RE: PHP for preventing SQL injections?
From: Lefevre, Steven (SLefevre i-m-i-international.com)
Date: Wed Sep 17 2003 - 12:31:58 CDT
OK, here's another question:
We are developing a web database application for use with suppliers, some
of whom are overseas. We wouldn't put it past them to try to hack into each
other's data. Therefore, I would like to become aware of any SQL injection
attempt.
I was thinking of making a function that checked for injection attempts, and
then if it returned a false, I would get a warning. Otherwise, it strips bad
characters, etc. and executes the query.
So basically, I would like to know *for certain* if there's been an SQL
injection, so I can "follow up" with the user. But then, if it's just a user
putting in stupid data, stripping it and running the query would be fine.
Something obvious that I could check for would be "; [SQL KEYWORD]", but I
know that doesn't cover all scenarios. Is it possible to make code that
can distinguish between an injection attempt and stupid-user data?
What do you think?
Steve
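
The check-and-warn function described in this message, as an added PHP example that is not part of the original post. The keyword list, function names, `parts` table and sample inputs are hypothetical; it uses PDO bound parameters in place of stripping characters, so the query treats the value as data whether or not the heuristic fires.

```php
<?php
// Added example: flag input matching the "; [SQL KEYWORD]" heuristic from the
// post for follow-up, but never rely on the flag (or on stripping) for safety.

// Hypothetical keyword list; the post itself notes this check is incomplete.
const SQL_KEYWORDS = 'select|insert|update|delete|drop|alter|create|union|exec';

// Returns true when the value contains ';' followed by an SQL keyword.
function looks_like_injection(string $value): bool
{
    return preg_match('/;\s*(?:' . SQL_KEYWORDS . ')\b/i', $value) === 1;
}

// Log a flagged value with the requesting account so someone can follow up.
function audit_input(string $user, string $field, string $value): bool
{
    $flagged = looks_like_injection($value);
    if ($flagged) {
        // json_encode keeps newlines and control characters out of the log line
        error_log(sprintf('possible SQL injection: user=%s field=%s value=%s',
            $user, $field, json_encode($value)));
    }
    return $flagged;
}

// The query runs with a bound parameter whether or not the value was flagged,
// so the value is always treated as data and nothing needs to be stripped.
function find_parts(PDO $db, string $user, string $partName): array
{
    audit_input($user, 'part_name', $partName);
    $stmt = $db->prepare('SELECT id, name FROM parts WHERE name = ?');
    $stmt->execute([$partName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE parts (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO parts (name) VALUES ('O''Brien bracket')");

// Constructed inputs: ordinary data containing a quote, and a flagged string.
foreach (["O'Brien bracket", 'widget; DROP TABLE parts'] as $input) {
    $rows = find_parts($db, 'supplier42', $input);
    printf("%-28s flagged=%s rows=%d\n", $input,
        looks_like_injection($input) ? 'yes' : 'no', count($rows));
}
```

A flag from this heuristic is a reason to review the log entry, not proof of intent: ordinary text can contain a semicolon followed by a keyword, and input that avoids the pattern is not flagged.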