Tips for PHP developers to prevent SQL injection

As we saw in our previous topic, there are several ways to prevent SQL injection. If you have not read it yet, read that first.

Today I am going to share some tips for PHP developers on how to secure their site against SQL injection. There are a number of things to do; one of them is below:


Let's see the first one.

Suppose your code is as below:

<?php
// Vulnerable: $_GET['id'] is concatenated straight into the SQL statement.
// (The mysql_* extension was removed in PHP 7; it is kept here as in the post.)
$result = mysql_query('select Text from pages where id=' . $_GET['id']);
while ($row = mysql_fetch_assoc($result)) {
    echo $row['Text'];
}
?>



The code above selects the page content, the "Text" column, from the "pages" table in the SQL database, choosing the right page with $_GET['id'], which is the id value in the URL...

for e.g. :                http://www.example.com/index.php?id=123

This code is easily injected by anyone, but if you do this...

<?php
// Escape the value AND put it inside quotes: the escaping only protects a quoted
// string context, so an unquoted id=... would still be injectable.
$id = mysql_real_escape_string($_GET['id']);
$result = mysql_query("select Text from pages where id='" . $id . "'");
while ($row = mysql_fetch_assoc($result)) {
    echo $row['Text'];
}
?>

Then this query is protected against that injection. If you like this post then please share it with your friends and make them aware of SQL injection too.

Ways to prevent SQL injection on your webserver

As we all know, SQL injection is today the easiest way to hack someone's website or any company's website. Today almost all hackers and script kiddies are using it....
So today I am going to share some ways to prevent SQL injection on your own website, or maybe on your company's website.

(1) Always use the email id instead of the user id

This is one of the best ways to prevent SQL injection. To prevent it you have to use an email id, so that the code written will validate the input in such a way that it will not accept anything other than an email address. An SQL injection string is then not acceptable, so SQL injection is prevented this way.

(2) Never use the default admin login page.

Another way to protect your website from SQL injection is to never use the default admin login page, i.e. a default login page name such as "AdminLogin". Instead use something different, such as "SuperLogin.asp" or "GentalLogin.asp", which cannot be found easily with search engine hacks (i.e. Google, Yahoo, Bing, etc.). So when a hacker searches for your AdminLogin page, he/she will search for "AdminLogin.asp" or "Admin|Login.asp" or something like this, will not get a result and will be frustrated, and hence your site is protected.

(3) Keep your Admin page hidden from others.

As we all know, nothing is secure in this universe; only one opportunity is required. SQL injection is only possible through your Admin login panel or sometimes through the URL. So never show or link your "AdminLogin" page on your site and always keep it hidden from other users. If you are showing the "AdminLogin" page directly on your site, then you are giving hackers an opportunity to hack your site.

(4) Social engineering.

Never show your website's vulnerabilities to anyone and never discuss them with any single person. Without asking or discussing, just try to find a solution by searching on Google. Finally, never show any type of warning message on your login page such as "We are using a transparent proxy, don't try to hack, otherwise legal action would be taken."


Friends, I hope you like these tips for preventing SQL injection on your website. If you like this and it helps in any way, then share it with others too.....


SQL METHOD ~ SQL MANIPULATION


As I discussed in the earlier post, this is the most commonly described attack for all types of databases (including SQL Server, MySQL, PostgreSQL, and Oracle). Let's see the SQL manipulation method in some detail, with basics......

Note: SQL statements are used in this chapter to demonstrate the SQL injection method. In order to be programming-language neutral, only the developer-intended and attacker-manipulated SQL statements are presented. The portions in blue italics show a sample of what input the programmer is expecting and what an attacker might actually enter into a string field of the application.

                       The most common type of SQL Injection attack is SQL manipulation.  The attacker attempts to modify  the existing SQL statement by adding elements to the WHERE clause or extending the SQL statement  with set operators like UNION, INTERSECT, or MINUS.  There are other possible variations, but these are the most significant examples.

Example : 

The classic SQL manipulation is during the login authentication. A simplistic web application may check user authentication by executing the following query and checking to see if any rows were returned –

SELECT * FROM users
WHERE username = 'bob' and PASSWORD = 'mypassword'  

The attacker attempts to manipulate the SQL statement to execute as –

SELECT * FROM users
WHERE username = 'bob' and PASSWORD = 'mypassword' or 'a' = 'a'  

Based on operator precedence, the WHERE clause is true for every row and the attacker has gained access to the application.

The set operator UNION is frequently used in SQL injection attacks. The goal is to manipulate a SQL statement into returning rows from another table. A web form may execute the following query to return a list of available products –

SELECT product_name FROM all_products
WHERE product_name like '%Chairs%'


The attacker attempts to manipulate the SQL statement to execute as –

SELECT product_name FROM all_products
WHERE product_name like '%Chairs' 
UNION 
SELECT username FROM dba_users 
WHERE username like '%'

The list returned to the web form will include all the selected products, but also all the database users.





SQL injection categories


SQL injection attacks are simple in nature – an attacker passes string input to an application in the hope of manipulating the SQL statement to his or her advantage. The complexity of the attack involves exploiting a SQL statement that may be unknown to the attacker. Open-source applications and commercial applications delivered with source code are more vulnerable since an attacker can find potentially vulnerable statements prior to an attack.


CATEGORIES OF SQL INJECTION ATTACKS

There are four main categories of SQL Injection attacks against Oracle databases –

1.  SQL Manipulation
2.  Code Injection
3.  Function Call Injection
4.  Buffer Overflows

The first two categories, SQL manipulation and code injection, should be well known to the reader, as these are the most commonly described attacks for all types of databases (including SQL Server, MySQL, PostgreSQL, and Oracle).

SQL manipulation typically involves modifying the SQL statement through set operations (e.g., UNION) or altering the WHERE clause to return a different result. Many documented SQL injection attacks are of this type. The most well known attack is to modify the WHERE clause of the user authentication statement so the WHERE clause always results in TRUE.

Code injection is when an attacker inserts new SQL statements or database commands into the SQL statement. The classic code injection attack is to append a SQL Server EXECUTE command to the vulnerable SQL statement. Code injection only works when multiple SQL statements per database request are supported. SQL Server and PostgreSQL have this capability and it is sometimes possible to inject multiple SQL statements with Oracle. Oracle code injection vulnerabilities involve the dynamic execution of SQL in PL/SQL.

The last two categories are more specific attacks against Oracle databases and are not well known or documented. In the vast majority of our application audits, we have found applications vulnerable to these two types of attacks.

Function call injection is the insertion of Oracle database functions or custom functions into a vulnerable SQL statement. These function calls can be used to make operating system calls or manipulate data in the database.

SQL injection of buffer overflows is a subset of function call injection. In several commercial and open-source databases, vulnerabilities exist in a few database functions that may result in a buffer overflow. Patches are available for most of these vulnerabilities, but many production databases remain un-patched.

WHAT’S VULNERABLE

An application is vulnerable to SQL injection for only one reason – end user string input is not properly validated and is passed to a dynamic SQL statement without any such validation. The string input is usually passed directly to the SQL statement. However, the user input may be stored in the database and later passed to a dynamic SQL statement, referred to as a second-order SQL injection. Because of the stateless nature of many web applications, it is common to write data to the database or store it using some other means between web pages. This indirect type of attack is much more complex and often requires in-depth knowledge of the application.

WHAT’S NOT VULNERABLE

SQL statements using bind variables are generally protected from SQL injection as the Oracle database will use the value of the bind variable exclusively and not interpret the contents of the variable in any way. PL/SQL and JDBC allow for bind variables. Bind variables should be extensively used for both security and performance reasons.
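The following is an added example, not code from any of the posts above: it runs the login tautology and the UNION manipulation from the SQL manipulation post, plus the unquoted numeric id from the PHP post, against a constructed in-memory sqlite3 database, once with string concatenation and once with bind variables. Table and column names follow the posts; the rows are made up.

```python
import sqlite3

# Constructed in-memory stand-in for the tables the posts above mention: "pages",
# "users", "all_products" and "dba_users" (sqlite3 here; the principle is the same
# for MySQL or Oracle).
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pages (id INTEGER, text TEXT);
        INSERT INTO pages VALUES (123, 'public page'), (124, 'private page');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('bob', 'not-mypassword');
        CREATE TABLE all_products (product_name TEXT);
        INSERT INTO all_products VALUES ('Office Chairs'), ('Desks');
        CREATE TABLE dba_users (username TEXT);
        INSERT INTO dba_users VALUES ('SYS'), ('SYSTEM');
    """)
    return db

# Vulnerable: the input is pasted into the statement text, so "mypassword' or 'a' = 'a"
# rewrites the WHERE clause exactly as shown in the SQL manipulation post.
def login_concat(db, username, password):
    sql = ("SELECT * FROM users WHERE username = '" + username +
           "' and password = '" + password + "'")
    return db.execute(sql).fetchall()

# Protected: a bind variable is sent as a value; the database never parses it as SQL.
def login_bound(db, username, password):
    sql = "SELECT * FROM users WHERE username = ? and password = ?"
    return db.execute(sql, (username, password)).fetchall()

# Vulnerable: the UNION example from the post appends a second SELECT.
def products_concat(db, term):
    sql = "SELECT product_name FROM all_products WHERE product_name like '%" + term + "%'"
    return [r[0] for r in db.execute(sql)]

def products_bound(db, term):
    sql = "SELECT product_name FROM all_products WHERE product_name like ?"
    return [r[0] for r in db.execute(sql, ("%" + term + "%",))]

# The unquoted numeric id from the PHP post: escaping alone does not help there,
# a bound parameter does (a non-numeric string simply matches no row).
def page_text_bound(db, page_id):
    return [r[0] for r in db.execute("SELECT text FROM pages WHERE id = ?", (page_id,))]

if __name__ == "__main__":
    db = build_db()
    tautology = "mypassword' or 'a' = 'a"
    print(login_concat(db, "bob", tautology))   # bob's row, without knowing the password
    print(login_bound(db, "bob", tautology))    # []
    union = "Chairs' UNION SELECT username FROM dba_users WHERE username like '"
    print(products_concat(db, union))   # products plus the database users
    print(products_bound(db, union))    # []
    print(page_text_bound(db, "123 or 1=1"))    # []
```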


What Is SQL Injection?


Most of my students ask me about SQL injection, so today I shall share some information about it... This concept is too wide; here I show you the overview only.

Most application developers underestimate the risk of SQL injection attacks against applications that use Oracle as the back-end database. Our audits of custom web applications show many application developers do not fully understand the risk of SQL injection attacks and the simple techniques used to prevent such attacks.

This blog is intended for application developers, database administrators, and application auditors to highlight the risk of SQL injection attacks and demonstrate why web applications may be vulnerable. It is not intended to be a tutorial on executing SQL attacks and does not provide instructions on executing these attacks.

SQL INJECTION OVERVIEW 


SQL injection is a basic attack used either to gain unauthorized access to a database or to retrieve information directly from the database. The basic principles underlying SQL injection are simple and these types of attacks are easy to execute and master.

Any program or application may be vulnerable to SQL injection, including stored procedures executed with a direct database connection, Oracle Forms applications, web applications, etc. Numerous SQL injection vulnerabilities have been found in the standard Oracle Database packages such as DBMS_DATAPUMP, DBMS_REGISTRY, and DBMS_METADATA (see Oracle Critical Patch Update January 2006). Web applications are at highest risk of attack since often an attacker can exploit SQL injection vulnerabilities remotely without any database or application authentication.

Web applications using Oracle as a back-end database are more vulnerable to SQL injection attacks than most application developers think. Our application audits have found many web applications vulnerable to SQL injection even though well-established coding standards were in place during development of many of these applications. Function-based SQL injection attacks are of most concern, since these attacks do not require knowledge of the application and can be easily automated.


Fortunately, SQL injection attacks are easy to defend against with simple coding practices. However, every parameter passed to every dynamic SQL statement must be validated or bind variables must be used.

SQL INJECTION: ORACLE VERSUS OTHER DATABASES 


Oracle generally fares well against SQL injection attacks as there is no multiple SQL statement support (SQL Server and PostgreSQL), no EXECUTE statement (SQL Server), and no INTO OUTFILE function (MySQL) – all methods frequently used to exploit SQL injection vulnerabilities. In addition, the use of bind variables in Oracle environments for performance reasons provides the most effective protection against SQL injection attacks.

Oracle may have fewer attack vectors for SQL injection than other databases; however, Oracle-based applications without proper defenses against these types of attacks can still be vulnerable and can be easily exploited through SQL injection vulnerabilities.



How GPS Works



For those who are unfamiliar with the term, GPS stands for "Global Positioning System", and is a way of locating a receiver in three-dimensional space anywhere on the Earth, and even in orbit about it.

To understand exactly why it is so useful and important, we should first look at how GPS works and, more importantly, at what technological achievements have driven the development of this fascinating positioning system.


This depends on basically three things:


(1) SIGNALS



In order for GPS to work, a network of satellites was placed into orbit around planet Earth, each broadcasting a specific signal, much like a normal radio signal. This signal can be received by a low-cost, low-technology aerial, even though the signal is very weak.

The signals that are broadcast by the satellites carry data that is passed from the aerial, decoded and used by the GPS software. The information is specific enough that the GPS software can identify the satellite and its location in space, and calculate the time that the signal took to travel from the satellite to the GPS receiver. Using different signals from different satellites, the GPS software is able to calculate the position of the receiver.

If you can identify three places on your map, take a bearing to where they are, and draw three lines on the map, then you will find out where you are on the map.

The lines will intersect, and, depending on the accuracy of the bearings, the triangle that they form where they intersect will approximate your position, within a margin of error.

The result of the "trilateration" (the term used when distances are used instead of bearings) of at least three satellites, assuming that the clocks are all synchronized, enables the software to calculate, within a margin of error, where the device is located in terms of its latitude (East-West) and longitude (North-South) and distance from the centre of the Earth.

(2) TIME AND CORRECTION


In a perfect world, the accuracy should be absolute, but there are many different factors which prevent this. Principally, it is impossible to ensure that the clocks are all synchronized.

            Since the satellites each contain atomic clocks which are extremely accurate, and certainly accurate with respect to each other, we can assume that most of the problem lies with the clock inside the GPS unit itself. 

A fourth satellite is used to provide a cross check in the trilateration process. Since trilateration from three signals should pinpoint the location exactly, adding a fourth will move that location; that is, it will not intersect with the calculated location. This indicates to the GPS software that there is a discrepancy, and so it performs an additional calculation to find a value that it can use to adjust all the signals so that the four lines intersect.

Usually, this is as simple as subtracting a second (for example) from each of the calculated travel times of the signals. Thus, the GPS software can also update its own internal clock, which means that not only do we have an accurate positioning device, but also an atomic clock in the palm of our hands.
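As an added example (not part of the original post), the calculation described in sections (1) and (2) carried through: four pseudoranges, each the true distance plus the receiver clock error times the speed of light, are solved by Gauss-Newton for the three coordinates and the clock correction at once. Satellite positions, receiver position and the 1 ms clock error are constructed values, not real ephemeris.

```python
import math

C = 299_792_458.0  # speed of light in m/s

# Constructed scenario (hypothetical values, not real ephemeris): four satellites
# in ECEF metres, a receiver on the Earth's surface and a receiver clock 1 ms fast.
SATS = [(5000e3, 10000e3, 24000e3), (20000e3, 5000e3, 16000e3),
        (-12000e3, 18000e3, 15000e3), (8000e3, -15000e3, 20000e3)]
TRUE_POS = (1000e3, 2000e3, 5970e3)
TRUE_BIAS = 1e-3  # seconds; unknown to the receiver

def dist(a, b):
    return math.sqrt(sum((u - v) ** 2 for u, v in zip(a, b)))

def pseudoranges(sats, pos, bias):
    # What the receiver measures: travel time * c, corrupted by its own clock error.
    return [dist(s, pos) + C * bias for s in sats]

def solve(A, y):
    # Gaussian elimination with partial pivoting for the small square system A x = y.
    n = len(y)
    M = [row[:] + [y[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(c + 1, n):
            f = M[r][c] / M[c][c]
            for k in range(c, n + 1):
                M[r][k] -= f * M[c][k]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (M[r][n] - sum(M[r][k] * x[k] for k in range(r + 1, n))) / M[r][r]
    return x

def solve_position(sats, rho, iters=20):
    # Gauss-Newton on (x, y, z, c*bias). Three ranges fix three coordinates only if
    # the clock is perfect; the fourth satellite makes the clock error solvable too.
    x, y, z, cb = 0.0, 0.0, 0.0, 0.0   # start at the Earth's centre, zero bias
    for _ in range(iters):
        J, r = [], []
        for s, p in zip(sats, rho):
            d = dist(s, (x, y, z))
            J.append([(x - s[0]) / d, (y - s[1]) / d, (z - s[2]) / d, 1.0])
            r.append(p - d - cb)                 # measured minus predicted
        dx = solve(J, r)
        x, y, z, cb = x + dx[0], y + dx[1], z + dx[2], cb + dx[3]
        if max(abs(v) for v in dx) < 1e-4:     # converged to 0.1 mm
            break
    return (x, y, z), cb / C   # position in metres, clock bias in seconds

if __name__ == "__main__":
    pos, bias = solve_position(SATS, pseudoranges(SATS, TRUE_POS, TRUE_BIAS))
    print("position error (m): %.4f" % dist(pos, TRUE_POS))
    print("recovered clock bias (s): %.9f" % bias)
```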

(3) MAPPING

Knowing where the device is in space is one thing, but it is fairly useless information without something to compare it with. Thus, the mapping part of any GPS software is very important; it is how GPS works out possible routes, and allows the user to plan trips in advance.
            In fact, it is often the mapping data which elevates the price of the GPS solution; it must be accurate and updated reasonably frequently. There are, however, several kinds of map, and each is intended for different users, with different needs. 
            Road users, for example, require that their mapping data contains accurate information about the road network in the region that they will be traveling in, but will not require detailed information about the lie of the land - they do not really worry about the height of hills and so forth. 
Marine users need very specific information relating to the sea bed, navigable channels, and other pieces of maritime data that enable them to navigate safely. Of course, the sea itself is reasonably featureless, but underneath quite some detail is needed to be sure that the boat will not become grounded.
           Special kinds of marine GPS, known as fishfinders, also combine several functions in one to help fishermen. A fishfinder comprises GPS and also sonar, along with advanced tracking functions and storage for various kinds of fishing and maritime information. 




