How to Prevent SQL Injection in PHP

In the previous article, we discussed what SQL injection is. Here we will discuss how to prevent SQL injection in PHP.

Why Does an SQL Injection Occur?

An SQL injection risk arises every time a programmer builds a dynamic database query that contains user input. That leaves two ways to prevent SQL injection:

    • Don’t write dynamic database queries.

    • Don’t allow user input in your queries.

Validate all input to your application for type, length, format, and range. By constraining the input used in your data access queries, you protect your application from SQL injection. The coding techniques below apply in any programming language. Where you use regular expressions, reject any characters that are not on your allow list.

 

To protect your application from SQL injection, perform the following steps:

Primary Defenses:

    • Step #1: Use Prepared Statements (Parameterized Queries)

Language-specific recommendations:

    1. Java EE – use PreparedStatement() with bind variables

    2. .NET – use parameterized queries such as SqlCommand() or OleDbCommand() with bind variables

    3. PHP – use PDO with strongly typed parameterized queries (using bindParam())

    4. Hibernate – use createQuery() with bind variables (called named parameters in Hibernate)

    5. SQLite – use sqlite3_prepare() to create a statement object

    • Step #2: Use Stored Procedures

    • Step #3: Escape All User-Supplied Input

Additional Defenses:

    • Also Enforce: Least Privilege

    • Also Perform: Whitelist Input Validation
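As an added example (not code from the original article), here is the vulnerable string-concatenation pattern beside the PDO prepared-statement fix that Step #1 recommends for PHP, with the whitelist validation, least-privilege account and error handling from the other steps folded in; the table `users(id, name)`, the host, database name and password are placeholders.

```php
<?php
// Added example (not from the original article): the vulnerable pattern beside the
// PDO fix the article recommends. Assumes a table users(id, name); host/db/password are placeholders.

// VULNERABLE: the URL parameter is concatenated straight into the SQL text,
// so whoever controls ?id= controls the query.
function findUserUnsafe(PDO $pdo, string $rawId): ?array
{
    $sql = "SELECT id, name FROM users WHERE id = " . $rawId;
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// SAFE: whitelist-validate the input, then bind it as a typed parameter.
// The SQL text is fixed at prepare() time; the bound value can never change its structure.
function findUserSafe(PDO $pdo, string $rawId): ?array
{
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $rawId)) { // an id is a positive integer, nothing else
        return null;
    }
    $id = (int) $rawId;
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindParam(':id', $id, PDO::PARAM_INT); // strongly typed bind, as the article recommends
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection settings that back the article's other steps.
function connect(): PDO
{
    return new PDO(
        'mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'app_readonly',         // least privilege: an account with only the rights the app needs
        'PASSWORD_PLACEHOLDER', // in practice loaded from a separate config file
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // errors become exceptions we catch below
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]
    );
}

try {
    $user = findUserSafe(connect(), $_GET['id'] ?? '');
    echo $user ? htmlspecialchars($user['name']) : 'not found';
} catch (PDOException $e) {
    error_log($e->getMessage()); // log the real error server-side...
    http_response_code(500);
    echo 'A database error occurred.'; // ...never show the system error message to the user
}
```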

 

There are three types of SQL Injection attack:

    1. First Order Attack – The attacker simply enters a malicious string and causes the modified code to be executed immediately.

    2. Second Order Attack – The attacker injects into persistent storage (such as a table row) which is deemed a trusted source. The attack is subsequently executed by another activity.

    3. Lateral Injection – The attacker manipulates the implicit function To_Char() by changing the values of the environment variables NLS_Date_Format or NLS_Numeric_Characters.

 

Don’t build queries straight from a URL parameter (like http://www.target.com/index.asp?id=123), because an automated tool such as Havij or SQL Fever will find and exploit it easily.

 

Ten steps that help protect your website from SQL injection:

1. Use dynamic SQL only if there is no other alternative

2. Always escape user input

3. Always assume magic quotes is off

4. Install security updates and patches regularly

5. Remove all dead SQL and other code that you don’t use

6. Never display the system-defined error message for SQL errors

7. Store database credentials in a separate file

8. Use the principle of least privilege

9. Disable shells

10. Use SQL injection testing tools to check your own site for vulnerabilities

One Comment

  • Free Birthday Stuff, January 28, 2020 at 3:01 am

    Very great post. I just stumbled upon your blog and wished to say that I’ve truly loved browsing your weblog posts. In any case I’ll be subscribing to your feed and I hope you write once more soon!