I have a website that stores/retrieves much of its data from a MySQL backend. There are a handful of forms on the site where users can enter data (a comments page, a FAQ page, etc.) that gets stored in the database. It recently occurred to me that there could be a security hole in my implementation of this.
At the moment, the text that is entered into a field would be built directly into an INSERT statement and executed on the database. Assuming all anyone enters is plain English text, that's no big deal. But is it possible to inject code in this manner and do malicious things to the database?
Currently, all such user input forms are for string data, so the INSERT/UPDATE statements always wrap it in quotes. I would think that would be enough to tell the server that it's all just plain text, and not to do anything else with it. But I guess making any assumption on the matter without asking experts would be unwise.
Is there a danger here that I should be aware of? What are the common, effective measures taken by others to prevent such an attack?
Regards,
David P. Donahue
ddonahue@ccs.neu.edu
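An added illustration of the concern raised in the post (example code, not part of the original message): the quotes around the concatenated string do not keep the input "just text", because a quote character inside the input ends the literal early, whereas a parameterised query sends the text as a bound value. It uses an in-memory SQLite table as a stand-in for the MySQL backend; string-literal quoting behaves the same way, and a MySQL driver offers the same placeholder mechanism.

```python
import sqlite3


def fresh_db():
    # Constructed stand-in for the site's MySQL table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    return con


def build_insert_unsafe(body):
    # The pattern from the post: user text pasted straight into the
    # statement, relying on the surrounding quotes to keep it plain text.
    return "INSERT INTO comments (body) VALUES ('" + body + "')"


def try_unsafe(body):
    # Returns what the database made of the concatenated statement:
    # the rows now stored, or the error the statement produced.
    con = fresh_db()
    try:
        con.execute(build_insert_unsafe(body))
        con.commit()
        return [r[0] for r in con.execute("SELECT body FROM comments ORDER BY id")]
    except sqlite3.Error as e:
        return "error: " + str(e)


def insert_safe(body):
    # Parameterised query: the driver binds the value separately from the
    # SQL text, so a quote inside it can never change the statement.
    con = fresh_db()
    con.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    con.commit()
    return [r[0] for r in con.execute("SELECT body FROM comments ORDER BY id")]


if __name__ == "__main__":
    # A legitimate apostrophe already breaks the concatenated statement...
    print(try_unsafe("O'Brien"))
    # ...and input containing a quote can change what the statement does
    # (here, one submission silently becomes two rows).
    print(try_unsafe("x'), ('y"))
    # With a bound parameter both inputs are stored verbatim.
    print(insert_safe("O'Brien"), insert_safe("x'), ('y"))
```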