Jump to content

SQLi Avoidance through global blacklist "fallback"

oz11

By oz11
in PHP Coding Help

 Share
Go to solution Solved by oz11,

Recommended Posts

oz11 Advanced Member

oz11

Posted
Posted (edited)

Is this a good idea.. in a layered security sorta way... 

if ($_SERVER["REQUEST_METHOD"] == "GET" || $_SERVER["REQUEST_METHOD"] == "POST") {
    // List of SQL injection terms to blacklist
    $sqlInjectionTerms = array('DROP', 'DELETE', 'UPDATE', 'INSERT', 'SELECT', 'AND', 'TRUNCATE', 'UNION', 'SELECT * FROM');

    // Function to check for SQL injection terms in request parameters
    function checkForSqlInjection($requestData, $sqlInjectionTerms) {
        // Check if $requestData is an array
        if (!is_array($requestData)) {
            return; // Exit function if $requestData is not an array
        }

        foreach ($requestData as $param => $value) {
            // Check if $value is a string
            if (!is_string($value)) {
                continue; // Skip iteration if $value is not a string
            }

            foreach ($sqlInjectionTerms as $term) {
                if (stripos($value, $term) !== false) {
                    // Detected potential SQL injection; terminate script execution
                  //  die("Potential SQL injection detected in parameter: " . htmlspecialchars($param));
                  echo $string = "FLAG:".bin2hex(random_bytes(10));
                  echo "<br>";
                  die (" error: 000ajfw5");
                }
            }
        }
    }

    // Check for SQL injection in GET parameters
    if ($_SERVER["REQUEST_METHOD"] == "GET") {
        checkForSqlInjection($_GET, $sqlInjectionTerms);
    }

    // Check for SQL injection in POST parameters
    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        checkForSqlInjection($_POST, $sqlInjectionTerms);
    }
}

yes, I already use PDOs.

Edited by oz11
Link to comment
Share on other sites
  • oz11 changed the title to SQLi Avoidance through global blacklist "fallback"

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.