PHP Programs to Prevent MySQL Injection or HTML Form Abuse (
Page 1 of 4 )
It has been known for a while that if a form is unsecured, malicious code in the form of a MySQL injection will be initiated to attack the site. HTML forms such as drop down menus, search boxes and check boxes are all susceptible entry points for this type of abuse. This article will explain what happens in this kind of attack, and how to prevent it.Known Security Issues and Background
The intent of MySQL injection is to take over the website database and administration to steal information. A common open source database like MySQL has been used by many website developers to store important information such as passwords, credit cards, usernames, personal information and administrative information.
This is a serious form of hacking that affects a lot of websites nowadays. You can easily spot it in Google search results with a warning sign: “This site may harm your computer” or when you are visiting the site “Malware detected” in browsers such as Google Chrome or Mozilla Firefox.
MySQL is popular because it is used in conjunction with PHP, the most popular server side scripting language. We also know that PHP is the primary language of Linux-Apache based servers that dominate the Internet. So this means that PHP can be easily exploited by hackers just as spyware is in Windows.
The hacking starts with inputting malicious code into an unsecured website form (via drop menu forms, search boxes, contact forms, inquiry forms and check boxes). Other advanced forms can be injected via session–related URLs, but this topic is beyond the scope of this article. (For details of this process, please refer to the flowchart on the next page).
The malicious code will then be transported to the MySQL database and hence “injected.” To see how this works, first consider the following basic and normal MySQL SELECT statement query:
SELECT * FROM xmen WHERE username = 'wolverine'
This query will ask the database with the "xmen" table to return a certain piece of data in the MySQL for the username "wolverine."
In the web forms, a user will enter
wolverine
, and then this data will be passed to the MySQL query, resulting in the above statement.
If the input is not validated, a hacker can craft the input in such a way as to gain control of the database, for example setting the username to:
' OR ''=''
You may think having the normal PHP and MySQL syntax to process inputs is safe because every time they may enter malicious codes they will get an “Invalid query” message, but it is not.
In reality there are a lot of smart hackers, and they can easily work on this. Once there is a security breach, correcting this will become difficult. It involves cleaning the database and revamping the administrative access.
