
How hackers get into your website using SQL injection


SQL injection is one of the most common security vulnerabilities on the Web. Here we will explain this class of vulnerability in detail, with examples of bugs in PHP and possible solutions.


If you are not very familiar with technology and Web programming languages, you may ask yourself what SQL is; well, it is the abbreviation of Structured Query Language, the de facto standard language for accessing and manipulating databases.

Nowadays most websites rely on a database (generally MySQL) to store and access data.

Our example will be a common login form. Internet users see login forms every day: you put your username and password in the form and then the server verifies the credentials you provided. Well, it is that simple, but what exactly happens on the server when it verifies your credentials?

The client (or the user) sends two pieces of data to the server: the username and the password.

Generally the server will have a database with a table where the user data are stored. This table has at least two fields/columns, one to store the username and one for the password. When the server receives the username and password, it will ask the database whether the provided credentials are valid. It will use an SQL statement that may look like this:
SELECT * FROM users WHERE username='SUPPLIED_USER' AND password='SUPPLIED_PASS'

For those who are not familiar with the SQL language: in SQL the character ' is used as the delimiter for string values. Here we use it to delimit the username and the password provided by the user.

In this example we see that the username and the provided password are inserted into the statement between ' characters, and the whole statement is then executed by the database engine. If the query returns any row, then the provided credentials are valid (the user exists in the database and has the password that was provided).

Now, what happens if a user types a ' character in the password or username field? Well, by putting only ' in the username field and leaving the password field blank, the statement would become:
SELECT * FROM users WHERE username=''' AND password=''

This would cause an error, since the database engine would consider the string to end at the second ' and would then raise a parse error at the third ' character. Now let's see what would happen if we sent these input data:
Username: ' OR 'a'='a
Password: ' OR 'a'='a

The query would then be:
SELECT * FROM users WHERE username='' OR 'a'='a' AND password='' OR 'a'='a'

Since a always equals a, this statement will return all the rows of the users table, and the server "will think" that we provided valid credentials and will let us in: the SQL injection has been successful.

We are not going to give many more hints on how to carry out SQL injections, but there are many and varied ways to obtain users/passwords from a database system. To avoid possible code injections, it is always advisable to encrypt the information, thereby preventing our system from being fooled, and also to prevent a hacker from reading the communication streams.
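As an added example that is not part of the original post, here is the login check described above written in Python, with an in-memory SQLite table standing in for the post's PHP and MySQL setup: the string-built query beside a parameterised one, exercised with valid credentials, with the lone ' probe, and with the ' OR 'a'='a input. The table contents and the credentials alice/s3cret are constructed; the parameterised query is the standard fix and is not something the post itself describes.

```python
import sqlite3

PAYLOAD = "' OR 'a'='a"   # the input from the post

def make_db():
    # Constructed sample data standing in for the post's MySQL "users" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn

def login_vulnerable(conn, username, password):
    # The post's pattern: input pasted straight into the SQL text, so a quote
    # in the input ends the string early and the rest is parsed as SQL.
    sql = ("SELECT * FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username, password):
    # Parameterised query: values travel separately from the SQL text, so a
    # quote in the input is data, never a delimiter.
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def single_quote_breaks_query(conn):
    # The post's first probe: a lone ' in the username gives
    # username=''' AND password='' which the engine cannot parse.
    try:
        login_vulnerable(conn, "'", "")
        return False
    except sqlite3.Error:
        return True

def demo():
    conn = make_db()
    return {
        "valid_vuln": login_vulnerable(conn, "alice", "s3cret"),
        "inject_vuln": login_vulnerable(conn, PAYLOAD, PAYLOAD),  # True: bypass
        "valid_safe": login_safe(conn, "alice", "s3cret"),
        "inject_safe": login_safe(conn, PAYLOAD, PAYLOAD),        # False
        "quote_error": single_quote_breaks_query(conn),
    }

if __name__ == "__main__":
    print(demo())
```

Note that in the injected query AND binds tighter than OR, so the trailing OR 'a'='a' alone is enough to make every row match.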

At bekkos Web Services we have a Web firewall that protects against basic attacks, and we always recommend the use of an SSL certificate, even a basic one. If you use our VPS hosting with DDoS protection, everything will be protected and will work better. Our cheap cloud VPS hosting has also proved very satisfying. You can also choose our other plans, such as web hosting with unlimited storage when you need a large amount of space, or our affordable dedicated server, which is not only affordable but also very private, because your website is the only one hosted on that server.

At bekkos we have SSL certificates at very economical prices, from 18€/year; see: Certificates SSL - https://compuprint.net/hosting/certificados-ssl

