One can attack a database through its own logical behaviour, for example by preventing it from working efficiently. A database uses indices to speed up searches such as a normal a-z LIKE search. But one can break out of that logical routine by adding special characters to the search field: % and _, and combinations of them such as %_abc or _%abc. The bigger the table, the slower the query becomes.

The value used in the LIKE operator is never escaped by PHP or MySQL and therefore poses a threat. To prevent such attacks you must write your own function for it. You can strip out the characters, or write a regex that matches only a-z. This must be done before you pass the value to mysql_real_escape_string or any other native escaping function, because those functions leave % and _ untouched, so they still act as wildcards inside the LIKE pattern.
Some examples:

Normal query:

$search = "abc";
$sql = "SELECT * FROM blog WHERE comment LIKE '$search%'"; // prefix search, index on comment can be used

Exploited query:

$search = "_abc";
$sql = "SELECT * FROM blog WHERE comment LIKE '$search%'"; // leading wildcard: the index is useless, every row is scanned
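One way to implement the check described above, as an added example that is not code from the original note. It escapes the LIKE wildcards with a dedicated escape character and binds the pattern with a prepared statement; the PDO connection $pdo, the table name and the request parameter are assumptions.

```php
<?php
// Added example (not from the original note). Assumes a PDO connection $pdo
// and a table `blog` with a column `comment`, as in the queries above.

/**
 * Neutralise the characters MySQL's LIKE treats specially: %, _ and the
 * escape character itself. '!' is used as the escape character so the
 * SQL does not depend on how MySQL handles backslashes in string literals.
 * The escape character is replaced first so escapes we add are not re-escaped.
 */
function escape_like(string $value, string $escapeChar = '!'): string
{
    return str_replace(
        [$escapeChar, '%', '_'],
        [$escapeChar . $escapeChar, $escapeChar . '%', $escapeChar . '_'],
        $value
    );
}

/**
 * Stricter alternative from the note above: an allow-list regex that accepts
 * only a-z (plus digits and spaces) and rejects everything else. Returns null
 * for input that should not reach the database at all.
 */
function allow_list_search(string $value): ?string
{
    return preg_match('/^[a-z0-9 ]{1,64}$/i', $value) === 1 ? $value : null;
}

$search = $_GET['q'] ?? '';          // assumed request parameter

// "_abc" becomes "!_abc%": the user's underscore is now a literal character and
// only the trailing '%' we append acts as a wildcard, so the prefix index stays usable.
$pattern = escape_like($search) . '%';

// ESCAPE '!' tells MySQL which character cancels the wildcards; the placeholder
// keeps the pattern out of the SQL text, so mysql_real_escape_string is not needed.
$stmt = $pdo->prepare("SELECT * FROM blog WHERE comment LIKE :pattern ESCAPE '!'");
$stmt->execute([':pattern' => $pattern]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

Use escape_like() when arbitrary text must be searchable, and allow_list_search() when the search field legitimately only ever contains plain words.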