Yorkville High School Computer Science Department
Yorkville High School Computer Science Department on Facebook  Yorkville High School Computer Science Department Twitter Feed  Yorkville High School Computer Science Department on Instagram

Yorkville High School Computer Science

ASSIGNMENTS: Build a Computer - September 25, 2018 :: Network App - December 14, 2018

Computer Security :: Lessons :: SQL Injection

SQL Injection

Databases are the most common target of attacks on web applications. Various versions of SQL (Structured Query Language) are used on the web, but MySQL is one of the most popular. A SQL injection targets a SQL database by exploiting some of the language's peculiarities. Steve Friedl's Unix Wiz website provides a number of good examples of SQL injections. Read through some of his examples to get an idea of how SQL injections work. You can also check out the video below to see a live demo of SQL injection.

The reason SQL injection works is the SQL server doesn't care where the commands it receives came from. SQL simply runs the commands it is given with no question. Sanitizing the input sent to SQL queries can help, but it can be nearly impossible to determine all the possible malicious input that could sneak through your sanitation attempts. The most secure way to prevent SQL injection is by using parameterized queries.

Parameterized Queries

Paramaterized queries are queries that use placeholders for parameters. The values for the placeholders are supplied at execution. This has a dual effect of preventing SQL injection since the input from the user is not treated as part of the SQL query and increased efficiency since the query can be stored and reused with multiple inputs. The video below provides a succinct example of using prepared statements to generate parameterized queries using PHP and MySQL.

Encryption with PHP

PHP has a number of useful functions you can use to encrypt/decrypt data. The video below goes through a few. Please note that you should NOT use SHA1 anymore as it is not considered secure.

Yorkville High School Computer Science Department on Facebook Yorkville High School Computer Science Department Twitter Feed Yorkville High School Computer Science Department on Instagram