Subtract
Subtract

Preventing SQL Injection in PHP

Preventing SQL Injection in PHP

Do you remember this great xkcd comic ?

Credits: XKCD

Let’s break this down and see the problem. Consider the following form of a MySQL query in PHP :

mysql_query("INSERT INTO Students VALUES ('" + FNMName.Text + "', " + LName.Text + ")";

Substituting the above value of name for FNMName.Text and an imaginary surname for LName.Text results in not one, but two queries :

INSERT INTO Students VALUES ('Robert'); DROP TABLE Students;--', 'FooBar')

And there goes the table. This technique of attacking data-driven applications by injection malicious SQL code is known as SQL Injection. Well-written applications that employ proper checks can easily defend themselves against this method. Here are some ways in which apps written in PHP can check SQL Injection.

Prepared Statements and Parameterized Queries

Let’s discuss this method using the two common interfaces that PHP provides for database connections : PDO and MySQLi.

PDO
$stmt = $pdo->prepare('SELECT * FROM Students WHERE name = :name'); $stmt->execute(array('name' => $name));

foreach ($stmt as $row) {
// do something with $row

}

$stmt = $databaseCnn->prepare('SELECT * FROM Students WHERE name = ?'); $stmt->bind_param('s', $name);
$stmt->execute();
$result = $stmt->get_result();

while ($row = $result->fetch_assoc()) {

// do something with $row

}

While using PDO, the database connection must be set up correctly so that PDO knows that real parameterized queries have to be used, and not emulated ones. Something like this:

$databaseCnn = new PDO('mysql:dbname=test;host=127.0.0.1;charset=utf8', 'uname', 'passwd');

$dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

What happens with prepared statements is that the database server parses and compiles them before executing. The `?` and the `:name` parameters tell the server where the query should be filtered.

When the query is executed, the server combines the query with the search params. The method prevents Injection attacks by treating the query separately (as a query and not as a string) from the params which are treated like strings (or numbers, for optimization purposes).

Hence, passing a name above like `”Robert’); DROP TABLE Students;–“` will just result in one query instead of two which searches for a student with a rather weird name.

MySQLi (for MySQL)

SELECT * FROM Students WHERE name = “Robert’); DROP TABLE Students;–“;

An additional benefit of using parameterized queries is that when executing multiple queries of the same kind, minor speed gains can be attained because the server compiles and parses the query once only.

Escaping Literals

Escaping the special characters in user-entered parameters is another technique to prevent Injection attacks. In comparison to prepared statements, this method requires much fewer changes.

// setup connection

$unsafe_variable = $_POST["user-input"];
$safe_variable = mysql_real_escape_string($unsafe_variable);

mysql_query("Select * FROM Students (name) VALUES ('" . $safe_variable . "')");

The `mysql_real_escape_string` function call its MySQL equivalent function `mysql_real_escape_string` which prepends backslashes to certain special characters.

Note : `mysql_real_esape_string` is deprecated. Please refer the PHP documentation page for alternatives.

Possible attack

Consider :

$query = "SELECT * FROM Students WHERE id = " . $safe_variable; // safe variable as defined above

Since the value expected for id is an integer, it is not surrounded by quotes. But, Injection here is still possible because a parameter of the following kind will pass through the escape check :

`UNION SELECT password FROM users`

In such cases, it’ll be essential to conduct checks validating that the param contains only digits.

Whitelisting

Whitelisting deals with dynamic queries, i.e., queries whose structure changes with user input. Consider the following example in which the user generates a dynamic query by deciding how the results should be ordered :

$orders = array("name","price","qty"); //field names
$key = array_search($_GET['sort'],$orders)); // see if we have such a name; $orderby = $orders[$key]; // FALSE evals to 0
$query = "SELECT * FROM `table` ORDER BY $orderby";

The above two methods can also be used to protect identifiers. They can be escaped to prevent attacks or placeholders can be devised for identifiers in the same manner as placeholders were put in place for column values. We might call these identifier placeholders.

Hacks based on Input Types

Integer Input

This basically implies that the programmer makes sure that the user-entered input really is an integer. Here’s a neat way to do it :

$query = sprintf("SELECT 1,2,3 FROM table WHERE 4 = %u", $input); Other than Integer

Just hex the parameter to escape it. The relevant PHP function here is bin2hex() . However, all such params have to be prepended with 0x or the MySQL function UNHEX be used.

`SELECT * FROM Students WHERE name = ‘Robert’`

becomes

`SELECT * FROM Students WHERE name = 0x526f62657274 — UNHEX(‘526f62657274’)`

While UNHEX is robust and works like magic, 0x only works on certain data types and gives an error if an empty string is passed to it.

Last, but not the least, make sure before proceeding with any method that the user input hasn’t been mutated with `magic_quotes` or similar methods. The input will need to be sanitized using `stripslashes` etc.

