The intention of MySQL injection is to take over the website database and steal information. Common open source databases, such as MySQL, have been used by many website developers to store important information such as passwords, personal information, and administrative information.
MySQL is popular because it is used with the most popular server-side scripting language, PHP. Moreover, PHP is the main language of the Linux-Apache server that dominates the Internet. Therefore, this means that hackers can easily exploit PHP just like Windows spyware.
Hackers enter large amounts of malicious code into an unsecured web form (via drop-down menus, search boxes, contact forms, query forms and checkboxes).
The malicious code will be sent to the MySQL database and then "injected". To view this process, first consider the following basic MySQL SELECT query statement:
SELECT * FROM xmen WHERE username = 'wolverine'
This query will ask the database with the "xmen" table to return a certain piece of data with the username "wolverine" in MySQL. .
In the web form, the user will enter wolverine, and this data will be passed to the MySQL query.
If the input is invalid, there are other ways for hackers to take control of the database, such as setting the username:
' OR ''=''
You might think it's safe to use normal PHP and MySQL syntax to perform the input, because every time someone enters malicious code, they will You'll get an "invalid query" message, but that's not the case. Hackers are smart, and any security hole is not easy to correct because it involves database cleanup and resetting administrative privileges.
Two common misunderstandings about MySQL injection attacks are as follows:
1. Network administrators believe that malicious injections can be cleaned up with anti-virus software or anti-spyware software. The fact is that this type of infection exploits weaknesses in the MySQL database. It cannot simply be removed by any anti-spyware or antivirus program.
2. MySQL injection occurs due to copying an infected file from another server or external source. This is not the case. This type of infection occurs when someone enters malicious code into an unprotected form on a website and then accesses the database. MySQL injection can be cleaned up by removing the malicious script, rather than using an antivirus program.
The user input validation process
backs up a clean database and places it off the server. Export a set of MySQL tables and save them on the desktop.
Then go to the server and turn off the form input temporarily first. This means that the form cannot process the data and the website is shut down.
Then start the cleanup process. First, on your server, clean up any remaining messy MySQL injections. Change all database, FTP and website passwords.
In the worst case scenario, if you are late cleaning up, you can double check for hidden programs running on your server. These hidden programs are Trojans installed by hackers. Remove it completely and change all FTP permissions. Scan the server for all Trojans and malware.
When you modify the PHP script program, the form data will be processed. A good way to prevent MySQL injection is to not even trust user data. User input validation is very important to prevent MySQL injection.
To design a filter to filter out user input, here are a few tips:
1. The input to the form is numbers. You can verify that it is a number by testing that it is equal to or greater than 0.001 (assuming you don't accept a zero).
2. If it is an email address. Verify whether it consists of allowed character combinations, such as "@", AZ, az or some numbers.
3. If it is a person’s name or user name. It can be verified by whether it contains any illegal characters, such as and and *, which are malicious characters that can be used for SQL injection.
Validating Numeric Input
The following script verifies that a valid number from 0.001 to infinity is entered. It is worth mentioning that in a PHP program, you can even allow the use of numbers within a certain range. Use this validation script to ensure that only a number is entered into the form.
Suppose you have three numerical variables in your program; you need to validate them, let's name them num1, num2 and num3:
//Validate numerical input
if($_POST['num1'] >= 0.001 && $_POST['num2'] >= 0.001 && $_POST['num3'] >= 0.001){
}else{
}
?>
And the condition can be extended to accommodate more than three numbers. So if you have 10, you will only need to expand the AND statement.
This can be used to validate a form that only accepts numbers, such as contract quantities, license numbers, phone numbers, etc.
Validate text and email address inputs
The following can be used to validate form inputs such as usernames, first names, and email addresses:
//Validate text input
if (! preg_match('/^[-az.-@,'s]*$/i',$_POST['name'])){
}
elseif ($empty==0){
}else{
}
?>
One advantage of this validation script is that it does not accept blank input. Some malicious users also manipulate databases through blank inputs. Using the script above, only validate one literal variable, "$name". This means that if you have three text variables, you can set up a validation script for each variable to ensure that each variable passes the review before entering the database.