From: "Marek Kilimajer" <[EMAIL PROTECTED]>

> Matt Chatterley wrote:
> > In addition to protecting against SQL Injection, has anyone here
> > experimented with detecting and recording attempts at injection?
> >
> > I've been pondering checking strings which come directly from user input for
> > SQL keywords (and possibly using regexps to check for potential SQL syntax
> > fragments), but before I begin, I thought asking would benefit me, if
> > someone with more experience has already tried this...
>
> This might be an interesting social study :-)

It's been mentioned here before, but a good idea is to log any kind of
validation error that you get from user data. That should catch general
mistakes and attempts at cross-site scripting / SQL injection, depending
upon your validation.

The real usefulness comes from using those logs to identify areas that are
"difficult" for your regular users to complete. If you're constantly ending
up with validation errors in a date field, then it must not be clear what
formats you accept or maybe you need to accept more formats. Same thing with
text in a number field, and vice-versa. Use the validation logs to determine
how effective your site/forms/etc are.

---John Holmes...

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
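The approach John describes, as an added example that is not code from the thread or from any of its posters: every field is checked against a simple rule, each failure is appended to a log line (timestamp, client IP, field, rule, reason, and a sanitised sample of the rejected value), and the log is then aggregated per field so you can see both probing (an injection string in a numeric field) and fields that ordinary users get wrong (a date field fed three different formats). The rule names, the tab-separated log layout and the sample submissions are all assumptions made for this example.

```php
<?php
// Added example, not from the original thread. Validate form fields, log each
// validation failure, then summarise which fields fail most and on what input.

// Returns null when $value satisfies $rule, otherwise a short reason string.
// The rule names ('int', 'date', 'text') are an assumption for this example.
function validate_field(string $value, string $rule): ?string {
    switch ($rule) {
        case 'int':
            return preg_match('/^-?\d+$/', $value) ? null : 'not an integer';
        case 'date':
            // Accept YYYY-MM-DD only; every other format ends up in the log,
            // which is exactly the signal that tells you what users try to type.
            $d = DateTime::createFromFormat('!Y-m-d', $value);
            return ($d !== false && $d->format('Y-m-d') === $value) ? null : 'not a YYYY-MM-DD date';
        case 'text':
            // Plain-text field: refuse angle brackets and control characters.
            return preg_match('/[<>\x00-\x1f]/', $value) ? 'disallowed characters' : null;
    }
    return "unknown rule $rule";
}

// Appends one tab-separated line per failure. The rejected value is truncated
// and stripped of non-printable bytes so the log cannot be broken by a
// newline smuggled in the input (log injection) and cannot grow unbounded.
function log_validation_error(string $logfile, string $ip, string $field,
                              string $rule, string $reason, string $value): void {
    $sample = substr(preg_replace('/[^\x20-\x7e]/', '?', $value), 0, 64);
    $line = sprintf("%s\t%s\t%s\t%s\t%s\t%s\n", date('c'), $ip, $field, $rule, $reason, $sample);
    file_put_contents($logfile, $line, FILE_APPEND | LOCK_EX);
}

// Validates $input against $schema (field => rule), logging every failure.
// Returns field => reason for the caller to show the user.
function validate_form(array $schema, array $input, string $logfile, string $ip): array {
    $errors = [];
    foreach ($schema as $field => $rule) {
        $value  = (string)($input[$field] ?? '');
        $reason = validate_field($value, $rule);
        if ($reason !== null) {
            $errors[$field] = $reason;
            log_validation_error($logfile, $ip, $field, $rule, $reason, $value);
        }
    }
    return $errors;
}

// Reads the log back and counts failures per field and per rejected sample,
// most frequent sample first: the "which form is hard to fill in" view.
function summarize_log(string $logfile): array {
    $summary = [];
    foreach (file($logfile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        [, , $field, , , $sample] = explode("\t", $line, 6);
        $summary[$field]['count'] = ($summary[$field]['count'] ?? 0) + 1;
        $summary[$field]['samples'][$sample] = ($summary[$field]['samples'][$sample] ?? 0) + 1;
    }
    foreach ($summary as &$s) {
        arsort($s['samples']);
    }
    unset($s);
    return $summary;
}

// Constructed sample submissions for the demo (not real traffic).
$schema = ['age' => 'int', 'birthday' => 'date', 'comment' => 'text'];
$submissions = [
    ['age' => '34',           'birthday' => '1990-03-02',   'comment' => 'hello'],
    ['age' => 'thirty',       'birthday' => '02/03/1990',   'comment' => 'hi'],
    ['age' => "1' OR '1'='1", 'birthday' => '1990-03-02',   'comment' => '<script>alert(1)</script>'],
    ['age' => '12',           'birthday' => '3 March 1990', 'comment' => 'ok'],
];

$logfile = tempnam(sys_get_temp_dir(), 'valid');
foreach ($submissions as $i => $input) {
    validate_form($schema, $input, $logfile, "192.0.2.$i");
}
foreach (summarize_log($logfile) as $field => $s) {
    printf("%-9s %d failure(s); rejected values: %s\n", $field, $s['count'],
        implode(' | ', array_keys($s['samples'])));
}
unlink($logfile);
```

Run with `php validation_log.php`. Two of the `birthday` failures are honest users typing a different date format, which is John's point about finding unclear fields; the `age` and `comment` failures carry an injection-shaped string and a script tag, which is Matt's detection case. The same log serves both, but only if the logged sample is sanitised, since otherwise the attacker is writing directly into the file you will later read.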
