[thelist] Web Database Security (was: how did they hack...)
Simon Coggins
ppxsjc1 at unix.ccc.nottingham.ac.uk
Thu Apr 19 11:29:06 CDT 2001
> Have you looked at server-side regular expressions? I'm not familiar with
> PHP, but this might help (it's for ASP):
> http://dynamic.15seconds.com/Issue/page.asp?Page_Id=306
I thought about using RegExps to check for certain strings but I had a
couple of problems with the idea:
1. It's hard to cover all possibilities - searching for DROP TableName is
no good if they do DELETE FROM TableName and I don't think I know enough
about MySQL to cover all dangerous possibilities.
2. If I just search for TableName I could reject perfectly valid entries
that use that word. e.g. if my table's called Guestbook and someone writes
"Hello, I thought I'd leave a message in your Guestbook..." this would be
rejected.
Regular expressions are useful for other types of validation though -
email validation springs instantly to mind.
Thanks,
Simon
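The two failure modes above (a blacklist pattern that only matches the phrasing it was written for, and a broader pattern that rejects an ordinary message mentioning the table name) can be shown side by side with the fix the thread is circling: sending user text as a bound parameter instead of pattern-matching it. This is an added example, not code from the thread; it uses Python and an in-memory SQLite database as a stand-in for PHP/MySQL, and the sample messages are constructed.

```python
import re
import sqlite3

# Constructed sample inputs (not from the original thread).
BENIGN = "Hello, I thought I'd leave a message in your Guestbook..."
DANGEROUS = "DELETE FROM Guestbook"   # the variant a DROP-only pattern misses

# Problem 1: a blacklist pattern only catches the phrasing it was written for.
DROP_ONLY = re.compile(r"\bDROP\s+Guestbook\b", re.IGNORECASE)
# Problem 2: widening it to the bare table name rejects ordinary messages.
TABLE_NAME = re.compile(r"\bGuestbook\b", re.IGNORECASE)


def blacklist_rejects(pattern, text):
    """Return True if the blacklist pattern would reject this message."""
    return pattern.search(text) is not None


def store_message(conn, text):
    """Store a message with a parameterized query ('?' placeholder): the
    driver passes the text as data, so the body is never parsed as SQL."""
    conn.execute("INSERT INTO Guestbook (body) VALUES (?)", (text,))
    conn.commit()


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Guestbook (id INTEGER PRIMARY KEY, body TEXT)")
    for text in (BENIGN, DANGEROUS):
        store_message(conn, text)
    rows = [r[0] for r in conn.execute("SELECT body FROM Guestbook ORDER BY id")]
    table_exists = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='Guestbook'"
    ).fetchone()[0] == 1
    return {
        "drop_only_misses_delete": not blacklist_rejects(DROP_ONLY, DANGEROUS),
        "table_name_rejects_benign": blacklist_rejects(TABLE_NAME, BENIGN),
        "stored_bodies": rows,           # both messages stored verbatim as text
        "table_still_exists": table_exists,
    }


if __name__ == "__main__":
    print(demo())
```

With bound parameters no blacklist is needed: the "DELETE FROM Guestbook" text is stored as a guestbook entry and the table is untouched, while the benign message is not rejected.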