In a modern society full of brilliant programmers and fantastic resources for upcoming programmers one key issue I come across way too often is unsecured code that is wide open for a MySQL injection.
I was tasked today with updating a custom CMS/Ecommerce system as it was unable to save new products when an apostrophe was present in the title. Without thinking about it I was able to identify that it was clearly not escaping the apostrophe before saving, this is a major issue in web development and programmers need to be better educated around this topic and other security issues.
$user = $_POST['f_name']; $query = "SELECT * FROM users WHERE user_firstname = '$name'";
If a user was to pass the form element f_name with a value of Glenn this would return a valid record (as long as it existed!!!).
But if a user was to submit a value of ‘; DROP TABLE users the full query then becomes:
SELECT * FROM users WHERE user_firstname = ''; DROP TABLE users;
See how easy a form can become your worst nightmare? BUT have no fear! It is exceptionally easy in PHP to prevent this type of attack from occurring using one of the functions given to us!
$user = mysql_real_escape_string($_POST['f_name']); $query = "SELECT * FROM users WHERE user_firstname = '$name'";
By using the function mysql_real_escape_string you can completely avoid this type of attack as all apostrophes are preceded by a slash, so your full query WITH a MySQL injection would be:
SELECT * FROM users WHERE user_firstname = '\'; DROP TABLE users';
Thus completely rendering DROP TABLE users useless.