Preventing SQL Injection with PHP
Proper escaping with mysql_escape_string vs mysql_real_escape_string, mysqli and PDO.
June 7th, 2011
In the first game of NYPHP's doubleheader June, we welcome OWASP member and ZCE Anthony Ferrara to speak on the subtle - yet vital - topic of SQL escaping and its evil cousin, SQL injection. Learn the inescapable ins-and-outs of proper escaping, including when mysql_escape_string() is not enough - plus an exclusive first look at a new attack vector, seen first only at NYPHP.
OWASP (Open Web Application Security Project) lists SQL Injection as the #1 vulnerability risk to web-based applications today. In fact, it's estimated that as many as half a million attempted exploits are performed each and every single day. In this talk, we will take a look at SQL Injection with PHP and MySQL, and how to successfully prevent it. We'll look at and demonstrate some known attack vectors. I will also demonstrate a brand new attack vector that's never been seen before, and show how to mitigate it. We will look at the tools that are available to mitigate attacks, and if the tools actually work or not. We'll also take a look at what can be done by both PHP and MySQL to help combat injections from the core.
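The talk's topic, escaping versus parameterisation, is illustrated below with an added PHP example that is not part of the announcement and not the speaker's code. It assumes a hypothetical `users` table with a `username` column and placeholder connection credentials. The point it makes is the one in the subtitle: `mysql_escape_string()` ignores the connection character set, `mysql_real_escape_string()` (and `mysqli::real_escape_string()`) only escape correctly when the connection charset has been set through the API rather than with a raw `SET NAMES` query, and a server-side prepared statement with bound parameters removes the need to escape at all, because the value never becomes part of the SQL text. The legacy `mysql_*` extension was removed in PHP 7, so the example uses `mysqli` and PDO.

```php
<?php
// Added example: contrasting string-built SQL with parameterised queries.
// Placeholder credentials; a real deployment reads these from configuration.
$host = 'localhost';
$db   = 'app';          // hypothetical database name
$user = 'app_user';     // placeholder
$pass = 'app_password'; // placeholder

// --- 1. Fragile: query text assembled from user input -------------------
// Anything in $username that MySQL parses as syntax changes the query.
function findUserUnsafe(mysqli $db, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// --- 2. Escaping done right with mysqli --------------------------------
// real_escape_string() is charset-aware, but only for the charset the
// client library knows about. set_charset() tells the library; a raw
// "SET NAMES" query does not, which is the mismatch the talk refers to.
function findUserEscaped(mysqli $db, string $username): array
{
    $db->set_charset('utf8mb4');
    $safe = $db->real_escape_string($username);
    $sql  = "SELECT id, username FROM users WHERE username = '$safe'";
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// --- 3. Preferred: mysqli prepared statement ---------------------------
// The SQL is sent to the server first, the value separately. No quoting
// or escaping is involved, so charset quirks cannot break the query.
function findUserPreparedMysqli(mysqli $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// --- 4. Preferred: PDO prepared statement ------------------------------
// ATTR_EMULATE_PREPARES => false makes PDO use real server-side prepares
// instead of quoting the values client-side and splicing them in.
// The charset belongs in the DSN so the driver, not a SET NAMES query,
// knows which encoding is in use.
function connectPdo(string $host, string $db, string $user, string $pass): PDO
{
    $dsn = "mysql:host=$host;dbname=$db;charset=utf8mb4";
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function findUserPreparedPdo(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll();
}

// --- Usage -------------------------------------------------------------
$mysqli = new mysqli($host, $user, $pass, $db);
$pdo    = connectPdo($host, $db, $user, $pass);
$input  = $_GET['username'] ?? '';

// Both parameterised variants accept any input, including quotes and
// multibyte text, without the value ever being interpreted as SQL.
print_r(findUserPreparedMysqli($mysqli, $input));
print_r(findUserPreparedPdo($pdo, $input));
```

Detection-wise, the escaped variant (2) is the one worth auditing in an existing code base: it is only as safe as the charset handshake, so a grep for `SET NAMES` alongside `real_escape_string` calls is a quick way to spot the configuration the talk singles out.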
Anthony Ferrara is a professional PHP developer and Systems Engineer, Zend Certified Engineer and OWASP member. He is a contributor to multiple Open Source projects as well as the community as a whole. He is also a former Core Team Member and Development Coordinator for the Joomla! project, as well as a former leader of its Security team. You can follow his blog at http://blog.ircmaxell.com or on Twitter at @ircmaxell.