Most applications using PHP should be given parameters, by $_GET or $_POST , and these parameters often become an easy target for users with bad intentions, and this is called SQL Injection.
I would like to know how to prevent my application from being attacked via SQL Injection, how to proceed?
You should encode all the parameters passed to your application before concatenating to your SQL. All databases support somehow saving data in the database, even if it is a SQL, and for that the value must be properly encoded.
Useful methods for encoding strings:
mysql_real_escape_string - > after using this method and escaping the string, you can concatenate the SQL to be executed.
Or use methods that execute SQL, which take parameters
There are libraries that allow you to indicate a single SQL, with parameter markers in the middle of SQL, and these markers are replaced in order to avoid SQL injection.
Example:
$con = new mysqli("localhost", "u", "p", "test");
if (mysqli_connect_errno()) die(mysqli_connect_error());
$sql = "INSERT INTO articles (title, body, date) VALUES (?, ?, NOW())";
$stmt = $con->prepare($sql);
$ok = $stmt->bind_param("ss", $_POST[title], $_POST[body]);
if ($ok && $stmt->execute())
header('Location: index.php');
else
die('Error: '.$con->error);
I see several people, including here in the SOPT, making the mistake of leaving your application vulnerable to SQL Injection, of course for lack of information, however it is of utmost importance to say that it is essential today to prevent this kind of attack , as it is known by a lot of malicious people.
SQL Injection as it says in the name translated to "SQL Injection," is nothing more than an SQL script that runs on your bank by someone who does not have access to it, thus leaving your database totally vulnerable to anything that the malicious user wants to do.
"How / Why malicious users can do this?"
The problem is in some PHP applications that use parameters that are present in the URL or even the hidden parameters that you pass in the header of your URL, to fill data in a SQL script.
You have an application that needs a ID to make a SELECT , so that's fine, but let's say you have several links that send the ID parameter different:
<a href=produtos.php?id=1>Produto 1</a>
<a href=produtos.php?id=2>Produto 2</a>
<a href=produtos.php?id=3>Produto 3</a>
<a href=produtos.php?id=4>Produto 4</a>
And in products.php you directly redeem the value and play in SELECT ( what should not be done ):
$id = $_GET['id']; //aqui ele vai pegar qualquer coisa que você passar como valor do id
$sql = "SELECT * FROM TABELA WHERE ID=".$id; //aqui ele vai inserir o valor do id
You noticed the risk in security ?? who you want, you can simply deduction know that you are doing this (which is a very basic thing) and execute more commands in your script as a DELETE for example and wipe out your bank.
Well, there are several methods to do, it depends on each programmer, however I like to always manipulate the variable before, check the correct type, and sometimes limit its size, to ensure that it is not a malicious script but my information, otherwise, do not run the sql, for example:
$id = $_GET['id'];
if (is_numeric($id)) //verifica se é um numero retorna true do contrario retorna false
$sql = "SELECT * FROM TABELA WHERE ID=".$id;
In this way for example, I would only run sql if $id was a number, thus preventing any attempt to inject a script.
But there are other ways other ways to perform type checks, the only purpose is to: Limit the parameters you use to SQL scripts to the maximum, or do not use parameters.