Popular Tags

Optimization
Code
Code
Optimization
Startup
Religion

Related Posts

See more

Jobs almost killed the iPhone

The iPod accounted for more than half of Apple’s sales back in the day. It was the cornerstone product Steve Jobs could not allow to fail. However, it became increasingly evident that a music player alone was insufficient, with a phone incorporated it would be much more practical. The solution was plain; Apple had to produce its own future phone in order to stay competitive.

In addition to the iPod, the era of iPod-based Apple was also coming to an end. Engineering personnel within Apple had been proposing this concept since the early 2000s. Despite this, Steve demonstrated conviction. Apple would not create a cellular gadget in the near future. For one, he appeared to have a distaste for corporations. In 1984, when introducing the first-ever Macintosh, Steve presented Apple as a “rebel force” which provided optimism against the “evil empire,” IBM.

Apple grew into a large corporation itself – but not surprisingly it remained in Steve’s view as the “world’s largest startup.” Creating a smartphone necessitated interacting with phone carriers such as Verizon, also known as the malevolent titans of industry.

Jobs, in particular, predicted that smartphones would evolve not as a must-have status symbol, but rather as a glorified Swiss army knife that appealed to a geekier, “pocket protector” crowd, as he called it.

It took herculean efforts of his engineers like Sakoman and others to convince Jobs to build the phone. this was their first iPhone .

The rest they say is history – unlike what most people think it was this iconic move that made apple a trillion dollar company.

If you don’t find ways to kill your product  the market most certainly will

  • 2 mins read

GuerrillaFoo

Guerrilla marketing is always something I’ve been a fan of.  The gist of it is that it’s a  strategy that utilizes unconventional and creative tactics to promote a product or service, typically on a low budget. This type of marketing is highly targeted and aims to create buzz and generate attention. I’ll share a story here that caught my attention during startup school.

Legend has it that there was this big fintech conference happening in the valley and to have your logo featured on the stage and in other places – you needed to pay for a sponsorship that cost hundreds of thousands of dollars. Stripe was a young startup back then and it was taking on PayPal – the Goliath. What the team at Stripe did was take some bank notes, put them in a bucket and froze them overnight. On the day of the conference they turned up to the venue – put the money (now inside ice cubes) near the entrance and held a placard saying – “Paypal freezes your money – Try Stripe !”. This got the attention of EVERY single person at the conference. Stripe also did something clever – they paid the bellhops at the hotels and had them slip a brochure of their product into every room which had conference attendees. This would have cost a bomb to do otherwise – sponsoring the event and include this brochure as part of the SWAG kit. One thing was clear, at the end of this event, every single person knew about Stripe, was discussing their antics and several of them tried Stripe over the coming days.

The next story is somewhat different. On average a successful startup returns about 676% over the course of its lifetime – Wufoo returned around 30,000% ! Yes you red that right if you had invested $10k during their initial fundraise, you would have made around $30M when they were sold to SurveyMonkey a few years later. Such outliers naturally grab my attention and I was looking at some of the things they did right.

I’ll share a story of when they used a form of  Guerrilla marketing to get outsized returns. Most companies in the 2000s used to run hackathons when they came out with a new API and used to give out iPads or iPhones as prizes – this was the norm and was getting kind of boring. Wufoo wanted to try something different, the founding team and early employees were medieval nuts. They contacted a forge and got an actual battle axe built which would be the prize. Talk about weaponizing programming !!

At the end of this hackathon Wufoo got an Android app, an iPhone app and a WordPress plugin for their platform. This would be otherwise impossible to build for the small team with the money and resources they had. Lots of developers continued to remember and discuss this cool hackathon in the coming days and the traction in dev community was unbelievable.

  • 3 mins read

Instaform ?

Ship fast and improve faster based on what customers tell you – this has always been our mantra. The faster we can start getting feedback from customers – the faster we can iterate and improve our offering. This feedback loop is oxygen for startups like us,  it helps us validate our ideas, identify problems early on, and adjust our approach accordingly. A couple of extreme examples of this approach caught my eye recently.

Brex calls themselves the OS of scaling startups and have a great banking experience today – I have tried a few similar services myself and can say their product is among the best. The story is when they started off they just had a web form and a virtual credit card they could generate with an internal tool. With that they started on boarding customers. Imagine running a bank like this – no login, no way to see spends, no way to manage accounts or any of the things we take for granted. EVERY SINGLE one of these features was built in once the product was live and was based on customer feedback and needs. Pretty amazing and takes a lots of guts to do.

The next story is from Instacart – a grocery delivery and pick-up app. This product was launched with just a form on the site. Users literally filled up a form with their grocery list and the founder or her friends drove around, picked up the stuff and delivered. That’s it – simple and scary. Many founders I know will first try and raise a few million dollars, build sophisticated warehousing, inventory management and mobile apps before earning that 1st dollar in revenue.

  • 2 mins read
Subtract

Menu

Subscribe

Sign up for articles on how you can put AI to work for you

©2023 All rights reserved
Scroll to Top