I thought i would write a tutorial on SQL injections and just how easily they can effect programmers who don't project their code. This is mainly for people who are new to programming and taking into account the security of the databases you use i find is very important.
What is it?
SQL injections are ways for a hacker to break your code and be able to crack into your databases and get more information then you wanted people to.
How do they do it?
If say you have a user login system and a hacker comes along. He can type the following into the username box or the password box:
// user input that uses SQL Injection
$name_bad = $_POST["username"]; // they enter 'OR 1=1
//inturn the SQL query below will look like the following
$query_bad = "SELECT * FROM members WHERE username = ''OR 1=1";
The query above will always return true, by using a single quote (') they have ended the string part of our MySQL query.So every single entry in the "members" table would be selected by this statement!
This can cause some big problems if your web host hasn't protected their MySQL on their side to stop this, some of them do. If you find they haven't the good ppl of PHP knew about this problem and proved a nice function called mysql_real_escape_string();
we use that function to prevent the MySQL injection.