Login   Register  
PHP Classes
elePHPant
Icontem

The routine to find the sql injections is too simple.

Recommend this page to a friend!
Stumble It! Stumble It! Bookmark in del.icio.us Bookmark in del.icio.us

      PHProtector  >  All threads  >  The routine to find the sql injections is too simple.  >  (Un) Subscribe thread alerts  
Subject:The routine to find the sql injections is too simple.
Summary:Package rating comment
Messages:2
Author:Skulkan
Date:2010-04-06 07:40:20
Update:2010-04-06 13:34:03
 

Skulkan rated this package as follows:

Utility: Insufficient
Consistency: Good
Documentation: Sufficient
Examples: Good

  1. The routine to find the sql injections is too simple.   Reply  
Picture of Skulkan
Skulkan
2010-04-06 07:40:20
The routine to find the sql injections is too simple. For example string "I become from Itali" is sql injection but it contains only one dangerous word! Maybe it should searching somethink more, like couple of words "select + from" or "insert + into", or even somethinc more complex? I think the idea of this class is good.

  2. Re: The routine to find the sql injections is too simple.   Reply  
Picture of Hugo Sousa
Hugo Sousa
2010-04-06 13:34:03 - In reply to message 1 from Skulkan
Thanks Skulkan for your feedback.
Yes the Sqli routine is too simple making this script very strict for english sites, for my sites that were in Portuguese i had no problems and that was the reason this wasnt a issue.

The classification of being a malicious atack have to permit words like "I become from Itali" but block things like "select something from italy".
The script is blocking the request if any bad word is found, now i see that the best way is to block couple of words that connected make a Sql injection. In theory is easy, but the really problem is blocking *ALL* sql injections atacks including the most exotic ones.

Making diferent routines for GET and POST request is another ideia i have thinked in the past, passing things like "I become from Itali" in a GET post is a bit strange (normaly identifiers/numbers or one word is passed in each GET var) and probably should be blocked, the problem is with a POST var with a sentence like "I become from Itali" that should'nt be blocked.

The routine have to be changed to handle those issues in the next script version.