Jump to content
Larry Ullman's Book Forums

Test For Invalid Data - Mysql Injection Attacks


Recommended Posts

Hi,

 

Today someone tried to inject some invalid data into a contacts database table.  The data fields are just VARCHARs. Fortunately I had enough checks in there to prevent the insertion.

 

But I hastily put together the following PHP data checks to try and strengthen the defences.  Are they sufficient?  Is there a better way?  Note: there are no particularly sensitive data in this database but I'd like to prevent any 'bad' data being put into the database table.

function test_for_invalid_data($data)

 {

  // the following are 'needle in haystack' tests - stristr does a case-insensitive check

  if ((stristr($data, 'href') === FALSE) 

    && (stristr($data, 'http') === FALSE)

    && (stristr($data, '<a') === FALSE)

    && (stristr($data, 'link') === FALSE)

    && (stristr($data, 'url') === FALSE)

    && (stristr($data, '</a') === FALSE))

   { // 'needle' strings not found - good!

    return TRUE;

   }

  else

   return FALSE;

 }

Any advice will be most appreciated.

 

Necuima.

Link to comment
Share on other sites

 Share

×
×
  • Create New...