This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Backend Security Project PHP Security Programming"
(→Tools) |
(→Description) |
||
| Line 2: | Line 2: | ||
= Description = | = Description = | ||
| + | |||
| + | == PHP preventing SQL Injection == | ||
= Examples = | = Examples = | ||
Revision as of 21:11, 28 May 2008
Overview
Description
PHP preventing SQL Injection
Examples
To better understand how to secure code a PHP application some examples of vulnerable code is provided in this paragraph.
Login Form
On this example we're going to see a tipical Login Form. On our example WEB SITE user need to supply a username/password pair in order to be authenticated.
Here follows the authentcation form:
Such a login page well call login.php with supplied user credentials.
<?php
include('./db.inc');
function sAuthenticateUser($username, $password){
$authenticatedUserName="";
if ($link = iMysqlConnect()) {
$query = "SELECT username FROM users";
$query .= " WHERE username = '".$username."'";
$query .= " AND password = md5('".$password."')";
$result = mysql_query($query);
if ($result) {
if ($row = mysql_fetch_row($result)) {
$authenticatedUserName = $row[0];
}
}
}
return $authenticatedUserName;
}
if ($sUserName = sAuthenticateUser($_POST["username"],
$_POST["password"])) {
echo "Wellcome ".$sUserName;
} else {
die('Unauthorized Access');
}
?>
db.inc:
<?php
define('DB_HOST', "localhost");
define('DB_USERNAME', "user");
define('DB_PASSWORD', "password");
define('DB_DATABASE', "owasp");
function iMysqlConnect(){
$link = mysql_connect(DB_HOST,
DB_USERNAME,
DB_PASSWORD);
if ($link && mysql_select_db(DB_DATABASE))
return $link;
return FALSE;
}
?>
Online Catalog
Let take another example: an Online Book Store:
catalog.php:
function aGetBookEntry($id) {
$aBookEntry = NULL;
$link = iMysqlConnect();
$query = "SELECT * FROM books WHERE id = $id";
$result = mysql_query($query);
if ($result) {
if ($row = mysql_fetch_array($result)) {
$aBookEntry = $row;
}
}
return $aBookEntry;
}
$id = $_GET['id'];
$aBookEntry = aGetBookEntry($id);
showBook($aBookEntry);
Basicaly it retrieves id parameter on GET query string and perform the following SQL query:
- SELECT * FROM book WHERE id = $_GET['id']
As in Login Form no input validation is performed and SQL Query can be manipulated to returns arbitrary data and DBMS stored relations/records/functions as well.
