[thelist] making text boxes more secure

Nan Harbison nansmith at heritageconcord.org
Fri Sep 19 11:38:58 CDT 2003


Rudy and everyone,

Wow, I was not aware of SQL injection. I did some research
and some thinking, and I added some layers of protection
to my db server. First, the user name and password are
filled out and submitted, and are passed to a page where
this code strips bad stuff (there is one predefined
username and password; they are not retrieved from a
database, so there is no connection to a db on this page):


// Lower-case the submitted username, undo any magic-quotes
// backslashes, then delete a short list of characters and
// keywords from it. The patterns are plain strings, so
// str_replace() is the drop-in for ereg_replace(), which was
// removed in PHP 7. Array keys must be quoted.
$Array['username'] = strtolower($Array['username']);
$username = stripslashes($Array['username']);
$username = str_replace("'", "", $username);
$username = str_replace(";", "", $username);
$username = str_replace("select", "", $username);
$username = str_replace("insert", "", $username);

// printing out the variables while testing these lines of code
print($username . "<br><br>");

// Same treatment for the password.
$Array['password'] = strtolower($Array['password']);
$password = stripslashes($Array['password']);
$password = str_replace("'", "", $password);
$password = str_replace(";", "", $password);
$password = str_replace("select", "", $password);
$password = str_replace("insert", "", $password);

print($password);

Then I have an if statement: if the username is foo and
the password is bar, redirect to the page that actually
handles the contents of the original form.

Is this enough? I assume there is no such animal as too
much security.

TIA
Nan
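An added example, not code from Nan's post or from thelist. It first runs a faithful copy of the posted filter over a few constructed inputs to show what a four-token blocklist does and does not catch (str_replace makes a single non-recursive pass, so "selselectect" comes out as "select", and anything not on the list passes untouched), then shows the two checks that actually remove the injection risk: a constant-time comparison of the raw credentials for the single built-in account, and a bound parameter on any page that does query a database. It assumes PHP 7 or later with the pdo_sqlite extension; the probe strings, the users table and the foo/bar account are constructed for the example, and the password hash is computed at run time only so the script runs stand-alone.

```php
<?php
// Added example, not Nan's code. Assumes PHP 7+ with pdo_sqlite.

// The filter from the post (minus the debug prints). str_replace() makes one
// pass and removes non-overlapping occurrences; it is not applied recursively.
function blocklist_filter(string $s): string
{
    $s = strtolower($s);
    $s = stripslashes($s);
    return str_replace(["'", ";", "select", "insert"], "", $s);
}

// Constructed inputs. The filter only knows four tokens, so anything else is
// passed through untouched, and a token can be rebuilt around a removed one.
$probes = [
    "selselectect",        // the inner "select" is removed, leaving "select"
    "foo\" or 1=1 --",     // double quotes, OR and comments are not on the list
    "foo union drop",      // nor are any other keywords
    "\\'foo",              // stripslashes turns \' into ', which is then dropped
];
foreach ($probes as $p) {
    printf("%-20s -> %s\n", json_encode($p), blocklist_filter($p));
}

// Check 1: the login page has one built-in account and no database, so there
// is nothing to sanitize for. Keep the raw submitted values (no strtolower,
// which would make the password case-insensitive) and compare in constant
// time. The hash is computed here only so the example runs; in a real page it
// is generated once with password_hash() and stored.
const EXPECTED_USER = 'foo';
$expectedHash = password_hash('bar', PASSWORD_DEFAULT);

function login_ok(string $user, string $pass, string $expectedHash): bool
{
    $userOk = hash_equals(EXPECTED_USER, $user);     // constant-time equality
    $passOk = password_verify($pass, $expectedHash); // also constant-time
    return $userOk && $passOk;
}

var_dump(login_ok('foo', 'bar', $expectedHash));            // the real credentials
var_dump(login_ok('foo', 'BAR', $expectedHash));            // case now matters
var_dump(login_ok("foo' or 1=1 --", 'bar', $expectedHash)); // just a wrong name

// Check 2: on any page that does touch a database, never build the SQL text
// from user input. A bound parameter is sent as a value, so quotes, semicolons
// and keywords inside it carry no SQL meaning. In-memory SQLite is used so
// this runs without a server; the users table is constructed for the example.
function find_user(PDO $db, string $user): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$ins->execute([':u' => 'foo', ':h' => $expectedHash]);

$row = find_user($db, "foo' or 1=1 --"); // the quote is data; matches no row
var_dump($row === null);
$row = find_user($db, 'foo');
var_dump($row !== null && password_verify('bar', $row['password_hash']));
```

The design point is that the filter and the real fix address different layers: the blocklist tries to make the input safe for a query string it never sees, while the prepared statement makes the query safe for any input, and the constant-time comparison makes the built-in account check independent of SQL altogether.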


-----Original Message-----
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of rudy

Subject: Re: [thelist] making text boxes more secure


> Is there anything else that should be done?

see http://www.webcohort.com/Blindfolded_SQL_Injection.pdf (note: PDF)
for other articles, search for "sql injection" in your favourite search engine
