Download presentation
Presentation is loading. Please wait.
Published byBarnaby Bond Modified over 9 years ago
1
Preventing MySQL Injection Sonja Parson COSC 5010 Security Presentation April 26, 2005
2
Introduction Used PHP, MySQL, and HTML for this project Can access from the web Username and Password needed to be secure Wanted to protect against SQL injection attacks
3
MySQL Query Problems Regular Expression Matching Period(.) Match any character (including carriage return and newline) [:alnum:] Match any alphanumeric characters Single Quote (‘) Ends a query Now, you can type your own query into the field
4
Simple Solutions Make sure that you limit the length of a parameter Helps prevent someone from sending a query to the database through the username or password fields Use secure passwords
5
A Few Functions (PHP) Mysql_escape_string() Mysql_real_escape_string() Crypt()
6
Mysql_escape_string() Escapes a string for use in a mysql query Does not escape % and _ Does not respect the current charset setting Example: <?php $item = “Sonja’s Laptop”; $escaped_item = mysql_escape_string($item); Printf(“%s\n”, $escaped_item); ?> Would return: Sonja\’s Laptop
7
Mysql_real_escape_string() Identical to mysql_escape_string(), but is connection oriented. Takes into account the current charset of the database connection Mysql_escape_string($unescaped_st ring, $link_to_database);
8
Crypt() Crypt() is a one-way string encryption (hashing). Uses standard DES-based encryption scheme Uses the string and a salt to encrypt the string If the salt is not provided, one is randomly generated by PHP each time the function is called.
9
Conclusion By using the aforementioned functions, you can secure your database from unwanted attacks (assuming you wrote good enough code) Websites are easy to hack when you have the source code Website is secure from SQL injection attacks SQL injection attacks are easy to do, but can also be easily guarded against
10
References PHP, MySQL functions http://pt.php.net/manual/en/ref.m ysql.php http://pt.php.net/manual/en/ref.m ysql.php MySQL Reference Manual: MySQL Regular Expressions http://dev.mysql.com/doc/mysql/e n/regexp.html http://dev.mysql.com/doc/mysql/e n/regexp.html
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.