f6f50117da925a7d02a99ecb53577aa9 - Wrapsacks

stizzahaddockΛογισμικό & κατασκευή λογ/κού

14 Δεκ 2013 (πριν από 4 χρόνια και 7 μήνες)

102 εμφανίσεις

SQL Injection

What is sql injection?

SQL injection refers to the act of someone inserting a MySQL statement to be run on your
database without your knowledge. Injection usually occurs when you ask a user for input, like
their name, and instead of a name t
hey give you a MySQL statement that you will unknowingly
run on your database.

sql injection example

Below is a sample string that has been gathered from a normal user and a bad user trying to
use SQL Injection. We asked the users for their login, which wi
ll be used to run a SELECT
statement to get their information.

MySQL & PHP Code:

$name = "timmy";

$query = "SELECT * FROM customers WHERE username = '$name'";

echo "Normal: " . $query . "<br />";

$name_bad = "' OR 1'"

$query_bad = "SELECT * FROM custo
mers WHERE username = '$name_bad'";

echo "Injection: " . $query_bad;


Normal: SELECT * FROM customers WHERE username = 'timmy'

Injection: SELECT * FROM customers WHERE username = '' OR 1''

The normal query is no problem, as our MySQL statement will

just select everything from
customers that has a username equal to


, the injection attack has actually made our query behave differently than we
intended. By using a single quote (') they have ended the string part of our MySQL query

e = ' '

and then added on to our WHERE statement with an OR clause of 1 (always true).

username = ' '

OR 1

This OR clause of 1 will always be


and so

every single entry

in the "customers" table
would be selected by this statement!

more serious sql inje
ction attacks

Although the above example displayed a situation where an attacker could possibly get
access to a lot of information they shouldn't have, the attacks can be a lot worse. For example an
attacker could empty out a table by executing a


MySQL & PHP Code:

$name_evil = "'; DELETE FROM customers WHERE 1 or username = '"

$query_evil = "SELECT * FROM customers WHERE username = '$name_evil'";

echo "Injection: " . $query_evil;


SELECT * FROM customers WHERE username = ' '; D
ELETE FROM customers WHERE 1 or
username = ' '

If you were run this query, then the injected DELETE statement would completely empty your
"customers" table. Now that you know this is a problem, how can you prevent it?

injection prevention


Lucky for you, this problem has been known for a while and PHP has a specially
function to prevent these attacks. All you need to do is use the mouthful of a




does is take a s
tring that is going to be used in a MySQL
query and return the same string with all SQL Injection attempts safely escaped. Basically, it will
replace those troublesome quotes(') a user might enter with a MySQL
safe substitute, an
escaped quote

Lets try

out this function on our two previous injection attacks and see how it works.

MySQL & PHP Code:

$name_bad = "' OR 1'";

$name_bad = mysql_real_escape_string($name_bad);

$query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";

echo "Escaped Bad

Injection: <br />" . $query_bad . "<br />";

$name_evil = "'; DELETE FROM customers WHERE 1 or username = '";

$name_evil = mysql_real_escape_string($name_evil);

$query_evil = "SELECT * FROM customers WHERE username = '$name_evil'";

echo "Escaped Evil Inje
ction: <br />" . $query_evil;


Escaped Bad Injection:

SELECT * FROM customers WHERE username = '
' OR 1

Escaped Evil Injection:

SELECT * FROM customers WHERE username = '
'; DELETE FROM customers WHERE 1 or
username =

Web Services in PHP

Web services are application components

Web services communicate using open protocols

Web services are self
contained and self

Web services can be discovered using UDDI

Web services can be used by other applications

XML is the basis for Web ser

The basic Web services platform is XML + HTTP.

The HTTP protocol is the most used Internet protocol.

XML provides a language which can be used between different platforms and programming
languages and still express complex messages and functions.


services platform elements:

SOAP (Simple Object Access Protocol)

UDDI (Universal Description, Discovery and Integration)

WSDL (Web Services Description Language)


SOAP is a simple XML
based protocol to let applications exchange information over HTTP.

Or more simple: SOAP is a protocol for accessing a Web Service.

SOAP stands for Simple Object Access Protocol

SOAP is a communication protocol

SOAP is a format for sending messages

SOAP is designed to communicate via Internet

SOAP is platform independent

OAP is language independent

SOAP is based on XML

SOAP is simple and extensible

SOAP allows you to get around firewalls

SOAP is a W3C standard


WSDL is an XML
based language for describing Web services and how to access them.

WSDL stands for Web Service
s Description Language

WSDL is based on XML

WSDL is used to describe Web services

WSDL is also used to locate Web services

WSDL is a W3C standard


UDDI is a directory service where businesses can register and search for Web services.

UDDI stands for
Universal Description, Discovery and Integration

UDDI is a directory for storing information about web services

UDDI is a directory of web service interfaces described by WSDL

UDDI communicates via SOAP

UDDI is built into the Microsoft .NET platform

y management in PHP

Resource management is a crucial issue, especially in server software. One of the most valuable
resources is memory, and memory management should be handled with extreme care. Memory
management has been partially abstracted in Zend, and

you should stick to this abstraction for
obvious reasons: Due to the abstraction, Zend gets full control over all memory allocations. Zend
is able to determine whether a block is in use, automatically freeing unused blocks and blocks
with lost references,

and thus prevent memory leaks. The functions to be used are described in
the following table:




Serves as replacement for


Serves as replacement for


Serves as replacement for


Serves as replacement for
. Faster than

and binary
safe. This is
the recommended function to use if you know the string length prior to duplicating it.


Serves as replacement for


Serves as replac
ement for

, and

allocate internal memory;

frees these previously allocated blocks. Memory handled by the

functions is considered local
to the current process and is discarded a
s soon as the script executed by this process is