The Internet is growing rapidly, and developers all around the world are churning out new web applications at an amazing pace. While functionality and eye candy are usually given top priority, security is often left on the back-burner.
SQL Injection
Probably the best-known web application vulnerability is SQL injection. Put simply, when creating SQL it is not uncommon to build the query by inserting variables into a string. Because the database parses the finished string as SQL, anything an attacker can place in those variables (quotes, operators, keywords) becomes part of the query's logic rather than plain data, and that opens you up to a massive array of potential exploits.
For example, let's say you have an SQL query to allow users to log in:
SELECT * FROM user WHERE username = '$user' and password = '$pass'
In this case, we are inserting the $user and $pass variables into the query verbatim. If an attacker wanted to gain unauthorised access to this site, they could enter malicious data into one of the fields on the login form.
For example, if an attacker entered the text foo' or true or ' (including the single quote characters) into the password field, with john_doe as the username, the SQL statement would be generated as:
SELECT * FROM user WHERE username = 'john_doe' and password = 'foo' or true or ''
Because AND binds more tightly than OR, the database reads this as (username = 'john_doe' and password = 'foo') or true or '', and the "or true" makes the condition succeed for every row. The query therefore returns every user in the table without the attacker knowing any password, and an application that treats a non-empty result as a successful login will let them in (typically as whichever user the database returns first).
The simple solution to this is to "escape" values before inserting them into the SQL query. This adds backslashes before any quote characters (along with a few other special characters) so that the value cannot terminate the string literal and be interpreted as code by the SQL engine. Note that this only protects values that are placed inside quotes, and it relies on the connection's character set being configured correctly; in PHP the old mysql_ extension was removed in PHP 7, so the equivalent today is mysqli_real_escape_string().
i.e. $password = mysql_real_escape_string( $password );
A better solution is to use parameterised queries (prepared statements), such that the value is never actually inserted into the SQL text at all:
$sql = "SELECT * FROM user WHERE username = ? and password = ?";
$results = query( $sql, $username, $password );
This sends the query text and the values of $username and $password to the database separately; the database substitutes the values for the question marks only after it has parsed the query, so they are treated purely as data and can never be executed as code. (The query() call here stands in for your driver's prepare/execute calls, for example PDO's prepare() and execute() in PHP.)
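As an added example (not code from the original article), here is the vulnerable string-built login query and its parameterised replacement side by side, run against an in-memory SQLite database with constructed sample rows. SQLite and Python's sqlite3 module stand in for the MySQL and PHP setup the article assumes, and the table contents and user names are made up. It goes slightly beyond the article by also trying the classic ' or '1'='1 payload: both payloads make the string-built query return every user, while the same strings handed to the parameterised query match nothing.

```python
import sqlite3

# The article's payload, single quotes included, typed into the password field.
PAYLOAD = "foo' or true or '"
# A second classic payload (assumed here, not from the article) for comparison.
PAYLOAD_CLASSIC = "' or '1'='1"


def make_db():
    """Build an in-memory table with constructed sample users (not real data).
    Plaintext passwords are used only to keep the demonstration short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?)",
        [("john_doe", "s3cret"), ("alice", "hunter2")],
    )
    return conn


def build_query_vulnerable(user, pw):
    """Build the query the article's way: values spliced straight into the SQL text."""
    return (
        f"SELECT username FROM user WHERE username = '{user}' and password = '{pw}'"
    )


def login_vulnerable(conn, user, pw):
    """Run the string-built query. A quote inside `pw` terminates the literal,
    so the rest of the payload becomes part of the WHERE clause."""
    sql = build_query_vulnerable(user, pw)
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterised(conn, user, pw):
    """Same query with placeholders. The SQL text is fixed; the driver sends the
    values separately, so quotes inside them are just characters in a string."""
    sql = "SELECT username FROM user WHERE username = ? and password = ?"
    return sorted(row[0] for row in conn.execute(sql, (user, pw)))


if __name__ == "__main__":
    conn = make_db()
    print(build_query_vulnerable("john_doe", PAYLOAD))
    # Precedence: (username = 'john_doe' and password = 'foo') or true or ''
    # "or true" is satisfied by every row, so the whole table comes back.
    print("vulnerable:     ", login_vulnerable(conn, "john_doe", PAYLOAD))
    print("vulnerable:     ", login_vulnerable(conn, "nobody", PAYLOAD_CLASSIC))
    # The placeholder version compares the password column against the literal
    # string "foo' or true or '", which no user has, so nothing matches.
    print("parameterised:  ", login_parameterised(conn, "john_doe", PAYLOAD))
    print("parameterised:  ", login_parameterised(conn, "nobody", PAYLOAD_CLASSIC))
    # Legitimate credentials still work with the parameterised query.
    print("real password:  ", login_parameterised(conn, "john_doe", "s3cret"))
```

Running the script prints the generated SQL so you can see where the payload lands, followed by the two result sets. The parameterised function never builds a string from user input at all, which is the property you want: there is no escaping step to forget, and it holds regardless of what characters the driver's escaping routine happens to handle.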
In my next article, I will be covering the basics of Cross Site Scripting.