Protecting PHP Websites from SQL Injections


SQL injections are one of the most utilized web attacking mechanism used to  retrieving sensitive information. In this week we hope to discuss about SQL injections and how to secure your PHP website .
If a web developer isn’t careful, they might build their site in such a way that a malicious actor can cause unintended effects in its database.This is how SQL injections happen and it is the main reason for fall victim to SQL Injections.The hacker inputs, or injects, malicious SQL code on the website and fools it into  delivering that code to its database as a legitimate query.



During the phase of website development you should follow best practices to avoid SQL injections.There are several reasons for SQL Injections.

  •  Passing data to DB without sanitizing.
  •  Not using full Unicode encoding.
  •  Mixing of the code and data
  •  Incorrect Type handling
  •  Incorrectly filtered space characters
  •  Use of quotation marks to delimit string

Now we look at some of prevention technique that can used to avoid SQL Injections.

  • Validate your inputs

    Validating user input is not a direct solution to SQL Injection, but it helps us avoid malicious user data being interpreted by the database.
    Let's take example URL like this.
    http://techblog.domains.lk/customer_details.php?id=4

    A simple way to fix the vulnerability in the above URL would be to check whether the ID parameter is what is actually expected from it. That means positive integer.
    <?php 
    if (is_numeric($_GET['id']) && abs($_GET['id']) == $_GET['id']){
         $sql =     "SELECT * FROM user WHERE id = ".$_GET['id'];
    } else{ 
        echo "Sorry, only positive integers allowed here!";
    }
    ?> 
    Then system will response only for positive integers. likewise you can use user validation technique based on your application or situation. 
 

  • Use prepared statements

     Another way you can protect your code against SQL injections is by using prepared statements. Prepared statements are pre-compiled SQL commands.They can be used with a specific database access library such as  PDO

    $sql "SELECT * FROM users WHERE email = '$email' AND status='$status'";

    lets take above example. it is a sql query without PDO. we can use PDO -a Database Access Abstraction Layer to modify above  query  to prevent from SQL injections.

    $stmt $pdo->prepare('SELECT * FROM users WHERE email = ? AND status=?');
    $stmt->execute([$email$status]);
    $user $stmt->fetch();
    // or
    $stmt $pdo->prepare('SELECT * FROM users WHERE email = :email AND status=:status');
    $stmt->execute(['email' => $email'status' => $status]);
    $user $stmt->fetch();

     

    Tips For Avoiding PHP SQL Injection Vulnerabilities

    Prevention is better than cure. You must take the following precautions as these are the best ways to prevent SQL injection in php:

    • To avoid SQL injections, user input should be validate for a definite set of rules for syntax, type, and length.
    • While granting rights to the database for particular users, try to provide only the minimum required rights, in order to avoid any future attacks to sensitive data.
    • If a user is given rights for a specific application, make sure that he does not access the application unnecessarily.
    • Removing unused stored procedures may also help in the prevention of SQL injects.
    • Be careful when using stored procedures as they are easily exploited.
 
REFERENCES:
[1] https://www.cloudways.com/blog/prevent-php-sql-injection/
[2] https://www.php.net/manual/en/book.pdo.php

0 Comments