WebApp Sec mailing list archives

RE: PHP for preventing SQL injections?


From: SLefevre () i-m-i-international com (Lefevre, Steven)
Date: Wed, 17 Sep 2003 13:31:58 -0400

OK, here's another question:

We are developing a web database application for use with suppliers, some
of whom are overseas. We wouldn't put it past them to try to hack into each
other's data. Therefore, I would like to become aware of any SQL injection
attempt.

I was thinking of making a function that checked for injection attempts, and
then if it returned a false, I would get a warning. Otherwise, it strips bad
characters, etc. and executes the query.

So basically, I would like to know *for certain* if there's been an SQL
injection, so I can "follow up" with the user. But then, if it's just a user
putting in stupid data, stripping it and running the query would be fine.

Something obvious that I could check for would be "; [SQL KEYWORD]", but I
know that doesn't cover all scenarios. Is it possible to write code that
can distinguish between an injection attempt and stupid-user data?

What do you think?

Steve
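As an added example (not code from the poster or the list), here is one way to split the two goals in the post: prevention by PDO prepared statements, so bound input is never interpreted as SQL and nothing needs stripping, and detection as a separate logging heuristic that only raises a warning for follow-up. The DSN, credentials, table and column names, and the log format are assumptions.

```php
<?php
// Added example. Prevention and detection are kept separate: the bound
// parameter below is safe whatever the input contains, so the heuristic
// only decides whether to log an alert, never whether the query runs.

// Assumed connection details; replace with the real ones.
$pdo = new PDO('mysql:host=localhost;dbname=suppliers', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepares, real binding
]);

// Patterns that rarely appear in ordinary supplier data (the post's
// "; [SQL KEYWORD]" idea plus comment sequences and a quote breaking out
// into a condition). A false positive costs one log line, not a rejected
// request, so they can be kept broad.
const SUSPECT_PATTERNS = [
    '/;\s*(select|insert|update|delete|drop|union)\b/i', // stacked statement
    '/(--|\/\*|#)/',                                      // SQL comment sequences
    '/[\'"]\s*(or|and)\s+/i',                             // quote then OR/AND
];

function looksLikeInjection(string $value): bool {
    foreach (SUSPECT_PATTERNS as $pattern) {
        if (preg_match($pattern, $value) === 1) {
            return true;
        }
    }
    return false;
}

function fetchSupplierOrders(PDO $pdo, string $supplierId, string $remoteUser): array {
    if (looksLikeInjection($supplierId)) {
        // Alert for follow-up; hex-encode the value so the log line itself
        // cannot be forged by newlines or control characters in the input.
        error_log(sprintf('[sqli-suspect] user=%s value=%s',
                          $remoteUser, bin2hex($supplierId)));
    }
    // Assumed schema: orders(id, item, qty, supplier_id).
    $stmt = $pdo->prepare('SELECT id, item, qty FROM orders WHERE supplier_id = :sid');
    $stmt->execute([':sid' => $supplierId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed call; in practice the values come from the request and session.
$orders = fetchSupplierOrders($pdo, $_GET['sid'] ?? '', $_SERVER['REMOTE_USER'] ?? 'anon');
```

Because the query is parameterized, "stupid-user data" simply returns no rows, while the log gives the certainty the post asks for about who sent suspicious input.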
