SQL injections

  • rtm223
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 1855
  • Loc: Uk

Post 3+ Months Ago

Ok, I know this is dodgey ground for this forum, but the only reason I am interested in SQL injections is for security and hardening database apps. I just read this article:

http://www.sitepoint.com/article/sql-in ... acks-safe/

which is pretty good, and explains a good deal about the main types of injection technique, and some methods of preventing them. It is specifically geared towards ASP though. I tried googling for some PHP tutorials but came up with nothing much other than stuff to do with postnuke etc.

Does anyone know a good tutorial for preventing SQL injections in PHP/MySQL?

In addition, I didn't get what the the double hyphen ( -- ) at the end of the injection was all about?

Thanks guys
  • Carnix
  • Guru
  • Guru
  • User avatar
  • Posts: 1098

Post 3+ Months Ago

-- is a comment delimiter in SQL, keeps the last single-quote from causing ASP or the SQL parser from returning a syntax error.

For the most part, I'd guess that the hardening techniques presented in that article could be applied to PHP as well. I mean, really, both languages interact with HTML in similiar ways, though they have different built-in method to do it. Regardless, it's still POST or GET key/value pairs. If the key is passwd, you can manipulate the value.

The way I handle this in whatever language (I've done CF, PHP and ASP authentication schemes) is to never include a password argument in the WHERE clause. Ask the database about the username (which is, of course a unique index), then in your code, examine the passwords. If they put in some garbage for the username, the database will return an empty array (or recordset, or whatever it returns on your system). Also, remember, you're only looking for one record, after all, so there is no reason to loop through the returns.

Let me clarify what I mean by "Ask the database about the username" a little bit:

You might use, for example:
Code: [ Select ]
$sql = "SELECT uid,username,passwd FROM users WHERE username='carnix';";


if($db_password == $html_password){ return true; }
  1. $sql = "SELECT uid,username,passwd FROM users WHERE username='carnix';";
  2. ...
  3. if($db_password == $html_password){ return true; }

That's a very stipped down version, of course, but you get the picture, I think.

Post Information

  • Total Posts in this topic: 2 posts
  • Users browsing this forum: No registered users and 40 guests
  • You cannot post new topics in this forum
  • You cannot reply to topics in this forum
  • You cannot edit your posts in this forum
  • You cannot delete your posts in this forum
  • You cannot post attachments in this forum

© 1998-2017. Ozzu® is a registered trademark of Unmelted, LLC.