question:What is Sql Injection !?
answer:A SQL injection attack attempts to compromise your database by creating SQL commands that are executed instead of, or in addition to, the commands that you have built into your application.
What Can Be Done to Prevent an SQL Injection !!
- Don’t use dynamic database queries.
- Don’t accept user input in queries.
Before we get into the coding part of the advice how to prevent an SQL injection, we need to start with the fundamental issues. SQL injections might be a frequent programming error but they aren’t the only way for a hacker to break into. If your underlying software – i.e. the database and the operating system have vulnerabilities, then your efforts to secure your code become obsolete. This is why you should always patch your system, especially your SQL server.
2. Limit the use of dynamic queries
As I already mentioned, dynamic queries are the door to SQL injections. Of course, it might not be realistic to expect that all dynamic queries can be trashed right away but some of the ways out are stored procedures, parameterized queries, and above all – prepared statements. The exact approaches vary from one programming language to the other but basically any programming language offers good substitutes of dynamic queries.
For instance, the PreparedStatement() with bind variables in Java, or the SqlCommand() and OleDbCommand() with bind variables in PHP, or strongly typed parameterized queries with bindParam() in PHP are all possibilities to explore.
3. Escape user input
The second biggest evil for SQL injections is user input. While you can’t always avoid user input completely, the next best thing is to escape it. Escaping user input doesn’t do as good job as limiting dynamic queries but still it can stop many SQL injection attacks. For instance, if you are using PHP, for GET and POST, use htmlspecialchars() to escape XSS characters and addslashes(), in case you using database. Alternatively, you can escape user input from inside your database but since the exact code varies from one database to the next, you should check with the docs of your database for the exact syntax to use.
4. Store database credentials in a separate file
In order to minimize the damage in case of an SQL injection attack, always store database credentials in a separate file. This way even if a hacker manages to break in, he or she won’t benefit much.
5. Use the principle of least privilege
The principle of least privilege is a security cornerstone and it applies to SQL injections as well. For instance, when you grant a user access only to the tables he or she needs rather to the whole database; this drastically reduces the damage potential.
6. Turn magic quotes off
Turning the magic_quotes_gpc variable off can also stop some SQL injection attacks. Unfortunately, this isn’t always a reliable measure because sometimes magic quotes might be off and you are unaware of this but still it is better than nothing. In any case, you need to have code to substitute quotes with slashes. Here is the simplest way to do it:
if (!get_magic_quotes_gpc()) {
$username = /*-!@#$%^&*=+($username);
$password = /*-!@#$%^&*=+($password);
}
7. Disable shells
Many databases offer shell access which essentially is what an attacker needs. This is why you need to close this door. Consult your DB’s documentation about how to disable shell access for your particular database.
8. Disable any other DB functionality you don’t need
In addition to the shells there are many other functions in a database you don’t need. While not all of them are a security risk, the general rule here is that less is more. Just remove or at least disable any functionality you can do without.
9. Test your code
Finally, the last step to ensure your code is SQL injections-proofed is to test it.
if you are good with hacking if you cant test it just quit
oh just to mention im who typed this tutorial so i dont need new noob come and say copy&past please
best regards
Mats0o0o0~aka~Volcan