incrediBILL - 1:35 am on Dec 7, 2011 (gmt 0)

Can anyone assist on how to prevent this sql injection.

If engineers built buildings like sites are programmed on the internet a single woodpecker
could completely destroy civilization.

Writing secure code isn't rocket science, it's a discipline.

Just a few extra lines of code will keep your site pretty safe and it doesn't take thousands of dollars to secure an input field.

First, truncate the length of any input submitted to your query to something reasonable like 128 characters perhaps, maybe even as low as 64. I would simply reject anything over 128 characters, bounce it, problem solved for this injection. Now, with a limited input field of 128 characters, if you don't find any word breaks in those 128 characters like multiple spaces, periods or commas, reject it. Several common sense techniques will stop those encoded injections dead in their tracks.

Also, if you're using PHP parse your input through strip_tags () [php.net] which rips some nonsense HTML out of input and avoids XSS garbage as well.

See, didn't take thousands of dollars, just need to know what you're doing.

He might not be able to pay thousands of dollars to secure it correctly, but I think he should still be allowed to compete in the marketplace.

True.

He also shouldn't whine when his incompetence results in his site getting hacked, all his customer credit card data is exported, and Visa fines his business up to $500K per incident [usa.visa.com] and he looses his house and car paying massive fines, and in some states may face some possible jail time.


Nothing wrong with being able to compete, nope.

You can program your way out of a wet bag, but can't have all possible UI leaks detected, there's way too many points of entry, and for any small company it is commonly cost prohibitive.

I don't buy it.

I have one input sanitizing subroutine.

All that passes is text, no special characters that can be used in scripts and code, just text, text with word breaks so it can't be long encoded strings. The filtered input is so sanitary you could eat off of it.

If they can hack my site by finding a hole in my input sanitizer I'll gladly give them a lollipop.