pK Categories

pK Archives

Preventing SQL Injections In Secure PHP Programming

SQL Injection is a technique used by hackers to attack websites that accept GET or POST data. This is typically submitted to the server from web forms, but can be submitted directly to the web server using other methods besides a browser. The results of successful SQL Injection (and Code Injection) include accessing/modifying the MySQL Database, accessing/modifying the file system, viewing and stealing scripts, passwords, and other private information, and some others. Whatever the case may be, you do not want an attacker to successfully submit an SQL Injection against your website and there are steps you can take to prevent this security vulnerability from being exploited.

1. Perform strict input validation on any data submitted by a user or hacker. By default, follow the standard of denying over accepting. The submitted data must prove to be valid else it should be rejected. Methods include regular expression matching, character filtration, and preventing encoding attacks, etc.

2. Replace direct SQL Statements with stored procedures, prepared statements, or ADO Command Objects.

3. Implement default error handling to include error messages for all errors. Do not rely on the server for error handling. Your custom error messages and error redirection handling will indicate to hackers and attackers that you have put some thought into preventing their attacks. Default messages and handling often indicates to attackers that you overlooked potential security vulnerabilities and therefore become a bigger target for being hacked.

4. Lock down ODBC (Open Database Connectivity) to only what you need for your applications to communicate with your MySQL Database, or other database. Disable database messaging to users else they may learn more about your MySQL Database than you would want. Do not allow regular SQL Statement to pass through your system, especially those generated by users. Always form your SQL Statements internally and outside the influence of users. Submitted data may be included in your SQL Statements, but only if strict filtration for cleansing and validation have been applied first.

5. Secure and lock your MySQL Database Server Configurations. By specifying the users and roles those users may play when interacting with your MySQL Database, you can limit access by one user to another database or to other database tables. Administrative roles have a different amount of MySQL Database access than regular site members, which also different from regular users browsing the site.

6. Do not let your web server operate as the root or administrative user. Restrict permissions for your web server to roles like WWW or similar.

Remember, hackers are constantly profiling systems to hone their attacks. Reveal the least amount of information and limit access as much as necessary, while allowing your web application to perform necessary functions. Limit error messaging both in your scripts and in the server’s default mechanisms to provide helpful feedback, but not create security issues. There are many ways a server reveals profile information such as the sever type and version, the flavor of PHP, and directory/pathway structures in error messages. These combine into nice profiling guides for hackers. The more you limit this type of information, the less likely a hacker will speedily attack your applications.

Look for regular expression matching, regular expression replacements, string matching and replacements, htmlspecialchars, stripslashes and addslashes, and many more great techniques for filtering, cleansing and validating the data submitted by your users, or by your hackers.

If you are unsure whether your website is safe and secure, contact The PHP Kemist 801.253.2564 for Web and Database Security Programming, and for PHP Security Code Reviews, or contact Emagined Security for a fully qualified Security Consultation and for Extensive Security Evaluations, Security Scans and Security Reviews.

Leave a Reply