At the moment, I’m looking to shore up the basic security of my server DB, including provisions to protect against the possibility of an SQL Injection attack.
Let’s say, for argument’s sake, that I had some PHP code that looked like the following:
$query = "SELECT name FROM my_table WHERE id='" . $id . "'";
Normal usage of this – where, for example, an id value of 131 had been entered – would result in the following query:
SELECT name FROM my_table WHERE id='131';
If, however, I was a nefarious cunt, I might enter something like 131' or '1=1, which would result in the following:
SELECT name FROM my_table WHERE id='131' or '1=1';
So some unwarranted SQL has actually been injected into the query, perhaps circumventing the purpose of the code. If this was, for example, a check to prove that a valid user exists (okay, the example SQL here is ridiculous and unfit for purpose, but anyway…), then this would provide the hacker with a result > 0 in all cases, and possibly grant access.
This is a highly simplified example of what can be a very complicated and costly attack, but it does highlight the basic premise of the method. Other possibilities are updating, inserting, deleting and worse.
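As an added illustration (not code from the original post), here is the concatenated query from above next to a prepared-statement version of the same lookup, run against a constructed in-memory SQLite table so the two behaviours can be compared directly. It assumes PHP with the pdo_sqlite extension; the table name, column names and sample rows are made up for the demo.

```php
<?php
// Added example: concatenated query vs. prepared statement for the same lookup.
// Assumes the pdo_sqlite extension; table contents below are constructed sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE my_table (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO my_table (id, name) VALUES (131, 'alice'), (132, 'bob')");

// Vulnerable form from the post: $id is spliced into the SQL text, so any quote
// characters inside it end the string literal and the rest is parsed as SQL.
function lookupConcatenated(PDO $db, string $id): array
{
    $query = "SELECT name FROM my_table WHERE id='" . $id . "'";
    return $db->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the value travels as a bound parameter. The database never
// parses it as SQL, so a quote or an OR inside it is just part of the value.
function lookupPrepared(PDO $db, string $id): array
{
    $stmt = $db->prepare("SELECT name FROM my_table WHERE id = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Belt and braces for a numeric key: reject anything that is not a plain integer
// before it gets anywhere near the query.
function lookupValidated(PDO $db, string $id): array
{
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException("id must be an integer");
    }
    return lookupPrepared($db, $id);
}

$payload = "131' or '1=1";   // the input discussed in the post

// Normal input behaves the same either way.
var_dump(lookupConcatenated($db, '131'));
var_dump(lookupPrepared($db, '131'));

// With the injected input the concatenated query's WHERE clause becomes
// id='131' or '1=1', which is true for every row; the prepared statement instead
// compares id with the whole string and matches nothing.
var_dump(lookupConcatenated($db, $payload));
var_dump(lookupPrepared($db, $payload));
```

Running it with `php example.php` shows the concatenated lookup returning every row for the injected input while the prepared lookup returns an empty array.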
I’ve been implementing various ways to combat SQL Injection on a basic level.