WebApp Sec mailing list archives
RE: PHP for preventing SQL injections?
From: SLefevre () i-m-i-international com (Lefevre, Steven)
Date: Wed, 17 Sep 2003 13:31:58 -0400
OK, here's another question:

We are developing a web database application for use with suppliers, some of whom are overseas. We wouldn't put it past them to try to hack into each other's data. Therefore, I would like to become aware of any SQL injection attempt.

I was thinking of making a function that checked for injection attempts, and then if it returned a false, I would get a warning. Otherwise, it strips bad characters, etc. and executes the query.

So basically, I would like to know *for certain* if there's been an SQL injection, so I can "follow up" with the user. But then, if it's just a user putting in stupid data, stripping it and running the query would be fine.

Something obvious that I could check for would be "; [SQL KEYWORD]", but I know that doesn't cover all scenarios. Is it possible to make a code that can distinguish between an injection attempt and stupid-user data?

What do you think?

Steve
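The check described in the message above, sketched as an added example that is not part of the original post or of any reply in the thread. It flags and logs input for follow-up without altering it. The rule names, the patterns beyond "; [SQL KEYWORD]", the user id `supplier42` and the sample inputs are all constructed for illustration.

```php
<?php
// Added example. Rule names, patterns and sample inputs are constructed.

/** Names of the heuristics a raw value trips. Empty means "not flagged", not "safe". */
function sqli_indicators(string $value): array
{
    $kw = '(?:select|insert|update|delete|drop|union|alter|exec)';
    $rules = [
        // The check proposed in the message: ";" followed by an SQL keyword.
        'semicolon_keyword'  => '/;\s*' . $kw . '\b/i',
        // A quote character followed by a boolean operator.
        'quote_then_boolean' => '/[\'"]\s*(?:or|and)\b/i',
        // UNION followed shortly by SELECT.
        'union_select'       => '/\bunion\b.{0,40}?\bselect\b/is',
    ];
    $hits = [];
    foreach ($rules as $name => $regex) {
        if (preg_match($regex, $value) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/** Log a flagged value for follow-up; the value is neither altered nor rejected here. */
function review_input(string $user, string $field, string $value): array
{
    $hits = sqli_indicators($value);
    if ($hits !== []) {
        // json_encode keeps newlines and control bytes from forging log lines.
        error_log(sprintf('sqli-review user=%s field=%s rules=%s value=%s',
            $user, $field, implode(',', $hits), json_encode($value)));
    }
    return $hits;
}

// Constructed samples: one hostile-looking, two ordinary supplier entries.
$samples = [
    '1; DROP TABLE orders',
    'Packing list; update due Friday',
    "O'Brien Ltd",
];
foreach ($samples as $s) {
    $hits = review_input('supplier42', 'note', $s);
    printf("%-34s %s\n", $s, $hits === [] ? '-' : implode(',', $hits));
}
```

The second sample is ordinary text that still trips `semicolon_keyword`, so a hit is a lead for manual review rather than proof of an attempt.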