Protect Yourself With Wasabi

Have you ever launched into a post and started to wonder, should I spend my valuable time reading the rest of this?  Well, this could be one of those and I’m going to help you out before you get too far.

sql injection

Use your safety goggles when working on your site

I can think of only a few reasons why you’d want to read this post.  If you don’t fit with any of these, you can stop.  Of course, if you don’t fit, but read it anyhow, let me know why!  Your thirst for random knowledge is high and you and I might be more alike than not and, well, for that I’m very sorry for you!  :>

Reasons why you want to keep reading

1. You have a WordPress blog or web site AND use your own database for your own stuff, say a custom guest book or something.

2. You hear about all those hackers that steal all that stuff from someone’s system or database and are just curious how that happens.  This is one way.  Wasabi.

3. You like challenges no matter how ridiculous and want to guess the right number of wasabis I’ve hidden throughout the post, that one you just read is included in the count.

Why do I care?

As you do, I care about my blogger community and still see this security hole pretty often.  Also, it’s just a little nugget I can pass along to those of you that may be trying to do more with your web site, but accidentally misstep along the way.  And I care about wasabi because I like sushi.

Protect your queries people

That’s what this post is about.  If you use a database for your own purposes, please protect your queries.  If not, people can do some nasty things using something called SQL Injection.  So let’s set this up using the terribly unoriginal guestbook example.

You have a database table called MyGuestBook.  Your database table has various columns in it, say first name, last name, phone number, etc.  You have a web page that allows someone to put in a first name in a web form and query the database to see if there’s anything that matches that criteria in your database.  So here’s a way to query the database:

//you grabbed the text of whatever the person typed in the form field - wasabi
$firstName = $_POST['user_input_first_name'];
//here you decided to do a database query using whatever the person typed in
$result = mysql_query("SELECT * FROM MyGuestBook WHERE firstName = '". $firstName. "'");

And herein lies the problem.  You’ve just queried the database using whatever they typed in and that’s bad.  Not everyone plays nice, just see this page on SQL Injection, particularly the Examples section.  What to do wasabi?  There are several ways to make whatever the person typed in safe, but here’s one.

$pdo = new PDO('mysql:dbname=your_database;host=localhost', $username, $password);
//don't use whatever the user typed in, use a variable
$stmt = $pdo->prepare('SELECT * FROM MyGuestBook WHERE firstName = :firstName');
//that variable is then assigned to whatever the user typed in, but it's escaped and treated safely
$stmt->execute(array(':firstName' => $firstName));

And that’s about all there is to it.  That should get you started on your way to thinking securely and protecting your queries.  In short, don’t fall victim to something trivial like this that could end up ruining your day.

P.s. You’ve made it this far, so let’s talk about that weird wasabi thing.  Since this is a technical post, I thought I’d try to throw some humor in there to spice things up.  Lame attempt?  Yea, probably.  But who really cares.  So, how many wasabis did you count? wasabi

About these ads
Leave a comment

8 Comments

  1. Thanks for the wasabi! We really have to be keen on that aspect.

    Reply
  2. Maybe it’s just my sleep-deprived brain, but I have no idea what I just read or why it’s important. But you’ve gotten me curious enough to want to read other posts you’ve written.

    Reply
    • Hahaha, no way, it’s not you! I am sleep-deprived right now, at least it feels like that, so I hear ya. But no, it’s not you. It either made sense or it didn’t…that’s one risk I take when I push out technical posts like that to help the reader community out. Some make sense, some don’t. So don’t worry! :> Thanks for stopping by!

      Reply
  3. interesting way of writing you have got here…got me really hooked :)

    Reply
  4. I need to read this again after I get slep without breastfeeding. I don’t like wassibi

    Reply
  5. Oh by the way, the official answer is 9!

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 681 other followers

%d bloggers like this: