MySQL Injections: What Are They, How to Prevent Them

Posted by Webmaster - July 21, 2012 - Blog - No Comments

MySQL injections are a common way for attackers to break into eCommerce systems. Generally MySQL injections take advantage of mistakes made by the programmer, which allows the attacker to subsequently access and manipulate data and have commands be executed on the server.

Here’s a brief description of how MySQL injections work and what you can do to prevent them.

==> What Is a MySQL Injection?

When you store data in a MySQL database, you use MySQL queries to manipulate that database. A MySQL injection takes advantage of insecure code to “inject” code into a pre-existing command and have their command executed instead.

This is often done using the single-quote character (‘). In MySQL, the single quote character can be used to end a query. By entering that character in a field that feeds into a MySQL database, the attacker can cause your database to think your official command has ended. They can then add their own command to be injected instead.

In reality, it’s slightly more complex, but the bottom line is the same: an outsider can use your existing HTML and PHP fields that pass data to MySQL to inject their own commands.

==> How Can You Prevent MySQL Injections?

First, you should have code on your page that verifies whether or not the content of a text field is what it’s supposed to be.

For example, if someone enters a single-quote character in the name field, your script should automatically detect it and not allow that command to be sent to the MySQL database.

Writing these kinds of verification into your pages should be an integral part of writing any kind of website code. Whether or not it’s actually written depends on the programmer you hired. That’s why it’s so crucial for website security that you hire a programmer who really knows what they’re doing.

==> Intrusion Detection

Your server should be set up so that it automatically detects unusual database calls.

If a normal user suddenly starts calling up other people’s credit card numbers, you should get a big alert. Through MySQL injections, this is very possible – in fact, it happened to, one of the largest pet stores on the internet.

You can set up your server to automatically ban that user, or just send a big red flag to your tech team for investigation immediately.

==> Working with Ethical Hacks

If you’re not feeling very confident in your own server security, one way to test it out is to work with ethical hacks.

Ethical hacks will probe your forms, code and databases for vulnerabilities. They’ll try to hack your site, not to gain access, but to report potential vulnerabilities back to you.

Preventing MySQL injections requires constant vigilance in your code, as well as fast reactions should an injection be detected. Though good coding habits can protect you against most attacks, it’s still entirely possibly that one small mistake could leave holes open in your security.