Hi,

Yonatan Ben-Nes wrote:
> Hi all,
>
> I'm currently trying to build a defence against SQL INJECTION, after
> reading some material on it I arrived at a few possible solutions and I
> would like to know if anyone can comment anything about them or maybe
> add a solution of their own:
[...]

If you're running PHP on an Apache server check mod_security; you'll have to tune its default ruleset a little bit, but it does a great job for me.
It will not protect you against tricks like 'chr(39)' (single quote) or, funnier, 'cH%52(123-84)' unless you write specific rules.
It inspects both GET and POST payloads, performs unescaping and lots of other cool things (protection against shell command injection)...
Be warned, it has some side effects, as it will kick you off if you try to publish SQL code on your site even if your code isn't malicious, or sentences that may look like SQL (delete from something)...

As suggested, parameter validation is required; regexps are great for this job and are easy to learn (do it, you'll see).
Do the validation in your PHP before sending the query to your server (do not rely only on checking inside stored procedures, as the injection can take place before the actual checking).

HTH,
--
MaXX

---------------------------(end of broadcast)---------------------------
TIP 5: don't forget to increase your free space map settings
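The "validate in PHP before the query leaves for the server" advice above, as an added example that is not part of the original thread and not mod_security's own code: an allowlist regex validator applied to the URL-decoded values PHP actually receives, followed by a parameterised query so the validated values are bound rather than spliced into SQL text. The table and column names (users, id, username), the rules, and the PG_DSN environment variable are assumptions for illustration only; the sample requests are constructed and include the two evasions mentioned in the reply.

```php
<?php
// Added example, not from the original thread: allowlist validation of request
// parameters in PHP, then a parameterised PostgreSQL query.

// Rules: parameter name => PCRE pattern the whole value must match.
// The D modifier stops "$" from matching before a trailing newline, so
// "42\n" is rejected rather than silently accepted. Assumed rules.
$rules = [
    'id'       => '/^[0-9]{1,10}$/D',          // integer primary key
    'username' => '/^[a-z][a-z0-9_]{2,31}$/D', // lowercase identifier, 3-32 chars
];

/**
 * Return only the validated parameters, or throw on the first failure.
 * mod_security inspects the raw request; here we judge what PHP hands us
 * after URL decoding, so 'cH%52(123-84)' is checked as 'cHR(123-84)',
 * which still fails the allowlist, as does a literal 'chr(39)'.
 */
function validate_params(array $input, array $rules): array
{
    $clean = [];
    foreach ($rules as $name => $pattern) {
        if (!isset($input[$name]) || !is_string($input[$name])) {
            throw new InvalidArgumentException("missing parameter: $name");
        }
        if (preg_match($pattern, $input[$name]) !== 1) {
            throw new InvalidArgumentException("invalid value for $name");
        }
        $clean[$name] = $input[$name];
    }
    return $clean;
}

/**
 * The query: values go in as bound parameters ($1, $2), never interpolated,
 * so the SQL text is fixed before PostgreSQL ever sees the input.
 * Table/column names are assumed for the example.
 */
function find_user($db, array $clean)
{
    $sql = 'SELECT id, username FROM users WHERE id = $1 AND username = $2';
    $res = pg_query_params($db, $sql, [$clean['id'], $clean['username']]);
    return $res === false ? null : pg_fetch_assoc($res);
}

// Constructed sample requests, already URL-decoded as $_GET would present them.
$requests = [
    ['id' => '42',                         'username' => 'alice'], // legitimate
    ['id' => 'chr(39)',                    'username' => 'alice'], // quote via chr()
    ['id' => urldecode('cH%52(123-84)'),   'username' => 'alice'], // encoded chr()
    ['id' => "42\n",                       'username' => 'alice'], // trailing newline
];

foreach ($requests as $req) {
    try {
        $clean = validate_params($req, $rules);
        echo "accepted: ", json_encode($clean), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", json_encode($req), " (", $e->getMessage(), ")\n";
    }
}

// Only the first request passes; run it against a real database if one is
// configured (PG_DSN is an assumed connection string, e.g. "dbname=test").
if (($dsn = getenv('PG_DSN')) !== false && function_exists('pg_connect')) {
    $db = pg_connect($dsn);
    if ($db !== false) {
        var_dump(find_user($db, validate_params($requests[0], $rules)));
    }
}
```

Running this with `php` on the command line prints one accepted line and three rejected lines without needing a database; the validator rejects the chr() variants because the allowlist for id admits digits only, not because it recognises the trick. The regex is the first line of defence the reply asks for, and pg_query_params is the reason a value that does pass validation still cannot change the shape of the query.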