Friday, December 30, 2011

A New Way to Prevent SQL Injection

So, I had this idea as a way of preventing SQL injection on my websites for people who have to fill out text boxes similar to the one I am typing in now, and was wondering if I could get some feedback on it. I would take ANY and ALL data from the user, no matter what they type, and have a PHP hash file that would hash the entire contents of the text box into a massive string of numbers. Those numbers would then be stored either in the database or in a specific file type, and when the data is retrieved, the numbers would be converted back into text.

On the positive side, this would allow me to store string literals, and I mean LITERAL, which would be displayed wherever I want them to be displayed, and the conversion would run in O(n) time.

On the downside, this may take a lot of server-side processing time, depending on how much information is being relayed back to the user, how many users are currently using the database, and how large the strings are.

Essentially, this can be a fool-proof way (if implemented on every field) of storing string literals without the chance of an SQL injection attack. Meaning, someone could successfully write this post and append ';DROP TABLE Users;-- to it without repercussion.
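Here is the scheme from the post, written out as a complete, runnable example. This is added illustration code, not the author's PHP: it generalises the "'a' becomes 00001" table idea by using each character's Unicode code point zero-padded to a fixed width (an assumption; seven digits cover every code point), round-trips the text through an in-memory SQLite table, and checks that the encoded form contains nothing but digits, so the injection payload from the post is inert in storage. The table names and the sample input are constructed for the example.

```python
import re
import sqlite3

# Width of one code unit. The largest Unicode code point is 1114111 (7 digits),
# so a fixed width of 7 covers every character (assumption made for this example;
# the post's hand-written 'a' -> 00001 switch is replaced by the code point).
WIDTH = 7
_ENCODED_RE = re.compile(rf"(?:[0-9]{{{WIDTH}}})*")


def encode(text: str) -> str:
    """Turn text into a string that contains only ASCII decimal digits."""
    return "".join(f"{ord(ch):0{WIDTH}d}" for ch in text)


def is_encoded(value: str) -> bool:
    """Structural check before decoding: ASCII digits only, whole code units.

    A regex is used rather than str.isdigit() because the latter also accepts
    non-ASCII digit characters that int() would interpret differently.
    """
    return _ENCODED_RE.fullmatch(value) is not None


def decode(value: str) -> str:
    """Reverse encode(); rejects anything that is not a digit-encoded string."""
    if not is_encoded(value):
        raise ValueError("not a digit-encoded string")
    return "".join(
        chr(int(value[i:i + WIDTH])) for i in range(0, len(value), WIDTH)
    )


def store_and_fetch(text: str) -> tuple[str, str, bool]:
    """Store text encoded in a fresh in-memory database and read it back.

    Returns (what was stored, the decoded text, whether the Users table
    still exists afterwards).  The Users table is constructed only so the
    post's ';DROP TABLE Users;--' payload has something to aim at.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)")

    encoded = encode(text)
    assert encoded.isascii() and encoded.isdigit()  # nothing but digits reaches SQL

    # Bound parameters are the conventional defence against injection; the
    # digit encoding from the post is layered on top of them here, not used
    # instead of them.
    conn.execute("INSERT INTO posts (body) VALUES (?)", (encoded,))
    stored = conn.execute("SELECT body FROM posts").fetchone()[0]

    users_exists = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='Users'"
    ).fetchone()[0] == 1
    conn.close()
    return stored, decode(stored), users_exists


if __name__ == "__main__":
    sample = "I can write this post and append ';DROP TABLE Users;--"  # constructed input
    stored, back, users_ok = store_and_fetch(sample)
    print("stored :", stored[:40], "...")
    print("decoded:", back)
    print("Users table intact:", users_ok)
```

The cost the post worries about is visible in the output: every character becomes seven bytes in the database, and both the write and the read pay a linear pass over the text. Because the stored value is digits only, it cannot carry quotes, semicolons or comment markers into a query, but the decoded text is the original literal again, so whatever displays it still has to treat it as untrusted data.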

15 comments:

  1. I have no idea what I just read.. and as for your question, no, never. :)

  2. how will you go about doing this? good post btw, +follow

  3. @House of Cahn: w3schools has information on how to turn a string into an array using PHP, with 1 character in every spot in the array. With this, I would have a switch that would do the following code: if (char == 'a') {textfile.append("00001")}

    This means for every a, the corresponding number to that is 00001. This is how the data is stored, and would all be coded in server-side PHP files. For decoding: vice versa.

  4. I think I get at least half of what you're talking about, and that kind of scares me..haha

  5. @Pat SQL Injection is a serious threat, and when creating any website you'll want to do as many things as you can to prevent infiltration of your database.

    People will use the above techniques to change the databases of websites... Changing the prices of items, purchasing them at a cheaper rate, then changing them back.

  6. I love computers! I am now following you!

  7. After reading the comments I understand what an SQL injection is about, but I think I would need some defined terms in the future.

    Your articles use very specialized terms, and I think a definition or two would work wonders for the readers.

  8. @Smile Thank you for the feedback. I'll try to adjust my posts to try to elaborate a little more.

  9. Agreeing with Smile here, I guess I got the basics of that post, but really understanding it was tough :P

  10. Lots of novice users make this mistake of leaving forms totally open and unprotected! It's nice to see articles like this, keep up the good work ;)

  11. Some stuff I didn't understand, but overall nice post.

  12. I don't have too much background on this stuff but it sounds interesting.

  13. Can you say the whole speech in Spanish? lol jk.

  14. I like to advance my knowledge little by little on your site.
