CodeClerks

SQL Injection Basics: How to prevent your website from being hacked


Say you hired a programmer who really didn't know what he or she was doing, but could code just enough to get by as a "programmer". Say he or she didn't understand that you need to secure variables, and left them unsecured. Do you know what happens next? Yes, you probably guessed: your website could be hacked, and most likely will be!

Hackers love to find exploits in code and will abuse them to gain access to the website. They find it fun to get in, they love the challenge, and they won't stop until they succeed. If you don't secure your variables, they will ultimately get into your website!

How do you secure your variables? This topic is generally too big for a single discussion, but I'll try to provide as much information as possible. You need to escape your $_POST, $_GET, $_SESSION and all other variables you are using.

Escaping
This is easily done with the mysqli_real_escape_string function (do not use the mysql extension; it has been deprecated since PHP 5.5.0).

Special Characters
If you allow special characters to be entered and then displayed, you must look into the htmlspecialchars function.

Additional security can include:

  • Disallowing special characters such as >, < and '
  • If an input is an integer, making sure to cast it with (int) or intval, check it with the is_numeric function, or use the preg_replace function to strip every character except digits
  • Not exposing the database details (table and column names): prevent error messages from appearing on the front end
  • Stripping all characters except letters with the preg_replace function (preg_replace can do a lot of things)
  • Stripping tags with the strip_tags function
  • Using PDO and prepared statements

There's much more to securing your PHP website than what is listed here; this is just the basics. There are many ways and methods, so choose what works best for you, and always stay up to date with any exploits that are found.
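To put the tips above side by side, here is an added PHP example that is not code from the original post: the unsafe pattern of pasting a request parameter into the query, next to the hardened version (integer check, prepared statement, htmlspecialchars on output, and database errors kept out of the browser). The `users` table, its columns and the connection credentials are assumed placeholders.

```php
<?php
// Added example, not code from the original post. Assumes a MySQL table `users`
// (columns id, username, email), placeholder credentials, and the mysqlnd driver.

// BEFORE: the request parameter is pasted into the SQL text, so whatever the
// visitor sends becomes part of the query. This is the bug the post warns about.
function findUserUnsafe(mysqli $db, string $id): ?array
{
    $result = $db->query("SELECT id, username, email FROM users WHERE id = " . $id);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// AFTER: check the type first, then bind the value with a prepared statement.
// Bound parameters travel separately from the SQL, so they are never parsed as SQL.
function findUserSafe(mysqli $db, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {   // integer check, like the is_numeric tip above
        return null;              // reject bad input without touching the database
    }
    $id = (int) $rawId;           // the (int) cast from the list above
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);  // 'i' = integer parameter
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Output side: htmlspecialchars stops stored data from being rendered as HTML.
function renderUser(array $user): string
{
    $name  = htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
    $email = htmlspecialchars($user['email'], ENT_QUOTES, 'UTF-8');
    return "<li>$name ($email)</li>";
}

// Database errors are logged server-side; the browser only sees a generic message,
// so no table or column names leak to the front end.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholders
    $db->set_charset('utf8mb4');
    $user = findUserSafe($db, $_GET['id'] ?? '');
    echo $user ? renderUser($user) : 'User not found';
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());
    http_response_code(500);
    echo 'Something went wrong.';
}
```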

Comments

Drake83

Good tips! If you have the money, it is also a good idea to get a security company to scan your site for vulnerabilities. If you need to be PCI compliant, many PCI scans will do this and attempt SQL injection at most (if not all) of your form inputs.

Just remember, user submitted data is tainted!
