Defending against SQL Injection Attack in PHP any version

Internet security is a very sensitive issue, and many websites have vulnerabilities which are easily exploitable. One such vulnerability is SQL Injection, in which the attacker can execute virtually any query against your database, even gain administrator privileges, and, in the worst case, also gain access to your system and execute arbitrary commands. There is no question how dangerous this vulnerability is, but it has a very easy fix. I'd like to introduce you to a small function, escape(), that I've written for sanitizing data before it is used in a database query; it will disable SQL Injection attacks in PHP, irrespective of the PHP version you use.

function escape($input)
{
    // If magic_quotes_gpc is off, PHP has not escaped the request data yet,
    // so add the backslashes ourselves; otherwise the input is already escaped.
    if (!get_magic_quotes_gpc()) {
        $input = addslashes($input);
    }
    return $input;
}

By default the magic_quotes_gpc feature of PHP is turned on, so it automatically sanitizes any data it receives via $_GET and $_POST by placing a backslash before any ', " or \ character. However, as of PHP 5.0+ this feature is deprecated, and hence relying on it is highly discouraged. Instead, use the addslashes() function, which does the same thing. So the function I wrote first checks whether magic_quotes_gpc is turned on: if it is, it simply returns the input as it is; otherwise it calls addslashes() on the input. So simple!
However, there's a more "secure" version of it, though this one is not suitable for large-scale systems as it requires an extra connection to the MySQL server.

function escape($input)
{
    // Undo any escaping magic_quotes_gpc already applied, so the value is
    // not escaped twice, then let the MySQL client library escape it
    // according to the connection's character set.
    if (get_magic_quotes_gpc()) {
        $input = stripslashes($input);
    }
    return mysql_real_escape_string($input);
}

You can use the above function as follows:

Find all the form variables that you receive in your PHP code, i.e. all occurrences of $_GET and $_POST, and wherever you use them, write

escape($_POST['var'])

instead of just $_POST['var']. Similarly for $_GET variables.

For example, suppose you have built the MySQL query like this (the raw request values are interpolated straight into the SQL text):

$username=$_GET['username'];
$password=$_POST['password'];
$query="SELECT * FROM `users` WHERE `username`='$username' AND `password`='$password'";

To secure the above code, use this code instead:

$username=escape($_GET['username']);
$password=escape($_POST['password']);
$query="SELECT * FROM `users` WHERE `username`='$username' AND `password`='$password'";

or, written on a single line:

$query="SELECT * FROM `users` WHERE `username`='".escape($username)."' AND `password`='".escape($password)."'";

This simple thing will completely disable any kind of SQL Injection attack on your website or web application, irrespective of the PHP version you use. However, beware of other attacks! 🙂
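As an added example (not code from the original post), the script below puts the escape-and-concatenate pattern described above next to the equivalent PDO prepared statement, so the two can be compared on the same data. It uses an in-memory SQLite database via PDO so it runs without a MySQL server; the users table and its two rows are constructed test data. Two caveats a practitioner should know are visible in it: addslashes() produces MySQL-style backslash escaping, which other engines such as SQLite do not accept, while bound parameters never become part of the SQL text at all; and get_magic_quotes_gpc() and the mysql_* functions no longer exist in PHP 8 (the mysql extension was removed in PHP 7.0), so the version of escape() here simply calls addslashes().

```php
<?php
// Added example, not from the original post. Runs offline against an
// in-memory SQLite database; all rows inserted below are constructed.
declare(strict_types=1);

function escape(string $input): string
{
    // Same idea as the post's first escape(): backslash-escape ' " \ and NUL.
    // get_magic_quotes_gpc() does not exist in PHP 8, so it is not consulted.
    return addslashes($input);
}

function findUserConcatenated(PDO $db, string $username, string $password): ?array
{
    // The post's pattern: escape each value, then interpolate it into the SQL text.
    $u = escape($username);
    $p = escape($password);
    $sql = "SELECT id, username FROM users WHERE username='$u' AND password='$p'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function findUserPrepared(PDO $db, string $username, string $password): ?array
{
    // Parameterised form: the values are bound separately from the SQL text,
    // so no engine-specific escaping rules are involved.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $username, ':p' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
// Constructed rows. A real application stores a password hash, never the password.
$db->exec("INSERT INTO users (username, password) VALUES ('alice', 'secret')");
$db->exec("INSERT INTO users (username, password) VALUES ('o''brien', 'secret')");

$cases = [
    ['alice',   'secret'],   // no special characters: both paths agree
    ["o'brien", 'secret'],   // a legitimate apostrophe in the input
];

foreach ($cases as [$user, $pass]) {
    try {
        $viaEscape = findUserConcatenated($db, $user, $pass);
        printf("escape()+concat  %-8s -> %s\n", $user, $viaEscape ? 'found' : 'not found');
    } catch (PDOException $e) {
        // SQLite does not treat backslash as an escape character, so the
        // addslashes() output o\'brien is not a valid string literal for it.
        printf("escape()+concat  %-8s -> SQL error: %s\n", $user, $e->getMessage());
    }
    $viaPrepared = findUserPrepared($db, $user, $pass);
    printf("prepared         %-8s -> %s\n", $user, $viaPrepared ? 'found' : 'not found');
}
```

Run it with the pdo_sqlite extension enabled. The alice row is found by both paths; for o'brien the concatenated query fails with a syntax error because SQLite expects a doubled quote rather than a backslash, while the prepared statement finds the row. The same prepared-statement code works unchanged against MySQL, which is why it is the portable defence.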

Agate CMS

Agate CMS is my free and open source software, which I have hosted on sourceforge.net. It's a Content Management System, which means it lets you create a fully functional website in just a few clicks! All you need to do is work out a template for your website; all the coding, including user registration/login, user management, website content, forms, etc., is taken care of by the CMS.

First, I want to tell you a little about why I started this project. I actually never thought of coding a CMS of my own from scratch. What I actually wanted to do was change the core architecture of Pragyan CMS v2, which is developed by the members of "Delta Force" (the central webteam of NIT Trichy), of which I'm a part. Pragyan CMS has been contributed to by dozens of students from my college, and so when I started going through that huge number of PHP files, each with some four to five hundred lines of code, I didn't feel like actually trying to understand those thousands of lines written by a dozen webteam members, the result of which is code with no fixed convention for "pretty printing", with many bugs and unnecessary code, and no single person who knows every line of the CMS. This is what I call "loose" software, and it needs to be filled up with lots of patches to remove all the bugs. This is what encouraged me to write a CMS myself, with strict organization of files and structured code. This took some time, but it wasn't that hard. When I was halfway through, I started implementing new ideas for the core architecture which were very different from what was in Pragyan CMS. Up to that point, Agate CMS was very similar to Pragyan CMS, but after that point it was my own ideas that I implemented, which I thought were better than Pragyan's. Finally I ended up writing a working CMS with an entirely different architecture and new features. I won't go into the technical details now.
