SQL injection, insertion | HostGator Support

SQL injection, insertion


SQL injection is an attack in which untrusted input (a form field, URL parameter, cookie, etc.) is built into an SQL query so that the database server executes the attacker's text as part of the command. A successful injection can give the attacker read access to confidential data, let them modify or destroy critical data, or let them bypass authentication entirely.

The methods below apply to anyone who writes code that builds SQL queries from user input (PHP developers and the like). If you only run a database-driven application (e.g., WordPress, Joomla, OSCommerce), you do not write those queries yourself; your job is to keep the application and its plugins upgraded to the latest version, because that is how injection fixes reach your site.

Methods to prevent SQL Injection

Escaping

One way to prevent injections is to escape the characters that have special meaning inside a quoted SQL string (the apostrophe, double quote, backslash, NUL byte and line breaks; the semicolon is not one of them and is not touched by the escaping functions). In PHP this was traditionally done by running the input through mysql_real_escape_string before building the query. That function belongs to the old mysql extension, which was removed in PHP 7; the equivalent in the mysqli extension is mysqli_real_escape_string, which takes the open connection as its first argument so that it can escape correctly for the connection's character set. Escaping only protects values that the query places inside quotes: a value spliced into a numeric context (WHERE Id=$id) or used as a table or column name is not protected by it. Example:

// $link is an open mysqli connection; mysql_real_escape_string() no longer exists in PHP 7+
$Uname = mysqli_real_escape_string($link, $Uname);
$Pword = mysqli_real_escape_string($link, $Pword);
// escaping is only effective because both values sit inside single quotes below
$query = "SELECT * FROM Users WHERE UserName='$Uname' AND Password='$Pword'";
mysqli_query($link, $query);

Parameterized Statements

A parameterized (prepared) query uses placeholders for the input. The query text is sent to the database on its own, and the parameter values are supplied separately at execution time, so a value can never be parsed as part of the SQL no matter what characters it contains. Example, using the sqlsrv extension for Microsoft SQL Server:

// $connection is an open sqlsrv connection; each ? is filled, in order, from $params
$params = array($Uname, $Pword);
$sql = 'INSERT INTO Users (UserName, Password) VALUES (?, ?)';
$query = sqlsrv_query($connection, $sql, $params);

Advanced:

There are multiple choices in PHP 5 and above for using parameterized statements. The PDO database layer (PDO::prepare followed by PDOStatement::execute) is one and works the same way across database vendors. There are also vendor-specific methods; for example, the mysqli extension's prepared statements (mysqli_prepare and mysqli_stmt_bind_param), which require MySQL 4.1 or later.
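The following script is an added example, not HostGator's own code. It shows the same user lookup written three ways (string splicing, escaping, and a PDO prepared statement) and runs against an in-memory SQLite database so it works offline with the php CLI (pdo_sqlite is bundled with most PHP builds). The table, its rows, the attacker inputs and the escapeSqlite() helper are all constructed for the demonstration; the helper stands in for mysqli_real_escape_string(), which needs a live MySQL connection. It also goes one step beyond the text above by showing the numeric-context case where escaping gives no protection at all.

```php
<?php
// Added example (not HostGator's code). The same lookup written three ways against
// an in-memory SQLite database through PDO, so it runs offline with the php CLI.
// The table, its rows and the attacker inputs are constructed for the demonstration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (Id INTEGER PRIMARY KEY, UserName TEXT, Password TEXT)');
// Plaintext passwords are used only to keep the demo short; real code stores
// password_hash() output and checks it with password_verify() after the lookup.
$db->exec("INSERT INTO Users (UserName, Password) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// SQLite escapes an apostrophe inside a string literal by doubling it. This
// hand-written helper (an assumption for the demo) plays the role that
// mysqli_real_escape_string() plays for MySQL, which additionally escapes
// backslashes, NUL bytes and line breaks.
function escapeSqlite(string $value): string
{
    return str_replace("'", "''", $value);
}

// 1. Vulnerable: user input is spliced straight into the query text.
function loginUnsafe(PDO $db, string $user, string $pass): int
{
    $sql = "SELECT COUNT(*) FROM Users WHERE UserName='$user' AND Password='$pass'";
    return (int) $db->query($sql)->fetchColumn();
}

// 2. Escaped: safe here only because both values sit inside single quotes.
function loginEscaped(PDO $db, string $user, string $pass): int
{
    $u = escapeSqlite($user);
    $p = escapeSqlite($pass);
    $sql = "SELECT COUNT(*) FROM Users WHERE UserName='$u' AND Password='$p'";
    return (int) $db->query($sql)->fetchColumn();
}

// 3. Parameterized: query text and values travel separately, so a value can
//    never change the structure of the statement.
function loginPrepared(PDO $db, string $user, string $pass): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM Users WHERE UserName = ? AND Password = ?');
    $stmt->execute([$user, $pass]);
    return (int) $stmt->fetchColumn();
}

// The limit of escaping: a numeric column compared without quotes. The escaping
// helper changes nothing because the payload contains no apostrophe.
function countByIdEscaped(PDO $db, string $id): int
{
    $i = escapeSqlite($id);
    return (int) $db->query("SELECT COUNT(*) FROM Users WHERE Id=$i")->fetchColumn();
}

// Same lookup with a bound parameter: the whole input is compared as one text value.
function countByIdPrepared(PDO $db, string $id): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM Users WHERE Id = ?');
    $stmt->execute([$id]);
    return (int) $stmt->fetchColumn();
}

// Classic payload: closes the string literal and appends an always-true condition,
// turning the WHERE clause into ... UserName='' OR '1'='1' AND Password='' OR '1'='1'
$payload = "' OR '1'='1";
printf("unsafe:      %d rows matched\n", loginUnsafe($db, $payload, $payload));
printf("escaped:     %d rows matched\n", loginEscaped($db, $payload, $payload));
printf("prepared:    %d rows matched\n", loginPrepared($db, $payload, $payload));

// Numeric-context payload: no quote to escape, so the escaped query becomes
// WHERE Id=1 OR 1=1 while the prepared query compares Id with the text '1 OR 1=1'.
$idPayload = '1 OR 1=1';
printf("escaped id:  %d rows matched\n", countByIdEscaped($db, $idPayload));
printf("prepared id: %d rows matched\n", countByIdPrepared($db, $idPayload));
```

Run it with `php sqli_demo.php`. The unsafe login and the escaped numeric lookup match every row in the table, while the escaped string login and both prepared-statement versions match nothing, which is exactly why the parameterized form is the recommended default: it needs no case-by-case reasoning about where in the query each value lands.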


Additional Precautions

Scanning for Vulnerabilities

HostGator now offers SiteLock, which scans your site both for existing problems and, on a recurring basis, for new ones, to help keep current and future visitor/customer data secure on your website. A scanner is a supplement to the coding practices above, not a replacement for them: it can find an injectable form after the fact, but only parameterized queries (or correct escaping) prevent the vulnerability from existing.

SiteLock is your cyber sentry! Block the bad guys and be a security superhero! SiteLock provides automated malware removal, protects your brand's reputation, and defends your site from malicious attacks. Take advantage of these incredible features now!

For SiteLock subscribers, our patent-pending 360-degree scan technology tests each input box on your website to check whether it is vulnerable to this type of attack. We verify the safety of each input box by submitting test input in the way hackers would. We do not read or collect any data, however. We use safe test procedures and code, and if we discover a vulnerability in our testing, we report it to you immediately. Our Expert Services team can also help you remove these issues from your site.
