Learn SQL Injection & Secure Your Website

Ever wondered how a hacker can get unauthorized access to websites? In easy words, by exploiting vulnerabilities. And guess what, it’s you, the programmer, who creates these vulnerabilities, making it easier for any bad guy to hack into your website. It may sound ridiculous that the programmer could be at fault; after all, he’s the person burning the candle at both ends.

You have probably heard the question before: is your website safe from SQL injection? This is probably the least effort-consuming way of hacking into a poorly coded website, and tons of websites (especially those of small businesses) are vulnerable to it. Imagine you are on the login page of our dummy website. A normal user will input his username and password, and if they match, the user will be logged in. However, what if, instead of a normal user, a bad guy comes along and inputs some cryptic strings? He will get logged into the first account present in the database, which is generally an administrator's.

What actually happened here is that the cryptic string altered the behavior of your SQL command. In any code, ‘terminators’ play an important role, and that cryptic string, consisting of numbers and conditions, basically tricked the program. So, suppose our MySQL query was something like:

SELECT id FROM users WHERE username = $username AND password = $pwd;

The bad guy enters “1 OR 1 = 1; --” as the username and submits the form. This converts our MySQL statement to:

SELECT id FROM users WHERE username = 1 OR 1 = 1; -- AND password = any_random_text;

This will get him logged into someone’s account without even knowing the password. (The double dash above starts a comment in SQL, so everything after it is ignored.)

To overcome such vulnerabilities, you should use the mysql_real_escape_string() function (for PHP version < 5.0) or start using mysqli (for PHP version > 5.0). Both of them will filter out the unwanted characters, and the bad guy will no longer be able to exploit your site.
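An added example (not from the original article) that puts the page's query, built by pasting input into the SQL text, next to a parameterized version and runs both against the page's input string. It assumes PDO with an in-memory SQLite database and constructed rows so that it runs without a server; the function names are hypothetical, and mysqli offers the same pattern through prepare(), bind_param() and execute().

```php
<?php
// Added example: constructed data, in-memory SQLite via PDO (an assumption so it
// runs without a MySQL server). Plaintext passwords only mirror the page's query;
// a real application would store password_hash() output instead.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO users (username, password) VALUES
           ('admin', 'constructed-admin-pw'), ('alice', 'constructed-alice-pw')");

// Vulnerable: input is pasted into the SQL text, as in the page's query,
// so the database parses the input as part of the statement.
function login_concat(PDO $db, string $user, string $pwd): ?int
{
    $sql = "SELECT id FROM users WHERE username = $user AND password = $pwd";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['id'] : null;
}

// Hardened: the SQL text is fixed; input is bound as data and never parsed as SQL.
function login_prepared(PDO $db, string $user, string $pwd): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$user, $pwd]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['id'] : null;
}

$payload = '1 OR 1 = 1; --';   // the input string quoted on the page

var_dump(login_concat($db, $payload, 'any_random_text'));        // string-built query
var_dump(login_prepared($db, $payload, 'any_random_text'));      // bound parameters
var_dump(login_prepared($db, 'alice', 'constructed-alice-pw'));  // legitimate login
```

For the page's string, the concatenated version returns the first row in the table (the admin account), while the prepared version finds no match and the legitimate login still succeeds. The string contains no quote characters, so escaping alone leaves it unchanged when the value is not wrapped in quotes; binding parameters covers that case as well.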

With this practice you have made your website much more secure and can keep script kiddies at bay. But wait: there are still plenty of undiscovered vulnerabilities that keep popping up every day, so no system is ever secure enough.

