I understand some ways are better than others in this one, and it
looks like the PDO based implementations shine the most as far as SQL

But would not the following be good enough - without implementing a
PDO solution?

1- get the user input
2- for each input, deliberately enforce a data type ( that is
date/string/integer ) and validate it.
3- for each input, deliberately enforce a data length ( for strings
data length and for integer a valid range for example )
4- check the magic_quotes_gpc and do the stripslashes and then the
mysqli_real_escape_string() and the htmlentities.
5- and on top pf all this, I also check for the specific occurrences
of these following words; if any exist, I just do not execute that SQL
   and that list is

6- I also count the number of "0x" occurrences, if the user input
contains more than 2 of "0x", again I do not execute that command.

With all these in place, I don't know of a way that a userinput can
still make it thru.

These may raise a false negative on some valid user input that's
coming from a textarea where the data type is string, and an accepted
char length is big enough to create some havoc in the db, so be it, I
reject that input.

My question even after all these are there still ways to break in?

All the aboce can be easily tucked in a function which does a data
validation something like

VallidateUserInput ( $_GET['first_name'], "varchar(100)",Please supply
a first name that is less than 100 characters");
VallidateUserInput ( $_GET['age'], "smallint",Please supply an age
that is between 1-20")

Your insight is greatly appreciated on this.

I also read somewhere that mysql does NOT allow statement chaining.
So, that's even better.

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to