- Check form variable with Javascript (user-side script)
- Check again form variable with PHP (server-side script)
- Use of PHP function to change special characters (like htmlentities)

Is there any function or can we create a one like

function isQuery($string)();

we pass it each form variable and it returns either true or false for if the passed string had an SQL Query in it or not.?

Check to make sure the data coming in is valid. You can use things like character classes or the c_type functions.

C-Type
[uk.php.net...]

Use strip_tags() to remove any unecessary HTML code:

[uk.php.net...]

Also, escape everything in your database using:

mysql_real_escape_string()

dc

keep in mind, not everyone uses mysql

you need to understand your database
know your escape characters
know what characters can cause problems

the key to stopping injections is to know what you are trying to stop.

I also don't think that you should clean input. You should decide whether the input given is acceptable or not and bounce it back to the user if it isn't

you can also setup logs
log all data that doesn't validate, make sure that the validation routines you write are doing what they are supposed to and not causing errors due to unforseen exceptions.

<added>I realize I gave sort of partial information

I log everything, success, failure, anything. I don't like deleting anything, I love having full tracks. I like cross referencing my apache logs with db info and validation logs.

all of these help me understand what is happening with a site.

Two things that I always do when accepting variables that are going into my SQL statements:

If the variable is a string, I use $variable = addslashes($variable); and then stripslashes() when pulling the information out of the database.

If the variable is a number (such as a float) I use $variable = floatval($variable). If $variable is an int you can use $variable = intval($variable)... etc...

any Sample SQL injection Input attempt? apart from the login injection mentioned at php.net

More On SQL Injections

[unixwiz.net...]

cheerz!

I also don't think that you should clean input. You should decide whether the input given is acceptable or not and bounce it back to the user if it isn't

Wise advice from a very wise and experienced programmer.

If the input is supposed to be a State/Country/etc., make sure that is what it is.

If it is a phone number, make sure it is a number...

If it is an ISBN, make sure it is an ISBN...

If it is a SKU, make sure it is a SKU...

An email should be an email...

An URL, an URL...

Time, time...
Date, date...

Limit field sizes realistically, and check input to be sure it is under the limit.

There is very little input that is not identifiable by type, value, format, size or structure. Use what is known to screen input before it gets anywhere near a db call routine.

Then clean everything just to be safe :)

WBF

<edit> Don't forget to clamp down permissions to the tightest possible for the application </edit>

jatar_k

the logging sounds very useful. it's something i've wanted to do for a while to trace errors in our shop. what kind of data do you log and how do you log:

is it as simple as opening a file and writing the REMOTE_ADDR, REQUEST_URI, time(), SESSIONID, PRODUCT_ID, etc? or are you using syslog?

cheers

Excellent Words Guys and excellent URL Khaki Monster. Lets let more input coming in Please.

I protect my database by requiring the query to pull a 'secret ID' from the table. This key is a md5 string of several different aspects of the user's personal information and one common phrase of my own. md5 is secure enough that it could never be guessed (I hope). Requiring this key before the database query helps a lot.

logging

it really depends where you log. For forms where the user is already authenticated I use info out of the session to uniquely identify them. For public stuff I just log as much info as I can. You may also want things like user agent as that may affect things.

both syslog and custom logfiles are used

I want all the info from the form. I want all fields that didn't pass and what the input was if there is an error. You can also do all fields and their input on success as well. Understanding what passes is also useful in case you let something through that shouldn't have been.

I don't actually keep the fieldnames, each log has a predetermined order to them so I can cut down on data in the log. Especially with syslog as it is pretty short (256 chars) per line/entry.

syslog is awesome though because of it's fire and forget way of doing things.

I also log auth scripts, knowing when and why people get kicked out is very important.

I got a question concerning SQL injection attacks:

Should we check not only input fields for validity, but also values from drop-down menus (<option value="">), radio buttons etc. Althought usually the possible values are fixed in the <form> itself, the attacker could easily modify the form and change the values, right? So if we expect an integer between 1 and 5 from a drop down menu, should we first check it before trying to insert it into DB?

Absolutely. Don't confuse

<input type="text" />

with input in general. Input is anything that is user-supplied or can be user-supplied. This includes things like $_SERVER['PHP_SELF'] and some other $_SERVER variables as well!

>> Should we check not only input fields for validity, but also values from drop-down menus

check it all

remember I could grab the action from your form, view source to get the form element names and throw together a quick curl script to submit the form.

I could probably figure out what is and isn't validated in a few hundred iterations, shouldn't take more than a minute or two.