INTRODUCTION
Here we continue our protection course with part 2, where we will discuss SQL injection attacks. As I said in the first part, for every attack type I will first explain why it happens and how, so you can better understand the risk and why protecting against it is so important. First, let me explain what SQL injection is. SQL injection is a type of attack where someone "injects" their own commands into vulnerable parameters in order to extract data from your database or from the server. For example, the attacker can dump the users table and use your own login for the administrator panel, so he can do whatever he wants on your website, and more things that will not be mentioned here since I don't want to give anyone ideas. Instead I will explain how and why some websites are vulnerable to this attack.
HOW AND WHY?
Mostly this attack exists because the programmers making websites and applications don't know much about security; they forget, or simply don't want, to test their code before they release it. As you have already guessed, a SQL injection vulnerability can exist anywhere something is asked of, or passed to, the database: URL parameters, login boxes, search boxes, and anywhere else data is read from the database or written to it. For example, take an imaginary URL such as news.php?id=1. If we add the ' mark after the 1, like news.php?id=1', we get a MySQL error such as „You have an error in your SQL syntax; SELECT * FROM news WHERE news_id = '1'' “. What this tells us is that the (') we added is actually passed to the database along with the other data that belongs there, which means we can put commands in place of the (') in order to take something from the database. This may not look important to you, but consider that two commonly used SQL features, LOAD_FILE() and INTO OUTFILE/DUMPFILE, can be used to read or write any file on the server. So someone can easily read your configuration file and download the whole database to his local PC, or use INTO OUTFILE/DUMPFILE to write a web shell and compromise your server. Now you see why SQL injection is one of the most used and most common attacks today. Well, that is one reason; the other is that 90% of pages are vulnerable to it, since there are more and more inexperienced programmers every day.
PROTECTION
The first thing you can do is add something like this to your code: „if(!is_numeric($id)) { die("Nope not vulnerable "); }“. Those of you familiar with PHP will notice this is a simple if() check, which is especially useful for vulnerabilities in URL parameters that are supposed to carry numeric values. As you can see from this code, if anything other than the expected numeric value is attached to the URL, the script stops before the query runs, without throwing any error, so nothing is echoed for the attacker to see; and if the variable is numeric, everything continues as if the added code were not even there. As for other fixes, let me first mention error reporting. It is not a big bug in itself, but it helps attackers gather information, so we should turn it off by adding „error_reporting(0);“ at the top of your script. As for reading and writing files on the server, just make sure that the user your PHP script uses to talk to SQL does not have file permissions, as in 90% of cases it doesn't need them at all. You can do this in a couple of ways, and here is the simplest: „REVOKE FILE ON *.* FROM 'user_name'@'host_name';“
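The numeric guard above, put together with the error-handling advice in one script, as an added example that is not code from the original tutorial. It goes one step beyond the page by also sending the id to MySQL as a bound parameter through PDO, so the value can never be interpreted as SQL even if the guard is bypassed. The table and column names (news, news_id, title), the connection details, and the helper names are assumptions.

```php
<?php
// Added example (not from the original tutorial). Assumes a MySQL table
// `news` with columns `news_id` and `title`, reached through PDO.

// Step 1: the tutorial's numeric guard, as a function so it can be applied
// to every numeric URL parameter before it reaches the database.
// ctype_digit is stricter than is_numeric: it rejects "1'", "1 OR 1=1",
// "1e3", " 1", "-1", "1.5" and "" outright.
function requireNumericId(string $raw): int
{
    if (!ctype_digit($raw)) {
        // Stop here, without echoing the SQL error the tutorial shows.
        http_response_code(400);
        die('Nope not vulnerable');
    }
    return (int) $raw;
}

// Step 2: even with the guard in place, bind the value instead of
// concatenating it into the query string (this goes beyond the page).
function fetchNews(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT news_id, title FROM news WHERE news_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Step 3: keep database error text out of the response, as the tutorial's
// error_reporting(0) intends, but still record it for the operator.
$pdo = new PDO('mysql:host=localhost;dbname=site', 'web_user', 'secret', [
    PDO::ATTR_ERRMODE           => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES  => false, // real server-side prepares
]);

try {
    $id   = requireNumericId($_GET['id'] ?? '');
    $news = fetchNews($pdo, $id);
    echo $news ? htmlspecialchars($news['title']) : 'Not found';
} catch (PDOException $e) {
    error_log('news.php: ' . $e->getMessage()); // goes to the log, not the user
    http_response_code(500);
    echo 'Internal error';
}
```

Requesting news.php?id=1' now returns a 400 with no SQL text, while news.php?id=1 still fetches the row; a query failure is logged server-side and the visitor only sees a generic message.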
That is it about SQL injection protection for now. Some additional instructions and tips can be found in the other tutorial here: „different sql injection tutorial“.
