4.1. Handling Errors Safely

In an ideal world, when you create a form that asks the user to type in his or her first name, you can reasonably expect that he or she will enter something like John or Jane. Unfortunately, you also get users who leave the form blank, type in their address, or simply enter a random string of characters. And those are the benign users. Bad guys enter things into your form for nefarious purposes.

4.1.1. Understanding the dangers

One type of attack is called SQL injection. In this attack, a bad guy assumes that the information collected in a form is going to be pasted into an SQL query and executed against your database. The attacker types characters that have special meaning in SQL (quotes, semicolons, comment markers) into your form field, so that when the application builds its query the text is no longer treated as plain data but as part of the query itself.

For example, the attacker might enter something like John'); DROP TABLE users; -- into the first-name field. If your application builds its INSERT by pasting the form value straight into the query text, the SQL sent to the server would look something like

INSERT INTO users VALUES ('John'); DROP TABLE users; -- ')

The single quote and the closing parenthesis end the string and the VALUES list your application started, the semicolon begins a second statement, and the two dashes comment out whatever your application appends afterward. Whether the server carries out that second statement depends on how the query reaches it: a database API that sends one statement at a time rejects the whole thing with a syntax error, but one that hands the full text to the server (PHP's mysqli_multi_query, for instance) will do exactly what that line of code tells it to: Add "John" to the users table, and then drop the table named users. Not good.
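The attack just described and its fix, as an added example that is not from the book: a form handler that pastes the first-name field into an INSERT, beside the same insert done with a prepared statement. It uses PDO with an in-memory SQLite database so it runs offline; the DSN, the one-column users table and the attacker string are assumptions made for the example, and with a MySQL DSN the PDO calls are the same.

```php
<?php
// Added example, not from the book. PDO with an in-memory SQLite database so it
// runs offline; swap the DSN for new PDO('mysql:host=...;dbname=...', $user, $pass)
// and the rest of the code is unchanged.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (first_name TEXT NOT NULL)');

// Constructed attacker input for the first-name field. The quote and parenthesis
// close the string and VALUES list the application started, the semicolon starts
// a second statement, and "-- " comments out what the application appends after
// it (MySQL requires whitespace after the two dashes, hence the trailing space).
$firstName = "John'); DROP TABLE users; -- ";

// VULNERABLE: the form value is pasted into the SQL text, so SQL metacharacters
// in it become part of the query.
function insertUnsafe(PDO $pdo, string $firstName): void
{
    $sql = "INSERT INTO users VALUES ('" . $firstName . "')";
    // Sent to the database as:
    //   INSERT INTO users VALUES ('John'); DROP TABLE users; -- ')
    // PDO::exec() passes the whole string to the driver, stacked statement included.
    $pdo->exec($sql);
}

// SAFE: a prepared statement sends the query text and the value separately, so
// the value is stored as data and is never parsed as SQL.
function insertSafe(PDO $pdo, string $firstName): void
{
    $stmt = $pdo->prepare('INSERT INTO users VALUES (?)');
    $stmt->execute([$firstName]);
}

// Helper to observe the effect: SQLite catalog lookup (on MySQL, query
// information_schema.tables instead).
function tableExists(PDO $pdo, string $table): bool
{
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?");
    $stmt->execute([$table]);
    return (int) $stmt->fetchColumn() === 1;
}

insertSafe($pdo, $firstName);
printf("after safe insert:   users table exists = %s, stored value = %s\n",
    var_export(tableExists($pdo, 'users'), true),
    $pdo->query('SELECT first_name FROM users')->fetchColumn());

insertUnsafe($pdo, $firstName);
printf("after unsafe insert: users table exists = %s\n",
    var_export(tableExists($pdo, 'users'), true));
```

Run it with the php command-line binary. The safe path stores the attacker's string as an ordinary (if odd) first name, which is the behaviour you want: validate it and reject it if you like, but never let it reach the database as SQL. The unsafe path leaves no users table behind.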

Take a look at Chapter 3 of this minibook ...

Get PHP & MySQL® Web Development All-in-One Desk Reference for Dummies® now with the O’Reilly learning platform.
