Work with data
Today, the Internet is gaining more and more popularity, and the word “site” has firmly entered our vocabulary.
Lately, two more words have gone hand in hand with it: “development” and “promotion”. This is not surprising: under the pressure of an enormous number of offers for website development and promotion services, these two concepts have taken root in the mind of the ordinary user as the only ones worth attention when launching an Internet project.
But there is one more word without which neither creation nor promotion will make any sense if you are building a serious project. Moreover, if you neglect it, things may turn out much worse than they were before you started.
This is security, and not the physical security of the computer on which your site is stored (which, of course, should also be taken care of), but security on the Internet.
It is difficult to overestimate the importance of security for your site if its database stores important information. For example, it is hard to imagine the head of the IT department at a large bank, whose database stores customers’ credit card numbers and other sensitive information, sleeping peacefully at night if he was told the day before that the bank’s website he is responsible for is not properly protected and could be cracked within an hour by a moderately clever attacker.
Yet this is often exactly the case. Moreover, even site code protected by special functions, a database restricted by access permissions, and a well-paid employee responsible for the security of your data cannot always guarantee one hundred percent protection. That is why, so that it is not painfully costly later, the data protection system must be organized carefully.
In this article I will cover protection against perhaps the most common method of hacking a site: SQL injection. To begin with, let us note that all modern, large, complex sites, without exception, are built on top of a database.
Work with the data stored in your site’s database is carried out through the Structured Query Language, SQL. SQL injection is the technique of introducing extra code into the original SQL query, without breaking the syntax of the query itself, in order to gain access to the data contained in the database.
The possibility of SQL injection arises from insufficient validation of the values received from the user. Depending on the DBMS in use and the conditions of the implementation, exploiting an SQL injection can enable an attacker to execute arbitrary queries against the database: for example, read the contents of any table, delete, modify or add data, gain the ability to read and/or write local files, and execute arbitrary commands on the attacked server.
Most SQL injections target input forms such as user registration, subscriptions, ordering goods, and so on. But do not assume that only visible input forms are at issue: very often the site URL is used to deliver SQL injection code. Thus, if your site is not protected against this in any way, an attacker can easily pick the lock on your database and obtain any information stored in it.
So, let us go directly to the methods of protecting your site from SQL injection:
1. Do not trust the data that the user enters into the forms on your site. All of it must be checked for malicious content. To do this, first limit the length of the fields wherever possible. For example, 10 characters are enough for a “Name” string.
Use special functions to process all data received from the user. In PHP the function mysql_real_escape_string() is suitable here (it escapes forbidden characters such as ' and " with backslashes), as is htmlspecialchars() (which converts HTML special characters into entities). You can also check the type of input values, for example using intval() for numeric values.
2. Restrict users’ access rights to the database. The fewer rights a database user has, the less harm an SQL injection can do.
3. SQL injection works because the attacker guesses the structure of your database queries, tries plausible names for the tables and columns of the database, and extracts data based on the information obtained. For example, when trying to reach the password table of your database, he will try names such as pass, password, users, and so on. He is therefore unlikely to extract information from that table if you name it “aslfjsaf”. However, this method is too radical, since it will make it harder for you personally to work with the database, because the names are uninformative.
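A worked illustration of point 1, added here and not part of the original article: a Python script using an in-memory SQLite table (constructed sample data) as a stand-in for the site's DBMS. It shows a login query assembled from raw form input beside the same query written with bound parameters (the mechanism that, in current PHP, replaces the removed mysql_real_escape_string() for MySQL), together with the length limit and integer check the article recommends; the table, names and passwords are all made up for the demonstration.

```python
import sqlite3

MAX_NAME_LEN = 10  # the article's suggested limit for a "Name" field


def build_db():
    # Constructed sample data: a tiny in-memory users table standing in for a site's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    # The SQL text is assembled from raw form values, so a quote in the input
    # closes the string literal and the rest of the input becomes part of the query.
    sql = "SELECT id FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return [row[0] for row in conn.execute(sql)]


def validate_name(name):
    # Point 1 of the article: bound the length of free-text fields before using them.
    if not isinstance(name, str) or not 1 <= len(name) <= MAX_NAME_LEN:
        raise ValueError("name must be 1 to %d characters" % MAX_NAME_LEN)
    return name


def login_safe(conn, name, password):
    # The values are passed as bound parameters: the driver sends them separately
    # from the SQL text, so they can never change the structure of the query.
    name = validate_name(name)
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def parse_id(raw):
    # Numeric parameters (e.g. an id taken from the URL) are converted to int, the
    # equivalent of the article's intval() check; anything that is not a whole number is rejected.
    try:
        return int(raw)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None


def fetch_name_by_id(conn, raw_id):
    uid = parse_id(raw_id)
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE id = ?", (uid,))]
```

With the password field set to the classic `' OR '1'='1`, login_vulnerable() returns every user id because the WHERE clause has been rewritten, while login_safe() returns nothing because the same text stayed data.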