SQL injection is a security vulnerability that occurs in the database layer of an application. Its source is the incorrect escaping of variables embedded in SQL statements. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

SQL injection seems to be on the minds of all developers recently. Although very dangerous, this security risk is relatively easy to prevent. Some languages have built in protection against SQL injections by simply auto filtering. PHP has made an attempt at this with magic_quotes_gpc, but as we all know, ended up being a complete nuisance to developers and frankly just didn’t work. There are a few generic rules to remember. If you abide by these rules, you will be okay.

1. Never trust foreign data! – Don’t depend on the end user inputting valid data!
2. Filter all input – Use built in functions, as well as REGEX to validate input!
3. Forget about addslashes() !!! – If using GBK character set, addslashes() will change 0xbf27 to 0xbf5c27, which is a valid multi-byte character followed by a single quote. Keep in mind that GBK multi-byte characters aren’t enabled by default.

Want to try it out for yourself? Click here to try a sample SQL injection script. It will let you know if you’ve successfully injected or broke a query, or if you didn’t do anything.

Here is what the code would you are attempting to break looks like:

<?php
if(isset($_POST['username'])) {
$mysqli = new mysqli('host','user','pass','db');
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * FROM admins WHERE username='$username' AND password='$password'";
if ($result = $mysqli->query($sql)) {
if ($result->num_rows > 0) {
$found = true;
} else {
$found = false;
}
if ($found) {
echo '
<div style="color: red">YOU BROKE MY SCRIPT!!!</div>
';
echo '<strong>'.highlight_string($sql,true).'</strong>';
} else {
echo '<strong>NOPE! Still not in!</strong>
';
echo highlight_string($sql,true);
}
} else {
echo '<strong>NOPE! Still not in, but you did break my query!</strong>
';
echo highlight_string($sql,true);
}
$mysqli->close();
}
?>

After looking at this script, there should be alarms going off in your head. Are you getting that hormone rush in your head? You know, the one that says, “Oh boy! I’m gonna break this code.”? Go ahead and play with the test script. If you need help, one answer is in the next paragraph.

How did you do? The easiest way to break that script, which was obviously not escaped, is this:
In the username box, type the following: ‘ OR 1=1#

After inputting this data, you will see that you successfully injected my login page. How does it work? The first step was to add a single quote, followed by an OR 1=1 condition, which always returns true, and a hash mark (#), which represents an SQL comment making the rest of the statement irrelevant. How can you stop this?

Simply using the built in MySQL or MySQLi functions mysql_escape_string() and mysqli_escape_string() or escape_string() in OOP will prevent those nasty injections from ruining your day, or job.

This short tutorial should help you understand the dangers of SQL injection, and just how easy it is to prevent it. SQL injection isn’t limited to login scripts and forms, there are many other ways to do it. Just remember those simple rules, and check back for more SQL injection tutorials in the near future!