Have you ever launched into a post and started to wonder, should I spend my valuable time reading the rest of this? Well, this could be one of those and I’m going to help you out before you get too far.
I can think of only a few reasons why you’d want to read this post. If you don’t fit with any of these, you can stop. Of course, if you don’t fit, but read it anyhow, let me know why! Your thirst for random knowledge is high and you and I might be more alike than not and, well, for that I’m very sorry for you! :>
Reasons why you want to keep reading
1. You have a WordPress blog or web site AND use your own database for your own stuff, say a custom guest book or something.
2. You hear about all those hackers that steal all that stuff from someone’s system or database and are just curious how that happens. This is one way. Wasabi.
3. You like challenges no matter how ridiculous and want to guess the right number of wasabis I’ve hidden throughout the post, that one you just read is included in the count.
Why do I care?
As you do, I care about my blogger community and still see this security hole pretty often. Also, it’s just a little nugget I can pass along to those of you that may be trying to do more with your web site, but accidentally misstep along the way. And I care about wasabi because I like sushi.
Protect your queries, people
That’s what this post is about. If you use a database for your own purposes, please protect your queries. If not, people can do some nasty things using something called SQL Injection. So let’s set this up using the terribly unoriginal guestbook example.
You have a database table called MyGuestBook. Your database table has various columns in it, say first name, last name, phone number, etc. You have a web page that lets someone type a first name into a web form and then queries the database to see whether any row matches that name. So here’s a way to query the database:
//you grabbed the text of whatever the person typed in the form field - wasabi
$firstName = $_POST['user_input_first_name'];
//here you decided to do a database query using whatever the person typed in
$result = mysql_query("SELECT * FROM MyGuestBook WHERE firstName = '" . $firstName . "'");
And herein lies the problem. You’ve just queried the database using whatever they typed in, verbatim, and that’s bad: anything they type becomes part of the SQL statement itself, not just a value to search for. Not everyone plays nice, just see this page on SQL Injection, particularly the Examples section. What to do wasabi? There are several ways to make whatever the person typed in safe, but here’s one.
//same form field as before
$firstName = $_POST['user_input_first_name'];
//$username and $password are your database credentials
$pdo = new PDO('mysql:dbname=your_database;host=localhost', $username, $password);
//don't paste whatever the user typed into the SQL; use a named placeholder instead
$stmt = $pdo->prepare('SELECT * FROM MyGuestBook WHERE firstName = :firstName');
//the placeholder is then bound to whatever the user typed in, and the driver sends it as a value, never as SQL
$stmt->execute(array(':firstName' => $firstName));
And that’s about all there is to it. That should get you started on your way to thinking securely and protecting your queries. In short, don’t fall victim to something trivial like this that could end up ruining your day.
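To see the difference those two snippets make side by side, here is an added, runnable example; it is not code from the original post. It uses PDO against an in-memory SQLite database (it assumes PHP’s pdo_sqlite extension is loaded) so it runs offline without a MySQL server. The MyGuestBook table, its rows, and the three inputs are constructed for the demonstration; the tautology input is the textbook one from the Examples section linked above.

```php
<?php
// Added example, not from the original post. Assumes the pdo_sqlite extension.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed guest book: three rows, one of them with an apostrophe in the name.
$pdo->exec('CREATE TABLE MyGuestBook (firstName TEXT, lastName TEXT, phone TEXT)');
$pdo->exec("INSERT INTO MyGuestBook VALUES ('Alice', 'Anders', '555-0100')");
$pdo->exec("INSERT INTO MyGuestBook VALUES ('Bob', 'Baker', '555-0199')");
$pdo->exec("INSERT INTO MyGuestBook VALUES ('D''Arcy', 'Dawes', '555-0150')");

// Vulnerable: the user's text is glued straight into the SQL string,
// exactly like the mysql_query() snippet above.
function unsafeLookup(PDO $pdo, string $firstName): array
{
    $sql = "SELECT * FROM MyGuestBook WHERE firstName = '" . $firstName . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is fixed; the value is bound to the :firstName
// placeholder and can never change the shape of the query.
function safeLookup(PDO $pdo, string $firstName): array
{
    $stmt = $pdo->prepare('SELECT * FROM MyGuestBook WHERE firstName = :firstName');
    $stmt->execute([':firstName' => $firstName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Runs one lookup and reports the row count, or the error the database raised.
function report(string $label, callable $lookup, PDO $pdo, string $input): void
{
    try {
        printf("%-24s %-14s -> %d row(s)\n", $label, json_encode($input), count($lookup($pdo, $input)));
    } catch (PDOException $e) {
        printf("%-24s %-14s -> ERROR: %s\n", $label, json_encode($input), $e->getMessage());
    }
}

// Constructed inputs: a normal name, a name containing an apostrophe,
// and the classic tautology from the linked Examples section.
$inputs = ['Alice', "D'Arcy", "' OR '1'='1"];

foreach ($inputs as $input) {
    report('unsafe (concatenated)', 'unsafeLookup', $pdo, $input);
    report('safe (prepared)', 'safeLookup', $pdo, $input);
}
```

Run it with php on the command line. For the plain name both lookups behave the same, but the other two inputs show why the concatenated version is dangerous: the apostrophe in D'Arcy breaks the unsafe query’s quoting and the database raises a syntax error, while the tautology turns the unsafe WHERE clause into firstName = '' OR '1'='1', which matches every row in the table. The prepared statement treats each input as nothing more than a name to look up, so the apostrophe is found correctly and the tautology simply matches nothing. If your code runs inside WordPress itself, the same idea is available through $wpdb->prepare(), which takes %s and %d placeholders instead of the :name style used here.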
P.s. You’ve made it this far, so let’s talk about that weird wasabi thing. Since this is a technical post, I thought I’d try to throw some humor in there to spice things up. Lame attempt? Yea, probably. But who really cares. So, how many wasabis did you count? wasabi