xpresszine|xpress magazine

SQL Injection is a technique that exploits a security vulnerability at the database layer of an application. It is a special way of crafting or designing an input string such that the user gets control over the database.

For eg: Mostly all database related statements would look similar to:
SELECT * FROM EMPLOYEE WHERE EMP_ID = ' + $emp_id + ' AND PASSWD = ' + $passwd + ';

Imagine if an user inputs the passwrod string like
e' or 'e'='e

then the query would become
SELECT * FROM EMPLOYEE WHERE EMP_ID = ' + $emp_id + ' AND PASSWD = 'e' OR 'e'='e';

This would always evaluate to true and would grant the user access to the whole data.
A notorius user can even write multiple query lines to say Drop Table etc.

Two Steps to tackle this situation:
1. Limit Permissions:
The DB administrator should create different users depending on the kind of action performed, and appropriate credentials with least priviledges necessary for a task to be performed should be used. This could prevent most attacks but not all.

2. Clean the Input String:
PHP team has already released a function "mysql_real_escape_string()" to tackle this situation. This function replaces the (‘) with a (\’) and thus would not allow the attack.
So all you have to do is:
$passwd = mysql_real_escape_string($passwd);

Now the query would become:
SELECT * FROM EMPLOYEE WHERE EMP_ID = ' + $emp_id + ' AND PASSWD = 'e\' OR \'e\'=\'e';

Hope this helps!!!