Signs that the SQL statement is dangerous

I want to create a function in PHP that checks how dangerous an SQL statement is. When I say “dangerous,” I mean certain characters or strings that are used to get data from a database that the user should not see.

For instance:

SELECT * FROM users WHERE userId = '1'

can be entered in several ways. Although I clear the parameters, I also want to keep track of how secure the request to run is.

Thanks in advance

+5
5 answers

, Parametrized Queries - . php/mysql mysql_query(), - - SQL-.

Suhosin Hardened PHP LAMP " SQL-" , , . - (WAF), , SQL- HTTP-. WAF PCI-DSS, , .

GreenSQL, , -. , SQL - , , . , secuirty , . WAF , GreenSQL, , , . , , , .

+2
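To make the recommendation of parametrized queries concrete, here is an added example (not code from the question or from any of the answers) that contrasts string-built SQL with a PDO prepared statement. It uses an in-memory SQLite database through PDO so it runs offline; the table, the rows and the name "O'Reilly" are constructed sample data, and the function names are my own.

```php
<?php
// Added example: why a legitimate apostrophe breaks string-built SQL while a
// bound parameter handles it, and why no "danger score" is needed.
declare(strict_types=1);

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample schema and rows.
    $db->exec("CREATE TABLE users (userId INTEGER PRIMARY KEY, name TEXT, secret TEXT)");
    $db->exec("INSERT INTO users VALUES (1, 'alice', 'a-secret'), (2, 'O''Reilly', 'b-secret')");
    return $db;
}

// Vulnerable pattern: the value is spliced into the SQL text, so any quote
// character in it ends the string literal and is parsed as SQL.
function findByNameUnsafe(PDO $db, string $name): array {
    $sql = "SELECT userId, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe pattern: the value is sent as a bound parameter. The statement text is
// fixed, so the input can only ever be compared as data, never parsed as SQL.
function findByNameSafe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT userId, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
$input = "O'Reilly"; // ordinary user data that happens to contain a quote

try {
    print_r(findByNameUnsafe($db, $input));
} catch (PDOException $e) {
    // The apostrophe terminated the literal: the input was parsed as SQL.
    echo "unsafe query failed: " . $e->getMessage() . PHP_EOL;
}

// The same input is matched literally and returns the single intended row.
print_r(findByNameSafe($db, $input));
```

The failing branch is the whole point: a filter that scores or strips quotes would have to reject a perfectly valid name, while the prepared statement needs no such filter because the database never sees the input as part of the query text.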
+1

"" . . - "O'Reilly" ?

SQL, , SQL. "" - : .

SQL, - , , , . , SELECT * , , .

+1

, :

  • . , .
  • SQL .
  • Protect the data layer as much as you can: apply the principle of least privilege and restrict public access to only the absolutely necessary functions, i.e. do not allow write access to many tables.

You may find this helpful: OWASP Top 10 for .NET Developers Part 1: Injection

It is written for .NET developers, but the principles carry over to PHP.

+1
