|Subject:||The routine to find the sql injections is too simple.|
|Summary:||Package rating comment|
Skulkan rated this package as follows:
|The routine to find the SQL injections is too simple. For example, the string "I become from Itali" is an SQL injection, but it contains only one dangerous word! Maybe it should search for something more, like a couple of words, "select + from" or "insert + into", or even something more complex? I think the idea of this class is good.|
|2010-04-06 13:34:03 - In reply to message 1 from Skulkan|
|Thanks Skulkan for your feedback.|
Yes, the SQLi routine is too simple, making this script very strict for English sites. For my sites, which were in Portuguese, I had no problems, and that was the reason this wasn't an issue.
The classification of a malicious attack has to permit phrases like "I become from Itali" but block things like "select something from italy".
The script blocks the request if any bad word is found; now I see that the best way is to block a couple of words that, when connected, make an SQL injection. In theory it is easy, but the real problem is blocking *ALL* SQL injection attacks, including the most exotic ones.
Making different routines for GET and POST requests is another idea I have thought about in the past. Passing things like "I become from Itali" in a GET variable is a bit strange (normally identifiers/numbers or one word is passed in each GET var) and probably should be blocked; the problem is with a POST var containing a sentence like "I become from Itali", which shouldn't be blocked.
The routine has to be changed to handle those issues in the next script version.
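The two rules discussed in this thread side by side, as an added example written for this page rather than the class's own source (the class is PHP; the logic is shown in Python here): the single-keyword check the script currently applies, the keyword-pair check proposed above, and the GET/POST split the author mentions. The keyword list, the pair table and the sample values are all constructed assumptions, not taken from the package.

```python
import re

# Constructed keyword list; the reviewed class's real list is not shown on the page.
BAD_WORDS = {"select", "insert", "update", "delete", "drop", "union", "from", "into", "where"}

# Keyword pairs that occur together in SQL statements but rarely in ordinary prose.
# Constructed for the example; order matters ("select" must come before "from").
SQL_PAIRS = [
    ("select", "from"),
    ("insert", "into"),
    ("delete", "from"),
    ("update", "set"),
    ("union", "select"),
    ("drop", "table"),
]


def has_bad_word(value: str) -> bool:
    """Single-word rule, as the thread describes the current class behaviour:
    any one keyword anywhere in the value blocks the request."""
    tokens = re.findall(r"[a-z0-9_]+", value.lower())
    return any(tok in BAD_WORDS for tok in tokens)


def has_sql_pair(value: str) -> bool:
    """Pair rule suggested in the thread: block only when the first keyword of a
    pair is followed (anywhere later in the value) by the second one.
    Word boundaries let comment-separated tokens such as select/**/1/**/from still match."""
    lowered = value.lower()
    return any(
        re.search(rf"\b{first}\b.*\b{second}\b", lowered, re.S) is not None
        for first, second in SQL_PAIRS
    )


def looks_like_injection(value: str, method: str) -> bool:
    """Assumed GET/POST split mirroring the author's idea: GET values are normally
    identifiers, numbers or a single word, so the strict single-word rule applies;
    POST values may carry free text, so the pair rule applies instead."""
    if method.upper() == "GET":
        return has_bad_word(value)
    return has_sql_pair(value)


# Constructed sample values: the thread's two sentences, two obvious injections,
# and one tautology payload that contains no keyword pair at all.
SAMPLES = [
    "I become from Itali",
    "select something from italy",
    "1 UNION SELECT password FROM users",
    "select/**/1/**/from/**/dual",
    "' OR 1=1 --",
]


def classify(values=SAMPLES):
    """Return {value: (single-word verdict, pair verdict)} for each sample."""
    return {v: (has_bad_word(v), has_sql_pair(v)) for v in values}


if __name__ == "__main__":
    for value, (single, pair) in classify().items():
        print(f"{value!r:40} single-word={single!s:5} pair={pair}")
```

The benign sentence is blocked by the single-word rule ("from") and passed by the pair rule, while "select something from italy" and the UNION payload are caught by both. The last sample is the author's "exotic" case in miniature: `' OR 1=1 --` contains no keyword pair, and with the constructed list not even a single bad word, so neither rule sees it. That is why a keyword filter of this kind is at best an extra layer in front of queries built with prepared statements and bound parameters, not a replacement for them.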