What is SQL Injection?
SQL injection refers to the act of someone insert a MySQL statement/ MySQL Quries to be run on your system without your knowledge. Injection usually come to the picture when you ask a user for input a data via system, like their name, and instead of a name they give you a MySQL statement that you will unknowingly run on your database.
In fact, the only reason that many websites are “protected” is due to magic quotes, and given that this is due to be disabled in the forthcoming PHP6, then there’s going to be some major problems cropping up.
// user and password come from a simple Posted form
$username = $_POST[ 'username' ];
$password = $_POST[ 'password' ];
$query = "SELECT * FROM user_table WHERE username = '$username ' AND password = '$password' ";
$result = mysql_query( $query );
// check if mysql result not null
if ( mysql_num_rows( $result ) > 0 )
$data = mysql_fetch_assoc( $result );
echo 'Hello '.$user.'!';
echo 'Your phone number is '.$data[ 'phone' ].'';
echo 'Incorrect Username or Password! Please try again!';
This will works, BUT it’s about as safe as juggling with scalpels. If I enter “chans” as my username and “admin” as my password, then the MySQL query looks like below code :
SELECT * FROM user_table WHERE username = 'chans' AND password = 'admin'
and I get logged in very simply.
But the problem comes when I start entering other characters. Lets say user will enter password like this :
' or 1=1 ; --
The query that sent to MySQL will look like this:
SELECT * FROM user_table WHERE username = 'chans' AND password = '' or 1=1 ; -- '
However, the injection attack has actually made our query behave differently than we intended. By using a single quote (‘) they have ended the string part of our MySQL query
password = ' '
and then added on to our WHERE statement with an OR clause of 1 (always true).
username = ' ' OR 1 = 1
This OR clause of 1=1 will always be true and so every single entry in the “user_table” table would be selected by this statement!
Now Attempt to fix it ( The magic quotes ):
How to fix this? We need to be escape these quote characters ( both single and double quotes, as well as backslashes). This is done by putting a slash in front of them,
For Example : so s ‘ becomes s \’, and MySQL can work out that that quote mark is “protected” by the slash(\), and its a part of the value and ignore it. We need to use mysql_real_escape_string() function to prevent this serious problem with our applications,
$password = mysql_real_escape_string($_POST['password']);
so now value of password would be look like this ,
'\' or 1=1 ; --
So, user attempt to login becomes:
SELECT * FROM user_table WHERE username = 'chans' AND password = '\' or 1=1 ; -- ';
MySQL thinks my password is the string
' or 1=1 ;
and user won’t be able to login.
So where do we get these slashes? Since around PHP version 3.06, PHP tries to do this for you, with a setting called “magic_quotes” . What this does is to automatically add slashes to anything coming in via HTTP get or post requests and via cookies. You can also do this manually using the mysql_real_escape_string() function.
Happy Coding…. 🙂