WebApp Sec mailing list archives

Re: PHP for preventing SQL injections?


From: "Sverre H. Huseby" <shh () thathost com>
Date: Wed, 17 Sep 2003 21:22:04 +0200

[Lefevre, Steven]

|   Is it possible to make a code that can distinguish between an
|   injection attempt and stupid-user data?

The first thing you could do is to categorize all input in two
distinct classes: User-generated and server-generated.

User-generated input is what the user is supposed to enter into
textual fields: Input tags of types text or password, and textareas.

Server-generated input is all the rest: Values from option lists,
checkboxes, hidden fields, cookies, URL-parameters that came from
anchor tags and so on.  Every input that is supposed to just be
returned by the browser in a well-defined format.

User-generated input may contain all kinds of stupid typing mistakes.
It may be hard to detect intrusion attempts, at least to be 100% sure
a user is trying to do something nasty.  You will, of course, have to
check that user-generated input matches your rules for every input
field, but in general you can't accuse the user of anything.  Just
inform him that he should modify the input according to your rules.

Server-generated input, on the other hand, should always be
well-defined.  If it doesn't match what you expect, the user has
tampered with data that are normally outside his reach (hidden in the
HTML or in some HTTP header).  I like to log such tampering as a
possible break-in attempt, and have a log monitor inform me of it.  I
also like to say "shame on you, I've logged this" to the user. :-)

I think most web applications have much more server-generated than
user-generated input, so by detecting tampering on server-generated
input, you will detect much of the possible tampering.  (It may be a
good idea to log malformed user-generated input too, but you will
probably have many false positives.)


Sverre.

-- 
shh () thathost com
http://shh.thathost.com/
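The two-class scheme described in the post, worked through as an added example (this is not Sverre's code and, although the thread is about PHP, it is written in Python so the logic can be run directly). The schema, field names and sample submissions are constructed for illustration: each field is declared as user-generated or server-generated, user-generated fields that fail their rule produce a message for the user, and server-generated fields that fail are recorded as tampering and logged for a log monitor to pick up.

```python
import logging
import re
from dataclasses import dataclass, field
from typing import Optional

TAMPER_LOG = logging.getLogger("webapp.tamper")


@dataclass
class Rule:
    """Validation rule for one form field (hypothetical schema type)."""
    name: str
    server_generated: bool                # True: browser just returns it unchanged
    allowed: Optional[frozenset] = None   # closed value set: option lists, checkboxes
    pattern: Optional[str] = None         # anchored regex for formatted values (ids etc.)
    required: bool = True                 # unchecked checkboxes are legitimately absent


@dataclass
class Result:
    user_errors: dict = field(default_factory=dict)  # field -> message shown to the user
    tampered: list = field(default_factory=list)      # server-generated fields that failed

    @property
    def ok(self) -> bool:
        return not self.user_errors and not self.tampered


def _matches(rule: Rule, value: str) -> bool:
    if rule.allowed is not None:
        return value in rule.allowed
    if rule.pattern is not None:
        return re.fullmatch(rule.pattern, value) is not None
    return True


def validate(form: dict, schema: list, remote_addr: str = "-") -> Result:
    """Check every field of a submitted form against its rule.

    User-generated failures are reported back to the user without accusing
    anyone; server-generated failures mean data outside the user's normal
    reach was changed, so they are flagged and logged as a possible break-in.
    """
    res = Result()
    for rule in schema:
        value = form.get(rule.name)
        if value is None:
            if not rule.required:
                continue
            ok = False
        else:
            ok = _matches(rule, value)
        if ok:
            continue
        if rule.server_generated:
            res.tampered.append(rule.name)
            TAMPER_LOG.warning(
                "possible break-in attempt from %s: field %r value %r",
                remote_addr, rule.name, value,
            )
        else:
            res.user_errors[rule.name] = f"Please enter a valid value for {rule.name}."
    return res


# Constructed schema for a small form: two free-text fields typed by the user,
# three values the browser is only expected to echo back unchanged.
SCHEMA = [
    Rule("username", server_generated=False, pattern=r"[A-Za-z0-9_]{1,32}"),
    Rule("comment", server_generated=False, pattern=r"[\s\S]{0,2000}"),
    Rule("country", server_generated=True, allowed=frozenset({"NO", "SE", "DK"})),
    Rule("newsletter", server_generated=True, allowed=frozenset({"on"}), required=False),
    Rule("item_id", server_generated=True, pattern=r"[1-9][0-9]{0,8}"),
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # A typo in a text field: the user gets a hint, nothing is logged.
    print(validate({"username": "bob smith", "comment": "hi", "country": "NO", "item_id": "42"}, SCHEMA))
    # A select value that was never offered: logged as tampering.
    print(validate({"username": "bob", "comment": "", "country": "ZZ", "item_id": "42"}, SCHEMA, "192.0.2.10"))
```

Because server-generated fields are checked against closed lists or tight patterns, the check is exact and carries none of the false positives the post warns about for free text; the user-generated patterns here are deliberately loose, since those fields are only expected to meet the application's own rules, not to be free of mistakes.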

