HomePHP Page 2 - PHP Programs to Prevent MySQL Injection or HTML Form Abuse
The Flow of User Input (Without Validation) - PHP
It has been known for a while that if a form is unsecured, malicious code in the form of a MySQL injection will be initiated to attack the site. HTML forms such as drop down menus, search boxes and check boxes are all susceptible entry points for this type of abuse. This article will explain what happens in this kind of attack, and how to prevent it.
If you are a beginner in MySQL and PHP, it would be useful to illustrate the flow of user information. Please check the screen shot of what will happen if the user input is not validated:
You can observe that even after the database or malware clean up, as long as the website form input is not validated, we will see re-infection of the website. Two common misconceptions of MySQL injection attacks are as follows:
The webmaster thinks that malware injection can be cleaned up using anti-virus or anti-spyware software. It cannot be cleaned up in this way because this type of infection exploits the weaknesses of MySQL databases. It cannot simply be removed by any spyware or anti-virus program.
MySQL injection is a virus infection as a result of having copied infected files from another server or outside sources. It is not. This type of infection is a result of having someone type malicious codes into any unprotected forms in the website, and then gaining access to the database. Virus infection as a result of a MySQL injection can be cleaned by removing the malicious scripts and not by using anti-virus programs.
Flow of User Input (With Validation)
It is highly important to back up a clean database and put it outside the server. It is very easy to export a set of MySQL tables and save it to your desktop, for example. Double check to make sure the database contains the exact and clean entries that you expect.
Then go to your server and temporarily shut the forms input first. This means the form cannot accept data to be processed; this will also mean that your website will be shut down, too.
Then start the clean up process. First, on your server, clean up any mess left by the MySQL injection. Change all database, FTP and website passwords.
In the worst-case scenario, if you clean up late, you can double check for any backdoor programs running on your server. These backdoor programs are some form of Trojan installed by the hacker. Remove it completely and change all the FTP permissions to something for which hackers cannot simply write a file to any directory. Scan your server for Trojans and installed malware. In a truly worst- case scenario, they may be hidden.
This is when you modify the PHP script that will process the form data. A good principle to prevent MySQL injection is: DO NOT EVER TRUST USER DATA. Remember, the Internet is a public place, and forms are exposed to all types of people, good or bad. Your form is analogous to the doors of your home, which you should be locking when you are away to prevent criminals from entering.
User input validation is very important to prevent MySQL injection and to make sure that all inputs that go to the database are sanitized and will not cause database errors or infection.
Below is what happens to a validated user input:
In the above example the data will not be forwarded to the MySQL database without first verifying that the user input is valid. Designing a filter to screen out user input depends on your application, but I will outline helpful tips below:
If the input to a form is numeric, then you can validate if it is a number by just testing if it is equal or greater than 0.001 (assuming you do not accept a zero).
If the input is an email address, then it will validate if the characters are only a combination of allowable characters like “@”, A-Z, a-z or some numbers. A quotation mark is not acceptable in an email address.
If the input is the name of a person or a username, then it will validate if it does not contain any illegal characters such as ‘ ‘ and * which are malicious characters that can be used for SQL injection.