Student Of Fortune

How To Handle MySQL Injection in PHP

If you use a MySQL database, for example for member login, then your website can most likely be accessed by people who are not entitled to it, through a hacking technique known as MySQL Injection. PHP provides a function to overcome this. Let's see ...
Before we learn to use the PHP function, it helps to explain a little about MySQL Injection first.

Basically, MySQL Injection is a way to manipulate the query that you send to your MySQL database table, so that the query is interpreted differently from what your PHP script intended when it reaches your MySQL database.

This manipulation can be used simply to log in illegally, or even worse, to delete the contents of the tables that you have. Dangerous, isn't it? Put simply, it can be described as follows.

For example, you have a simple query for a user login form, built in PHP with code like this:

$name = "bambang";
$query = "SELECT * FROM customers WHERE user = '$name'";
echo "Normal: " . $query . "\n";

// user input using a MySQL Injection
$name_manipulation = "'OR 1'";

// query for comparison, built the same unsafe way
$query_manipulation = "SELECT * FROM customers WHERE user = '$name_manipulation'";

// display the query after injection
echo "Injection: " . $query_manipulation;

The output of running it looks like this:

Normal: SELECT * FROM customers WHERE user = 'bambang'
Injection: SELECT * FROM customers WHERE user = ''OR 1''

With the normal first query, the database will select the customer called bambang.

However, MySQL Injection has made the query do something different. Just by adding a single quote, the manipulated input ends the string part of the query early, so that it becomes:

user = ''

and then adds OR 1 to the WHERE clause, which makes the condition ALWAYS TRUE. Note the end result after the query has been injected:

user = ''OR 1

ALWAYS TRUE!

If the PHP script previously only allowed customers that exist in the MySQL table to log in (in this case the one named bambang), then with this trick a valid customer name is no longer needed to get through the user login, because with the clause OR 1 the query condition is always true.
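An added example, not from the original post: the same customers lookup written with a PDO prepared statement, so the user name is bound as data and both inputs used above are treated as plain names. The in-memory SQLite database (standing in for MySQL so the script runs on its own), the pass_hash column, the sample password and the function names findCustomer and login are assumptions.

```php
<?php
// Added example. Assumes the PDO SQLite driver is installed; the in-memory
// table stands in for the MySQL "customers" table from the post.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With a mysql: DSN, PDO::ATTR_EMULATE_PREPARES can also be set to false
// so that the MySQL server itself performs the parameter binding.
$pdo->exec("CREATE TABLE customers (user TEXT PRIMARY KEY, pass_hash TEXT)");

// Constructed sample row.
$insert = $pdo->prepare("INSERT INTO customers (user, pass_hash) VALUES (?, ?)");
$insert->execute(['bambang', password_hash('constructed-sample', PASSWORD_DEFAULT)]);

function findCustomer(PDO $pdo, string $name): ?array
{
    // The SQL text is fixed; $name is sent separately and never parsed as SQL.
    $stmt = $pdo->prepare("SELECT user, pass_hash FROM customers WHERE user = :name");
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function login(PDO $pdo, string $name, string $password): bool
{
    // A login needs a matching row AND a matching password hash,
    // not just "the query returned something".
    $row = findCustomer($pdo, $name);
    return $row !== null && password_verify($password, $row['pass_hash']);
}

// The two inputs from the post: the normal name and the manipulated one.
foreach (['bambang', "'OR 1'"] as $name) {
    $row = findCustomer($pdo, $name);
    printf("%-10s lookup: %s\n", $name, $row === null ? 'no match' : 'found ' . $row['user']);
    printf("%-10s login:  %s\n", $name,
        login($pdo, $name, 'constructed-sample') ? 'accepted' : 'rejected');
}
```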
