OWASP Backend Security Project PHP Preventing SQL Injection

= Examples =

To better understand how to secure the code of a PHP application, this section provides some examples of vulnerable code.

Login Form

In this example we look at a typical login form. On our example web site a user must supply a username/password pair in order to be authenticated. The authentication form follows:



Such a login form calls login.php with the supplied user credentials.

<?php
include('./db.inc');   // defines iMysqlConnect(), which opens the database link

function sAuthenticateUser($username, $password)
{
    $authenticatedUserName = "";
    if ($link = iMysqlConnect()) {
        // Vulnerable: both inputs are concatenated straight into the query,
        // so a quote character in $username or $password changes the SQL that runs.
        $query  = "SELECT username FROM users";
        $query .= " WHERE username = '" . $username . "'";
        $query .= " AND   password = md5('" . $password . "')";
        $result = mysql_query($query);

        if ($result) {
            if ($row = mysql_fetch_row($result)) {
                $authenticatedUserName = $row[0];
            }
        }
    }

    return $authenticatedUserName;
}

if ($sUserName = sAuthenticateUser($_POST["username"], $_POST["password"])) {
    echo "Welcome " . $sUserName;
} else {
    die('Unauthorized Access');
}
?>

db.inc:



Online Catalog
Let's take another example: an online book store.



catalog.php:

<?php
include('./db.inc');   // defines iMysqlConnect(), as in login.php

function aGetBookEntry($id)
{
    $aBookEntry = NULL;
    $link = iMysqlConnect();

    // Vulnerable: $id is interpolated unquoted, so anything appended to the
    // number becomes part of the WHERE clause.
    $query  = "SELECT * FROM books WHERE id = $id";
    $result = mysql_query($query);

    if ($result) {
        if ($row = mysql_fetch_array($result)) {
            $aBookEntry = $row;
        }
    }

    return $aBookEntry;
}

$id = $_GET['id'];
$aBookEntry = aGetBookEntry($id);

showBook($aBookEntry);   // rendering helper, defined elsewhere in the site
?>

Basically it retrieves the id parameter from the GET query string and performs the following SQL query:
 * SELECT * FROM books WHERE id = $_GET['id']

As in the login form, no input validation is performed, so the SQL query can be manipulated to return arbitrary data, including other tables, records and functions stored in the DBMS. Note that here the id is not even quoted, so escaping quote characters would not be enough: the value must be validated as a number, or bound as a numeric parameter.
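The following is an added example, not code from the original page: it rebuilds the two vulnerable queries above (the login form and the online catalog) against an in-memory SQLite database, so the injection and its fix can be run offline with php-cli, and places each beside a version that uses PDO prepared statements with bound parameters. Assumptions: PHP 7.4 or later with the pdo_sqlite extension; the users and books rows are constructed here; MySQL's md5() SQL function is replaced by PHP's md5() because SQLite lacks it (md5 is kept only to mirror the page, it is not a recommended password hash). The same prepare/bind pattern is available for MySQL through PDO or mysqli.

```php
<?php
// Added example (not the page's own code): login.php and catalog.php queries
// rebuilt against an in-memory SQLite database. Sample rows are constructed.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (username TEXT, password TEXT)");
    $db->exec("CREATE TABLE books (id INTEGER, title TEXT, author TEXT)");
    $db->exec("INSERT INTO users VALUES ('alice', '" . md5('s3cret') . "')");
    $db->exec("INSERT INTO books VALUES (1, 'PHP Security', 'Anonymous')");
    $db->exec("INSERT INTO books VALUES (2, 'SQL Basics', 'Anonymous')");
    return $db;
}

// --- Login form ------------------------------------------------------------

// Same concatenation as sAuthenticateUser(): the username is pasted into the
// query text, so a username of  ' OR '1'='1' --  closes the string literal,
// adds an always-true condition and comments out the password check.
function sAuthenticateUserVulnerable(PDO $db, string $username, string $password): string {
    $query = "SELECT username FROM users"
           . " WHERE username = '" . $username . "'"
           . " AND password = '" . md5($password) . "'";
    $row = $db->query($query)->fetch(PDO::FETCH_NUM);
    return $row ? $row[0] : "";
}

// Fixed: a prepared statement with bound parameters. The query text and the
// values travel separately, so the payload is compared as a literal username
// and is never parsed as SQL.
function sAuthenticateUserSafe(PDO $db, string $username, string $password): string {
    $stmt = $db->prepare("SELECT username FROM users WHERE username = ? AND password = ?");
    $stmt->execute([$username, md5($password)]);
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row ? $row[0] : "";
}

// --- Online catalog --------------------------------------------------------

// Same as aGetBookEntry(): id is interpolated unquoted, so escaping quotes
// would not help. An id of  0 UNION SELECT username, password, '' FROM users
// makes the catalog query return a users row under the book column names.
function aGetBookEntryVulnerable(PDO $db, string $id): ?array {
    $query = "SELECT * FROM books WHERE id = $id";
    $row = $db->query($query)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Fixed: validate that the id is all digits, then bind it as an integer
// parameter. Either step alone blocks this payload; doing both rejects
// malformed ids before any query is built.
function aGetBookEntrySafe(PDO $db, string $id): ?array {
    if (!ctype_digit($id)) {
        return null; // not a well-formed id: refuse rather than guess
    }
    $stmt = $db->prepare("SELECT * FROM books WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// --- Run it ----------------------------------------------------------------

$db = makeDb();
$loginPayload   = "' OR '1'='1' -- ";
$catalogPayload = "0 UNION SELECT username, password, '' FROM users";

var_dump(sAuthenticateUserVulnerable($db, $loginPayload, 'wrong')); // password check commented out
var_dump(sAuthenticateUserSafe($db, $loginPayload, 'wrong'));       // payload treated as a literal username
var_dump(sAuthenticateUserSafe($db, 'alice', 's3cret'));            // legitimate login still works

var_dump(aGetBookEntryVulnerable($db, $catalogPayload)); // users row returned as if it were a book
var_dump(aGetBookEntrySafe($db, $catalogPayload));       // rejected by the digit check
var_dump(aGetBookEntrySafe($db, '2'));                   // ordinary lookup
```

Run it with `php example.php`. The point of the catalog half is that the fix for a numeric parameter is not quote escaping: the vulnerable query contains no quotes around the id, so functions such as mysql_real_escape_string() would leave the payload untouched. Validate the type and bind the value.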

= Application Security strategies =

Security in Depth
= Examples Revisited =

Online Catalog
= Defeating Automated Tools =

= References =

= Tools =