Many hacker try to temper sql queries which you are using while collecting data from your forms. If you are not formatting the data coming from public forms. Your own scripts may cause dangerous results including open access to your database and server access.
Lets take a common example of user input for login forms.
While you are validating user to login; you commonly use following steps.
$user = $_POST["user_fld"];
$pass = $_POST["password_fld"];
SELECT * FROM tablename WHERE username = '$user' AND password = '$pass';
Now if you are not formatting your input, user may temper you above sql query by providing admin'; // or admin'; -- in username field. When processing by the server, your query will look like
SELECT * FROM tablename WHERE username = 'admin'; //' AND password = '$pass';
In above case password checking is excluded from WHERE clause by commenting remaining part of the query. Now you know what this query means. It will allow user to login without providing a valid associated password.
This is the single example of sql injection, many others are available; if hacker is smart enough he or she may harm you valuable data.
So, what will be the solution? You may get rid of this serious problem if you format your incoming data by using PHP built-in functions or other user-defined functions.
I have developed a function written in PHP to override SQL Injection problem. You can download your copy from my github (https://github.com/adnnor/cleanX) repository.
0 comments:
Post a Comment
comment or ask