Of course no one likes to have their website hacked and defaced. That is why security should be your main priority as a PHP developer or webmaster. You should double check and make sure you are validating user input, especially if PHP variables are used in MySQL queries.
MySQL injection happens when a PHP variable (usually a query string variable in the URL of a GET request) is manipulated by an outside source (a hacker) to make the MySQL database run malicious queries beyond its original purpose. For example, one of the popular objectives of MySQL injection is obtaining the website's admin username and password, which are stored in the MySQL database. Once the hacker knows the username and password, they can use them to log in to the CMS or admin panel.
However, suppose you are operating an ordinary website. Chances are, if you are not a PHP developer, you are not technical enough to know about these things or to work out a detailed solution.
Again, a problem well defined is a problem half-solved. You should take the bold steps in determining if your website is vulnerable to MySQL injection attacks.
The following steps are effective ways to determine if your website is vulnerable to MySQL injection:
Step 1.) Are you using dynamic URLs? If you have a URL like http://www.example.com/member.php?id=3, a hacker can manipulate the value of the query string variable. In that example, the query string variable is "id" and its value is 3.
The first thing a hacker will look for on your website is query string variables in the URL, such as in the example above. This applies not only to the homepage or front page URL but to every URL on your website. If you have a dynamic website that uses a query string ("?") in its URLs, proceed to the next step.
Step 2.) Add a single quote (') at the end of the query string value shown in the browser address bar, then press Enter. For example, if your URL is:
http://www.example.com/member.php?id=3
Adding a single quote to the value of the query string (which is 3) will look like:
http://www.example.com/member.php?id=3'
After you press Enter, take careful note of the results shown in the browser.
Step 3.) If a MySQL-related error appears, then YOUR WEBSITE IS VULNERABLE TO MYSQL INJECTION.
For example, let's take a real example of a dynamic URL (DISCLAIMER: This is for educational purposes only; use this information at your own discretion):
http://www.turkishculturalfoundation.org/pages.php?ID=31
This is what the URL looks like in the browser address bar after adding a single quote to the value of the query string variable (which is 31):

Take close note of the single quote added to the end of 31 (the value of the query string variable ID).
Now, when you press Enter, the website is vulnerable to MySQL injection if a MySQL-related error occurs, such as this one:
How to prevent MySQL injection:
First step: Every PHP variable used to query the MySQL database should be sanitized with the mysql_real_escape_string function. Example:
// $invoicenumber comes from user input (a form field or query string variable);
// mysql_real_escape_string needs an open MySQL connection to escape it correctly
$invoicenumber = mysql_real_escape_string($invoicenumber);
$result1 = mysql_query("SELECT `DownloadStatus` FROM `customerrecords` WHERE `InvoiceNumber`='$invoicenumber'");
In the above example, $invoicenumber is the PHP variable used in the MySQL SELECT statement. It needs to be sanitized with the mysql_real_escape_string function.
Second step: Do not display MySQL-related errors on your website.
Third step: In addition to the first and second steps, validation of all user input (web form fields, query string variables in the URL, etc.) is a MUST for anything that is publicly accessible.
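The following PHP is an added example, not code from the original article. It shows, first, why the single-quote test from Steps 1 to 3 above produces a MySQL error when a query string value is pasted straight into SQL, and then the three prevention steps together: escaping with mysqli_real_escape_string (the mysqli equivalent of mysql_real_escape_string, since the mysql_* extension was removed in PHP 7), validating the input as an integer, and using a prepared statement with errors logged rather than displayed. The $db connection, the `members` table with its `id` and `name` columns, and the function names are assumptions made for this illustration.

```php
<?php
// Added example; assumes a mysqli connection $db and a table `members`
// with an integer `id` column and a `name` column (all hypothetical).

// 1. The pattern Steps 1-3 detect: a query string value dropped straight
//    into SQL. With id=3 this is valid SQL; with id=3' the extra quote is
//    unbalanced and MySQL answers with a syntax error, which is the symptom
//    Step 3 looks for in the browser.
function buildQueryUnsafe(string $id): string
{
    return "SELECT `name` FROM `members` WHERE `id`='$id'";
}

// 2. The article's first fix, using the mysqli counterpart of
//    mysql_real_escape_string. Escaping needs an open connection because
//    it depends on the connection's character set.
function buildQueryEscaped(mysqli $db, string $id): string
{
    $safe = mysqli_real_escape_string($db, $id);
    return "SELECT `name` FROM `members` WHERE `id`='$safe'";
}

// 3. Stronger form: validate the input type (third step) and bind it as a
//    parameter so the value is never parsed as SQL. Database errors are
//    logged, not shown to the visitor (second step).
function lookupMember(mysqli $db, string $rawId): ?string
{
    // An id must be a positive integer; anything else is rejected up front.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    try {
        $stmt = $db->prepare("SELECT `name` FROM `members` WHERE `id` = ?");
        $stmt->bind_param('i', $id);
        $stmt->execute();
        $stmt->bind_result($name);
        $found = $stmt->fetch();
        $stmt->close();
        return $found ? $name : null;
    } catch (mysqli_sql_exception $e) {
        // Keep the MySQL error text off the page; record it server-side.
        error_log('member lookup failed: ' . $e->getMessage());
        return null;
    }
}

// Show how the unsafe query text changes under the single-quote test.
echo buildQueryUnsafe('3'), "\n";
echo buildQueryUnsafe("3'"), "\n";

// Usage with a real connection (connection details are placeholders):
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors become exceptions
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// $name = lookupMember($db, $_GET['id'] ?? '');
```

Running the two echo lines shows the first query ending in `'3'` and the second in `'3''`, the unbalanced quote that makes MySQL reject the statement. Because lookupMember() rejects anything that is not a positive integer and binds the value as a parameter, the same input never reaches the SQL parser as text; and with display_errors turned off in php.ini (or via ini_set('display_errors', '0')), a visitor sees no database error even if one occurs.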

Very useful, we recently had our website PrecioLandia attacked by SQL Injection, and this article was very handy to detect the flaw. Thanks.
Hi PrecioLandia,
How that's great! I never thought someone would check this post as seriously as using it to correct a website problem. I am glad I am beginning to believe that this PHP developer website is REALLY helpful and useful. I will look forward to adding more content to this website and improving user experience. Thanks!
Cheers,
Codex
Thank you so very much for this valuable information. As soon as I read this excellent article, I sanitized all of the vulnerable PHP variables with the mysql_real_escape_string function. The test for vulnerability to SQL injection is absolutely great. I never learned these things during my web development studies in college! I'll definitely be revisiting this site. Please continue to publish content as valuable as this was. Again, many thanks!
I am glad you learned something very important from this post. MySQL injection continues to be one of the most common vulnerabilities of dynamic websites that use MySQL as the database. Protecting your site against this ensures that you are keeping hackers at bay.
very very nice info…
thanks.