I've found quite a few questions on StackOverflow about programs or web forms that save information to a database (especially PHP and MySQL) that contain serious security issues mainly related to SQL injection .
I usually leave a comment and/or a link to an external reference, but a comment doesn't leave much room and it would be nice if there was an internal SOes reference on the subject so I decided to write this question/answer: What is SQL injection and how to avoid it?
What is SQL injection?
SQL injection is a type of computer attack that consists of the infiltration of intrusive code within the statements/queries to be executed in the database. This infiltration usually occurs through parameters passed by users to a program or through a web form.
The target of the intrusion is usually malicious and can cause significant damage: data disclosure, content modification, identity theft, deletion and destruction of data or structures within the database...
Many programmers assume that users will always enter valid data and that queries will therefore be reliable, and they do not take special measures when putting together statements that they execute in the database. That makes your applications vulnerable to these kinds of attacks.
To find more information in Spanish about SQL injection read the Wikipedia article (with examples of resolution in different languages), the official PHP documentation or the OWASP website .
How can I prevent SQL injection?
To avoid SQL injection, just follow a simple series of guidelines:
Always DISTRUST user input . Pre-process, sanitize, or test them, but never use them directly. You should always assume that the user is going to try to attack your database; We like to think that all users are good people, but a single malicious user is enough to destroy everything.
AVOID dynamic SQL . They are the most common error when executing statements to the database and are what malicious users take advantage of to attack your code. The solution is easy: don't concatenate the SQL query with the user input, and instead
DO use prepared statements (also called parameterized). They offer a more efficient and less error-prone strategy. In addition, all major modern database systems support prepared statements with bound variables.
LIMIT access to the database . Do not use superusers (root) but users with custom/limited access to the database (although this is not always within the reach of all developers).
MODERNIZE your code . Keep your code up to date in terms of security, do not use obsolete or non-recommended methods. There are reasons why they are obsolete.
For example, a frequently seen upgrade-related bug on StackOverflow is the particular case of PHP and functions
mysql_*
, which should be avoided and use MySQLi(mysqli_*
) or PDO instead. For more information on that topic, read the question How to prevent SQL injection in PHP?Try to always use parameters in the query, never concatenate the variables directly on the query, example:
The option that avoids that is with parameters and depending on the language you assign the variable:
I hope this information helps you.
If you use php, a good way to prevent SQLinjection is by using the native php function preg_match, you get an array with reserved sql words and some others, remember that sql injection is not the only attack that a web system can receive , or a page, whatever you want to call it, and with this all data sent by the user is matched, nobody enters a name or address or whatever, words like select or union, which concatenates more than one select
and also catch rare characters like / ' % &, etc so they couldn't even accidentally harm your system or data. Here is the preg match api http://php.net/manual/es/function.preg-match.php lucky. Cheers