There are some really crappy SQL injection tutorials out on the net that don't really tell you what you need to know nor how to fix the vulnerabilities. The main thing to remember when preventing SQL injection is that untrusted user input must never be pasted into the text of a query. Keep the query text fixed and hand the values to the database separately, through prepared statements with bound parameters. Stripping HTML tags is about cross-site scripting, which is a different bug, and escaping quotes by hand is the fallback you use only when you really cannot parameterize. Depending on which language and database driver you're using, the API for doing this will look a bit different.

Most tutorials show you the basic method of finding out whether a site or form is vulnerable, the old ' or 1=1-- trick (MySQL wants a space after the --). The quote closes the string literal, the OR 1=1 makes the WHERE clause true for every row, and the -- comments out whatever the application appended after your input, so a login check passes or a listing hands back every record. This is fine and dandy but quite useless if you don't know what to do after that. The most important part of SQL injection is SQL, obviously, and if you don't know SQL you're not going to get very far. I'm not going to teach you SQL here, but I will tell you that the Uncommon SQL Injection whitepaper by N3T D3VIL is a good place to start learning about SQL queries you might find useful.

Now I'll tell you how to handle inputs safely in PHP. Anywhere your users can enter data needs this treatment, including login forms, registration forms, and comment forms, plus the things people forget: query-string parameters, cookies and hidden fields, because an attacker is not limited to typing into your form. Basically any value that ends up in a query has to be kept out of the query text.

PHP ships with two functions these tutorials usually reach for, htmlentities() and addslashes(), and it's worth being clear about what each one actually does. htmlentities() converts characters that are special in HTML into their entity form, so if someone enters a <SCRIPT> tag into a comment form and you encode the comment when you print it, the browser shows &lt;SCRIPT&gt; as text instead of running it. That is protection against cross-site scripting, not SQL injection, and it belongs at output time, not before the insert: encoding data on the way into the database mangles it for every other consumer (mail, JSON, search). addslashes() puts a backslash in front of quotes, backslashes and NUL bytes so a quote in the input can't close the string literal in your query. It is not a reliable SQL defense: it knows nothing about the connection's character set (with a multi-byte charset such as GBK the server can read the inserted backslash as the tail of a two-byte character, and the quote survives), and it does nothing at all where the input lands outside quotes, such as WHERE id = $id. The fix that actually works is prepared statements with bound parameters, through PDO or mysqli. If you are stuck with string-building, use the driver's own escaper (mysqli_real_escape_string() with the connection charset set) and cast numeric values to int. These are the basic practices for a public website whose forms accept untrusted data that ends up in a database.
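Here is the difference in working code. This is an added example written for this post, not code from the original article: a user lookup done the vulnerable way (string concatenation, with and without addslashes()) next to the fixed way (PDO prepared statements). The DSN, the credentials and the users(id, username, password_hash, active) table are assumptions for illustration.

```php
<?php
// Added example for this post, not code from the original article. The DSN,
// credentials and the users(id, username, password_hash, active) table are
// assumptions for illustration.

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',   // placeholder DSN
        'app_user',                                          // placeholder credentials
        'app_password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
        ]
    );
}

// VULNERABLE: the username is spliced into the SQL text.
// Input  admin'--  (with a trailing space) gives
//   ... WHERE username = 'admin'-- ' AND active = 1
// and the server ignores everything after the comment marker.
function findUserVulnerable(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, username, password_hash FROM users "
         . "WHERE username = '" . $username . "' AND active = 1";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) ?: null;
}

// STILL VULNERABLE: addslashes() only helps inside a quoted string, and nothing
// here is quoted. Input  1 OR 1=1  passes through untouched and matches every row.
function findUserByIdAddslashes(PDO $pdo, string $rawId): ?array
{
    $sql = "SELECT id, username FROM users WHERE id = " . addslashes($rawId);
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) ?: null;
}

// FIXED: the query text is fixed when it is prepared; the value travels to the
// server separately and can only ever be compared as data.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = :u AND active = 1'
    );
    $stmt->execute([':u' => $username]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// FIXED, numeric context: cast and bind with an explicit type. Non-numeric
// garbage becomes 0 and simply matches nothing.
function findUserById(PDO $pdo, string $rawId): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// The password check happens in PHP against the stored hash, never inside the
// query, so the password is not part of any SQL at all.
function login(PDO $pdo, string $username, string $password): bool
{
    $user = findUser($pdo, $username);
    return $user !== null && password_verify($password, $user['password_hash']);
}

// htmlspecialchars() belongs here, at output time, and guards against XSS, not
// SQL injection. The username is stored exactly as typed and encoded when printed.
function greeting(string $username): string
{
    return 'Welcome, ' . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage, assuming a login form that posted `username` and `password`:
$pdo = connect();
if (login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
    echo greeting($_POST['username']);
} else {
    echo 'Login failed.';
}
```

Turning off PDO::ATTR_EMULATE_PREPARES matters more than it looks: with emulation on, PDO quotes the values client-side and sends one string, which is safe only as long as it knows the real connection charset; with it off, the MySQL server receives the statement and the values as separate messages and there is no string to break out of.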

While this is enough for some people, others like to go a step further and restrict input to a specific set of characters, feeding everything through a function that rejects anything outside that set. This tutorial over at Nucleotide shows you how to use Regular Expressions to do just that. Allow-listing is a good second layer on top of parameterized queries, not a replacement for them, and it is the only option for the parts of a query that cannot be bound as parameters, like a column name in an ORDER BY. It's perfect for login and registration forms, and if you didn't care about letting users create anchor links in comments, it'd work there too.
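The following is an added example, not code from the original post or from the Nucleotide tutorial. It shows allow-list validation with regular expressions as a layer in front of prepared statements, and the one place where it is the only defense: an ORDER BY column chosen by the user, which cannot be a bound parameter. The patterns, the column list and the users table are assumptions for illustration.

```php
<?php
// Added example, not from the original post or the Nucleotide tutorial. The
// patterns, the allowed column list and the users(id, username, created_at)
// table are assumptions for illustration.

// Usernames: 3 to 32 characters from a fixed set. Anchored with \A and \z
// rather than ^ and $, because $ also matches just before a trailing newline.
function validUsername(string $s): bool
{
    return preg_match('/\A[A-Za-z0-9_.]{3,32}\z/', $s) === 1;
}

// Reject rather than strip. Silently removing characters can turn a rejected
// value into an accepted one and hides the attempt from your logs.
function validateRegistration(array $post): array
{
    $errors = [];
    if (!validUsername($post['username'] ?? '')) {
        $errors['username'] = 'Use 3-32 letters, digits, dots or underscores.';
    }
    if (!filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        $errors['email'] = 'Enter a valid e-mail address.';
    }
    if (strlen($post['password'] ?? '') < 12) {
        $errors['password'] = 'Use at least 12 characters.';
    }
    return $errors; // an empty array means the input passed
}

// Identifiers cannot be parameters, so map the user's choice onto a fixed list
// of real column names and never let the raw string near the query.
function sortColumn(string $requested): string
{
    $allowed = ['name' => 'username', 'joined' => 'created_at', 'id' => 'id'];
    return $allowed[$requested] ?? 'id';
}

function sortDirection(string $requested): string
{
    return strtolower($requested) === 'desc' ? 'DESC' : 'ASC';
}

// The column and direction come only from the allow-lists above; the search
// term is still a bound parameter. % and _ are escaped so a user cannot turn a
// prefix search into match-everything (a logic bug rather than injection, but it
// shows up in the same place). MySQL's default LIKE escape character is the
// backslash, which is what addcslashes() inserts.
function listUsers(PDO $pdo, string $sortBy, string $dir, string $prefix): array
{
    $col = sortColumn($sortBy);
    $d   = sortDirection($dir);
    $stmt = $pdo->prepare(
        "SELECT id, username, created_at FROM users "
      . "WHERE username LIKE :prefix ORDER BY `$col` $d LIMIT 50"
    );
    $stmt->execute([':prefix' => addcslashes($prefix, '\\%_') . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage, assuming a registration POST and a listing page with ?sort=&dir=&q=:
$errors = validateRegistration($_POST);
if ($errors === []) {
    // safe to go on and INSERT through a prepared statement
}

$pdo   = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password'); // placeholder
$users = listUsers($pdo, $_GET['sort'] ?? 'id', $_GET['dir'] ?? 'asc', $_GET['q'] ?? '');
```

Note that sortColumn() returns a value from its own array, never the request string itself, so even a key that happens to pass a regex can't reach the query; the lookup table is the whole defense for that part of the statement.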

If you DO want to allow users to create links in comments, you'll probably want a WYSIWYG editor in your comment forms. The usual choice is TinyMCE and it works really well; it is the default on many content management systems and blog platforms, and if for some reason you don't like it, a quick Google search will turn up several others. Just remember that the editor runs in the visitor's browser and does nothing for security by itself: an attacker can skip it entirely and POST whatever markup they like. The HTML still has to be cleaned server-side against an allow-list of tags and attributes (HTML Purifier does this for PHP), and the cleaned markup goes into the database through a bound parameter like any other string.

Whether you're coding for yourself or a client, you should always use safe coding practices. If not for financial liability reasons, then just to spare yourself the headache of restoring everything after an attacker destroys your data.