[TUT][PHP] Basic Protection from SQL Injection

Discussion in 'Web Programming' started by Affix, Oct 15, 2008.

  1. Affix

    Affix Newcomer

    Joined:
    Oct 15, 2008
    Posts:
    12
    Referrals:
    0
    Sythe Gold:
    0
    [TUT][PHP] Basic Protection from SQL Injection

    SQL injection is injecting SQL through a GET or POST from a script into the SQL. For example:

    Code:
    member.php?id=6
    The code for SQL may be

    PHP:
    // The request value is pasted straight into the query text: this is the injectable version.
    $id = $_GET['id'];
    $row = mysql_query("select * from `members` where id=$id");
    This would allow the attacker to execute a UNION SELECT statement. This would look like:

    Code:
    member.php?id=' UNION SELECT concat(username,char(58),password) FROM members
    
    A possible output would be

    Affix:d8b9bb5e644429268d274cf03c6d6e06

    All you would need to do is crack the hash

    So how exactly do you stop this attack?

    It's simple. There are many methods of protecting from SQL injection. I use 2. These are the ones I'm going to teach you.

    If it's a simple numerical ID such as the example above, just add a value check. In the above code it would look like below.

    PHP:
    $id = $_GET['id'];
    // Refuse anything that is not a number before it gets anywhere near the query.
    if (!is_numeric($id)) { die("GTFO MY SERVER NOOB"); }
    $row = mysql_query("select * from `members` where id=$id");
    Now if I tried to execute my UNION statement I would get an error:

    GTFO MY SERVER NOOB

    Now what if you are using a string, such as a search? A UNION would be used the same way.

    This way I would use 'mysql_real_escape_string'.

    This would look like

    PHP:
    // Escape quote and control characters in the value before it is placed in the query.
    $id = mysql_real_escape_string($_GET['id']);
    This string is now properly escaped and will not allow successful execution of SQL injection. Your code will look like the following.

    Learn more on SQL Injection : http://static.ihack.co.uk/affix/SQL_Injection_Handbook.pdf
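An added example, not code from Affix's post or from any of the replies: the tutorial's two cases, the numeric ID and a free-text value, handled with a stricter ID check and with PDO prepared statements, which bind the value as data instead of pasting it into the SQL string. It uses an in-memory SQLite database so it runs offline (the pdo_sqlite extension is assumed); the `members` table, its one row and the hash placeholder are constructed here, and the function names isValidId, buildUnsafeQuery, setUpDb, fetchMemberSafely and searchMembers are this example's own.

```php
<?php
// Added example, not code from the thread. Requires the pdo_sqlite extension.
declare(strict_types=1);

// The tutorial's first defence was is_numeric(). ctype_digit() is stricter: it only
// accepts an unsigned run of ASCII digits, so "1e3", "-1", " 6" and "6.0" are all rejected.
function isValidId(string $raw): bool
{
    return ctype_digit($raw);
}

// How the vulnerable snippet in the post assembles its query: the raw request value is
// pasted into the SQL text, so anything the client sends becomes part of the statement.
function buildUnsafeQuery(string $rawId): string
{
    return "select * from `members` where id=$rawId";
}

// Constructed in-memory stand-in for the post's `members` table (the hash is a placeholder).
function setUpDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL)');
    $db->exec("INSERT INTO members (id, username, password) VALUES (6, 'Affix', 'PLACEHOLDER-HASH')");
    return $db;
}

// Numeric-ID case: validate first, then bind the value so it can only ever be an integer.
function fetchMemberSafely(PDO $db, string $rawId): ?array
{
    if (!isValidId($rawId)) {
        return null;   // reject; the caller chooses the HTTP response instead of die()
    }
    $stmt = $db->prepare('SELECT id, username FROM members WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Free-text case (the post's search example): no escaping step at all. The bound string is
// sent as data, so quotes or UNION keywords inside it are compared, never parsed as SQL.
function searchMembers(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username FROM members WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = setUpDb();
// The payload from the post, as the value of ?id= would arrive after URL decoding.
$payload = "' UNION SELECT concat(username,char(58),password) FROM members";

echo "Unsafe query text: ", buildUnsafeQuery($payload), PHP_EOL;
echo "isValidId('6'): ", var_export(isValidId('6'), true), PHP_EOL;
echo "isValidId(payload): ", var_export(isValidId($payload), true), PHP_EOL;
echo "Lookup id 6: ", json_encode(fetchMemberSafely($db, '6')), PHP_EOL;
echo "Lookup payload: ", json_encode(fetchMemberSafely($db, $payload)), PHP_EOL;
echo "Search for payload as a username: ", json_encode(searchMembers($db, $payload)), PHP_EOL;
```

Run it with the `php` command-line binary. The mysql_* functions used in the post were removed in PHP 7; the escaping approach survives as mysqli_real_escape_string() (or PDO::quote()), but it still depends on the query string being assembled correctly every time, whereas a bound parameter never reaches the SQL parser as code. ctype_digit() replaces is_numeric() because is_numeric() also accepts forms such as "1e3" and " 6" that are not row ids.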
     
  2. Supah Fly

    Supah Fly Active Member
    Banned

    Joined:
    Aug 22, 2007
    Posts:
    202
    Referrals:
    1
    Sythe Gold:
    0
    [TUT][PHP] Basic Protection from SQL Injection

    I've just started using mysql_real_escape_string.

    I didn't use it before because it's a pain to type out.

    trim, addslashes, htmlentities can also help. No HTML injection or whitespace at the end if you're parsing (idk why you would, but it's possible).

    addslashes, I think you would need to escape ' or " before anyway.
     
  3. FartKnocker

    FartKnocker Forum Addict

    Joined:
    Sep 3, 2007
    Posts:
    285
    Referrals:
    0
    Sythe Gold:
    5
    [TUT][PHP] Basic Protection from SQL Injection

    stripslashes();
    htmlentities();

    Could help also. Making sure that only alphanumerical characters are entered helps too :D.
     