Home arrow PHP arrow PHP Programs to Prevent MySQL Injection or HTML Form Abuse

PHP Programs to Prevent MySQL Injection or HTML Form Abuse

It has been known for a while that if a form is unsecured, malicious code in the form of a MySQL injection will be initiated to attack the site. HTML forms such as drop down menus, search boxes and check boxes are all susceptible entry points for this type of abuse. This article will explain what happens in this kind of attack, and how to prevent it.

TABLE OF CONTENTS:
  1. PHP Programs to Prevent MySQL Injection or HTML Form Abuse
  2. The Flow of User Input (Without Validation)
  3. Validating Numeric Input
  4. Validating Text and Email Input
By: Codex-M
Poor Best
Rating: starstarstarstarstar / 21
January 07, 2009

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement

Known Security Issues and Background

The intent of MySQL injection is to take over the website database and administration to steal information. A common open source database like MySQL has been used by many website developers to store important information such as passwords, credit cards, usernames, personal information and administrative information.

This is a serious form of hacking that affects a lot of websites nowadays. You can easily spot it in Google search results with a warning sign: “This site may harm your computer” or when you are visiting the site “Malware detected” in browsers such as Google Chrome or Mozilla Firefox.

MySQL is popular because it is used in conjunction with PHP, the most popular server side scripting language. We also know that PHP is the primary language of Linux-Apache based servers that dominate the Internet. So this means that PHP can be easily exploited by hackers just as spyware is in Windows.

The hacking starts with inputting malicious code into an unsecured website form (via drop menu forms, search boxes, contact forms, inquiry forms and check boxes). Other advanced forms can be injected via session–related URLs, but this topic is beyond the scope of this article. (For details of this process, please refer to the flowchart on the next page).

The malicious code will then be transported to the MySQL database and hence “injected.” To see how this works, first consider the following basic and normal MySQL SELECT statement query:


SELECT * FROM xmen WHERE username = 'wolverine'


This query will ask the database with the "xmen" table to return a certain piece of data in the MySQL for the username "wolverine."

In the web forms, a user will enterwolverine , and then this data will be passed to the MySQL query, resulting in the above statement.

If the input is not validated, a hacker can craft the input in such a way as to gain control of the database, for example setting the username to:

' OR ''=''

You may think having the normal PHP and MySQL syntax to process inputs is safe because every time they may enter malicious codes they will get an “Invalid query” message, but it is not.

In reality there are a lot of smart hackers, and they can easily work on this. Once there is a security breach, correcting this will become difficult. It involves cleaning the database and revamping the administrative access.



 
 
>>> More PHP Articles          >>> More By Codex-M
 

blog comments powered by Disqus
   

PHP ARTICLES

- Hackers Compromise PHP Sites to Launch Attac...
- Red Hat, Zend Form OpenShift PaaS Alliance
- PHP IDE News
- BCD, Zend Extend PHP Partnership
- PHP FAQ Highlight
- PHP Creator Didn't Set Out to Create a Langu...
- PHP Trends Revealed in Zend Study
- PHP: Best Methods for Running Scheduled Jobs
- PHP Array Functions: array_change_key_case
- PHP array_combine Function
- PHP array_chunk Function
- PHP Closures as View Helpers: Lazy-Loading F...
- Using PHP Closures as View Helpers
- PHP File and Operating System Program Execut...
- PHP: Effects of Wrapping Code in Class Const...
Find More PHP Articles

Developer Shed Affiliates

 

© 2003-2013 by Developer Shed. All rights reserved. DS Cluster - Follow our Sitemap

Dev Shed Tutorial Topics: