Escape User Input
Escape all user-supplied data.
// Vulnerable: the raw query parameter is concatenated straight into the SQL text.
$query = "SELECT price FROM products WHERE sku='"
. $_GET['sku'] . "';";

// Fixed: escape the value with the database's own escaping function first, so a
// quote (or other metacharacter) in the input cannot terminate the string literal.
// (mysql_real_escape_string needs an open connection; the mysql extension was
// removed in PHP 7, where mysqli_real_escape_string or PDO plays the same role.)
$escaped_sku = mysql_real_escape_string($_GET['sku']);
$query = "SELECT price FROM products WHERE sku='"
. $escaped_sku . "';";
Motivation
SQL injection is one of the most common sources of security breaches on the Web today. It is probably easier to
find a database-backed site with a SQL injection vulnerability than one without. SQL injection has led to
theft of confidential customer data, web-site defacement, credit card fraud, privacy breaches, denial of service,
spam, phishing, virus propagation, and almost every other computer-assisted crime you can imagine.
Potential Trade-offs
None.
Mechanics
Never treat user-supplied data as code, be it SQL, JavaScript, XSLT, or anything else. Only treat it as data. In
particular, do not build executable statements by simple string concatenation of user-supplied values with code.
This is begging for trouble. Escaping every value with the database's own escaping function (as in the example
above) is the minimum. Where the database API offers prepared statements with bound parameters, prefer those: the
value then travels separately from the SQL text, is never parsed as SQL, and needs no escaping at all.
To demonstrate the problem, consider a simple search form such as this one:
<form name="search" action="/search.php" method="get">
<input size="12" name="terms">
<input type="submit" value="Search"/>
</form>
It looks innocuous enough, but it can easily hide some serious security holes. For example, suppose it's handled
by a very basic PHP script such as this one:
$keywords = $_GET['terms'];
// Vulnerable: the search terms are pasted into the SQL text and become part of the statement.
$query = "SELECT url, title FROM pages WHERE content LIKE '%"
. $keywords . "%';";
$result = mysql_query($query);
You may very well have given hackers the ability to delete every row in your database. For example, imagine
they search for this:
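The following is an added example, not code from the original page. It reproduces the search script above in Python against an in-memory SQLite database so that it runs stand-alone: the same concatenated LIKE query, the page's escape-then-concatenate fix, and a bound-parameter version. The tables, rows and the hostile `terms` value are all constructed for the example; `escape_sqlite` stands in for `mysql_real_escape_string` and implements SQLite's (simpler) literal-escaping rule, not MySQL's.

```python
import sqlite3

# Constructed sample data (not from the page): a "pages" table like the one
# the search form queries, plus a "users" table the search must never expose.
PAGES = [
    ("/index.html", "Home", "welcome to our store"),
    ("/faq.html", "FAQ", "frequently asked questions"),
    ("/sku-42.html", "Widget", "blue widget, sku 42"),
]
USERS = [("alice", "hashed-secret")]

# Attacker-controlled value of the "terms" parameter (constructed). It closes
# the open string literal, appends a UNION that pulls rows from users, and
# comments out the remainder of the original statement.
PAYLOAD = "' UNION SELECT username, password_hash FROM users -- "


def make_db():
    """Build an in-memory database holding the constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE pages (url TEXT, title TEXT, content TEXT);"
        "CREATE TABLE users (username TEXT, password_hash TEXT);"
    )
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", PAGES)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def search_concat(conn, terms):
    """The page's vulnerable pattern: user input spliced into the SQL text."""
    query = "SELECT url, title FROM pages WHERE content LIKE '%" + terms + "%'"
    return conn.execute(query).fetchall()


def escape_sqlite(value):
    """Escape a value for use inside a single-quoted SQLite string literal.

    Stand-in for mysql_real_escape_string. Escaping rules are dialect-specific:
    in a SQLite literal only the quote itself is special (it is doubled), while
    MySQL also needs backslashes, NUL bytes and newlines handled, which is why
    the page calls the database's own function rather than rolling its own.
    """
    return value.replace("'", "''")


def search_escaped(conn, terms):
    """The page's fix: escape the value, then concatenate as before."""
    query = (
        "SELECT url, title FROM pages WHERE content LIKE '%"
        + escape_sqlite(terms)
        + "%'"
    )
    return conn.execute(query).fetchall()


def search_param(conn, terms):
    """Stronger fix: a bound parameter is never parsed as SQL at all."""
    return conn.execute(
        "SELECT url, title FROM pages WHERE content LIKE ?", ("%" + terms + "%",)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated, hostile input :", search_concat(db, PAYLOAD))
    print("escaped, hostile input      :", search_escaped(db, PAYLOAD))
    print("parameterised, hostile input:", search_param(db, PAYLOAD))
    print("parameterised, normal input :", search_param(db, "widget"))
```

With the hostile value, `search_concat` returns every page plus the `users` rows, because the statement that actually runs is `... LIKE '%' UNION SELECT username, password_hash FROM users -- %'`. Both fixed versions return nothing for the same input, since the whole string is now matched as literal text. One caveat neither fix addresses: `%` and `_` are still LIKE wildcards inside a bound or escaped value, so a user can still search with patterns; that is a matching issue, not injection, and needs separate handling if it matters.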