Re: SQL injection - Again

On Thu, August 3, 2006 2:32 am, Peter Lauri wrote:
> Is there anyone in this group that has a simple script to check for SQL injection attacks?

http://php.net/mysql_real_escape_string
should cover this, no?

Another option is to use a query mechanism based on prepared
statements rather than raw queries, because then MySQL *knows* what is
data and what is not data.

> In the theory I was thinking about to check $_POST and $_GET if they contain specific "substrings" that could be used in an attempt. Maybe to loop thru all set values and see if they contain "DELETE FROM" or "TRUNCATE" or similar.

This is a Bad Idea because you could never possibly compose a complete
list of all such substrings.

> I am aware that I can create different db-users to restrict this, but in some hosting cases I only have access to one db-user. I also always use sprintf() to make sure integers etc. are used where I expect integers.

sprintf() to force an int is wasteful...

$foo = (int) $_REQUEST['foo'];

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
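Added example, not code from the thread: it puts the substring blocklist from the question next to the prepared-statement and `(int)` cast advice from the reply. It assumes PDO with an in-memory SQLite database so it runs offline; the thread is about MySQL, where the same binding applies.

```php
<?php
// Added example (not from the original thread). Uses PDO + in-memory
// SQLite so it runs without a server; the point is identical with the
// MySQL driver (set PDO::ATTR_EMULATE_PREPARES to false for true
// server-side prepares).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// The blocklist idea from the question. It can never be complete, and it
// also rejects legitimate text that merely mentions a SQL keyword.
function looksLikeInjection(string $value): bool {
    foreach (['DELETE FROM', 'TRUNCATE'] as $needle) {
        if (stripos($value, $needle) !== false) {
            return true;
        }
    }
    return false;
}

// Constructed sample input: a harmless note that happens to contain a
// keyword, so the blocklist flags it (a false positive).
$note = "Reminder: never run TRUNCATE on the production table";
if (looksLikeInjection($note)) {
    echo "blocklist rejected a harmless note\n";
}

// With a bound parameter the statement text and the value travel
// separately, so the database only ever treats the note as data.
$insert = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
$insert->execute([':body' => $note]);

// Integer input: cast as the reply suggests ("1abc" casts to 1, purely
// non-numeric input casts to 0), then bind it with an explicit type.
$id = (int) ($_GET['id'] ?? '1abc');
$select = $db->prepare('SELECT body FROM notes WHERE id = :id');
$select->bindValue(':id', $id, PDO::PARAM_INT);
$select->execute();
$stored = $select->fetchColumn();

echo ($stored === $note) ? "note stored verbatim\n" : "mismatch\n";
```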

