Wednesday, December 22, 2010

How to block SQL injection?

You can block this by using ENCRYPTION.

For PHP users, I recommend using MD5 encryption. The advantage is that MD5 is a one-way encryption, which is hard for hackers to decode, and it is already available via PHP syntax: MD5(var)=MD5(var).

Usually, SQL injection is performed on the login page by typing an SQL statement into either the username or the password field. To do this, they just have to type in SQL like this: "test' or 1=1 or ''='".

Without MD5 or any other encryption in your SQL statement to validate the credentials, access to the site will be allowed. This is because hackers know how to manipulate SQL, and just by using "OR" in the SQL statement, access will be allowed. Hackers expect that you will use a normal SQL statement to validate credentials, and entering the SQL statement "test' or 1=1 or ''='" will usually result in this SQL: "select 1 from table_name where username='test' or 1=1 or ''=''".

To prevent this from happening, you can use MD5 or any other encryption. Encrypt all the input parameters when passing them to the SQL statement for validation and, of course, encrypt the field name compared against the username and password to check whether they are valid. By doing that, your site will be safe from injection, because there is no way that hackers can form an SQL statement out of encrypted parameters, especially if your encryption is MD5.

To explain further, your SQL statement at the back end will be something like this: "select 1 from table_name where md5(username)=md5('test\' or 1=1 or \'\'=\'')", which by this time will not be allowed, and the problem is solved.
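The login checks described above, side by side, as an added example that is not code from the original post. Python's sqlite3 stands in for PHP and MySQL so it runs offline; the `users` table, the `alice` row and the function names are constructed for illustration, and the bound-parameter variant is included for comparison.

```python
import hashlib
import sqlite3

# The input quoted in the post.
PAYLOAD = "test' or 1=1 or ''='"

def make_db():
    """Constructed sample data: one account in an in-memory database."""
    db = sqlite3.connect(":memory:")
    # SQLite has no built-in md5(); register one so the post's SQL form can run.
    db.create_function("md5", 1, lambda s: hashlib.md5(s.encode()).hexdigest())
    db.execute("CREATE TABLE users (username TEXT)")
    db.execute("INSERT INTO users VALUES ('alice')")
    return db

def login_concat(db, username):
    # The input is pasted into the SQL text, so its quotes become SQL syntax.
    sql = "select 1 from users where username='" + username + "'"
    return db.execute(sql).fetchone() is not None

def login_md5_hex(db, username):
    # Hash in application code first: only a 32-character digest made of
    # 0-9a-f reaches the SQL text, so it cannot close the string literal.
    # Placing the raw input inside md5('...') in the SQL text would still
    # be concatenation of unescaped input.
    digest = hashlib.md5(username.encode()).hexdigest()
    sql = "select 1 from users where md5(username)='" + digest + "'"
    return db.execute(sql).fetchone() is not None

def login_bound(db, username):
    # Placeholder: the value travels separately from the SQL text and is
    # never parsed as SQL, with or without hashing.
    sql = "select 1 from users where username = ?"
    return db.execute(sql, (username,)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    for check in (login_concat, login_md5_hex, login_bound):
        print(check.__name__,
              "payload accepted:", check(db, PAYLOAD),
              "| alice accepted:", check(db, "alice"))
```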

Hope this helps.
