is bad! But as a beginner-friendly language, PHP is host to this mistake more often than most.
The danger is easy to explain. Your site's security relies on a database query that includes one or more values taken from user input (e.g. login credentials). But, because you neglected to encode special characters in those values, an attacker is able to bypass your site's security by entering carefully-chosen values that alter the meaning of the query.
PHP's magic quotes feature is designed to save inexperienced coders from themselves. Values in the $_GET, $_POST, $_COOKIE, and $_REQUEST arrays have backslashes added to them so that they are safe for use in database queries. But magic quotes isn't enabled on all servers, and not all user input arrives through the $_GET, $_POST, $_COOKIE, and $_REQUEST arrays, which are the only ones magic quotes protects.
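To make the two preceding paragraphs concrete, here is an added example (not code from the post or from the linked SitePoint articles) showing the login check described above built by string concatenation, beside the same check written as a prepared statement that does not depend on magic quotes at all. The table, the user record and the crafted password value are constructed for the demonstration; it runs against an in-memory SQLite database through PDO so nothing beyond a PHP build with pdo_sqlite is assumed.

```php
<?php
// Added example, not part of the original post. Constructed schema and data:
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'correct-horse')");

// Vulnerable form: the user-supplied strings are pasted into the SQL text, so a
// quote character in the input changes the structure of the query rather than
// just the value being compared. This is the mistake the post describes.
function loginUnsafe(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$user' AND password = '$pass'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Hardened form: the SQL text is fixed in advance and the values are passed
// separately as parameters, so the database always treats them as data. This
// holds whether or not magic quotes is enabled, and for input from any source,
// not only the $_GET/$_POST/$_COOKIE/$_REQUEST arrays that magic quotes covers.
function loginSafe(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE username = ? AND password = ?");
    $stmt->execute([$user, $pass]);
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed sample of a "carefully-chosen value" that alters the query's meaning
// when concatenated, but is just an unmatched password when bound as a parameter.
$crafted = "' OR '1'='1";

var_dump(loginUnsafe($db, 'alice', 'correct-horse'));
var_dump(loginUnsafe($db, 'alice', $crafted));
var_dump(loginSafe($db, 'alice', 'correct-horse'));
var_dump(loginSafe($db, 'alice', $crafted));
```

Running it shows the difference the post is warning about: `loginUnsafe` accepts both the real password and the crafted value, because the crafted value turns the WHERE clause into a condition that is always true, while `loginSafe` accepts only the real password. The practical lesson for the magic quotes paragraph is that escaping is a property of the input-handling path, which varies between servers and input sources, whereas parameter binding is a property of the query itself and so protects every call site regardless of configuration.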
Posted by Tom on July 08, 2004