RE: PHP for preventing SQL injections?
From: Lefevre, Steven (SLefevrei-m-i-international.com)
Date: Wed Sep 17 2003 - 12:31:58 CDT
OK, here's another question:
We are developing a web database application for use with suppliers, some
of whom are overseas. We wouldn't put it past them to try to hack into each
other's data. Therefore, I would like to become aware of any SQL injection
I was thinking of making a function that checked for injection attempts, and
then if it returned false, I would get a warning. Otherwise, it strips bad
characters, etc. and executes the query.
So basically, I would like to know *for certain* if there's been an SQL
injection, so I can "follow up" with the user. But then, if it's just a user
putting in stupid data, stripping it and running the query would be fine.
Something obvious that I could check for would be "; [SQL KEYWORD]", but I
know that doesn't cover all scenarios. Is it possible to write code that
can distinguish between an injection attempt and stupid-user data?
What do you think?
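
The check described in the message above, as an added example that is not part of the original post: it flags the "; [SQL KEYWORD]" shape for follow-up and runs the query with the value bound as a parameter, which is used here in place of the stripping step. The function names, the `suppliers` table and the sample inputs are hypothetical, and the script assumes PHP 7+ with the `pdo_sqlite` extension.

```php
<?php
// Added example. looks_like_stacked_query(), find_supplier() and the
// suppliers table are hypothetical names, not code from the post.

// The check named in the post: a semicolon followed by an SQL keyword.
function looks_like_stacked_query(string $value): bool
{
    $keywords = 'select|insert|update|delete|drop|alter|create|union';
    return preg_match('/;\s*(' . $keywords . ')\b/i', $value) === 1;
}

// Record the value for follow-up, then run the query with the value bound as
// a parameter (instead of stripping characters), so the warning decision
// never changes what the database executes.
function find_supplier(PDO $db, string $name, array &$warnings): array
{
    if (looks_like_stacked_query($name)) {
        $warnings[] = $name;
    }
    $stmt = $db->prepare('SELECT id, name FROM suppliers WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE suppliers (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO suppliers (name) VALUES ('Acme'), ('O''Brien Ltd')");

// Constructed sample inputs.
$inputs = [
    'Acme',                       // ordinary value
    "O'Brien Ltd",                // legitimate apostrophe, no semicolon
    'Bolts; select sizes only',   // ordinary text that trips the check
    "x'; DROP TABLE suppliers",   // the "; [SQL KEYWORD]" shape from the post
];

$warnings = [];
foreach ($inputs as $input) {
    $rows = find_supplier($db, $input, $warnings);
    printf("%-28s rows=%d\n", $input, count($rows));
}
printf("flagged for follow-up: %d\n", count($warnings));
$remaining = $db->query('SELECT COUNT(*) FROM suppliers')->fetchColumn();
printf("rows left in suppliers: %s\n", $remaining);
```

The third input shows why a flag from this check is a reason to look closer rather than proof of intent: ordinary free text can match it.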