SQL injection, insertion – Security Tips

  • Category : Website Security
  • Posted on : Apr 12, 2011
  • Views : 1,691
  • By : Icarus M.
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literalescape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.
 
SQL injection is an attack where malicious code is passed to an SQL Server for execution. The attack can result in unauthorized access to confidential data, or destruction of critical data.

 
Before you try to read the methods below, realize that this should only be a concern for PHP developers and the like. If you are using a database driven program (e.g. WordPress, Joomla, OSCommerce), then all you need to do is upgrade your programs to the latest version available.
  
 

METHODS TO PREVENT SQL INJECTION

   
Escaping
One way to prevent injections is to escape dangerous characters (i.e. backslash, apostrophe and semicolon). In PHP, it is typical to escape the input using the function mysql_real_escape_string before sending the SQL query. Example:
 
 
$Uname = mysql_real_escape_string($Uname);
$Pword = mysql_real_escape_string($Pword);
$query = "SELECT * FROM Users where UserName='$Uname' and Password='$Pword'";
mysql_query($query); 
 
   
Parameterized statements
A parametrized query uses placeholders for the input, and the parameter values are supplied at execution time.
 
 
$params = array($Uname, $Pword);
$sql = 'INSERT INTO Users (UserName, Password) VALUES (?, ?)';
$query = sqlsrv_query($connection, $sql, $params); 
 
 
    
Advanced: In PHP version 5 and above, there are multiple choices for using parameterized statements; the PDO database layer is one of them. There are also vendor-specific methods; for example, MySQL 4.1 + used with the mysqli extension.

Subscribe Now

10,000 successful online businessmen like to have our content directly delivered to their inbox. Subscribe to our newsletter!

Archive Calendar

Sat Sun Mon Tue Wed Thu Fri
 1
2345678
9101112131415
16171819202122
23242526272829
30  

Over 20000 Satisfied Customers!

From 24/7 support that acts as your extended team to incredibly fast website performance

Zelt staff were fantastic, I had a concern with a domain and they got back to me very quickly and they helped me to resolve the issue!

author
Technician, Diageo PLC

I'm using Zelt for my portfolio since 2006. The transition was seamless, the support was immediate, and everything works perfectly.

author
Photographer, Allister Freeman

Very easy to understand & use even though I am not very technologically minded. No complications whatsoever & I wouldn't hesitate to recommend it to all.

author
Actor, A&J Artists

Zelt support team have been amazingly responsive and helpful to any of my queries, thank you so much to the Zelt have been amazingly responsive and helpful to any of my queries 👍👍👍

author
Technician, Diageo PLC

Anytime I've had a problem I can't solve, I've found Zelt to be diligent and persistent. They simply won't let an issue go until the client is happy.

author
Doctor, SmartClinics

Zelt support team have been amazingly responsive and helpful to any of my queries, thank you so much to the Zelt have been amazingly responsive and helpful to any of my queries 👍👍👍

author
Freelancer, Fiverr

24/7 World-Class Support

Ran into trouble? Contact our Customer Success team any time via live chat or email.

  • Receive professional WordPress support
  • Our specialists are available round
Get Support