vsloathe

Hi all.

So I need to code to impress in a project I have coming up. My code's going to be scrutinized and I want this party to like what I'm putting down, so I want to go beyond my standard method of scrubbing inputs in the working part of my code and actually do some of the sexier methods to prevent SQL injection. I don't even know where to start, so can anyone point me in the right direction?

Thanks,
-V

perkiset

Hmmm... more sophisticated and sexy than scrubbing...

the only thing I can think of is pure input isolation ie., what comes from the user is *never* passed on to the DB - you take the user's intentions and recreate things from scratch or something... but I don't know what else beyond that except for a telemetry page that looks like "# of queries, # of potential attacks, last 10 queries" and such... have it automatically update so it looks all sexynshyt...

vsloathe

Appreciate the input Perk.

Yes, upon further research I've come to the conclusion that the only impressive route I might be able to take is create my own little scrubbing class whose methods clean my various forms of input, whatever they may be.

nutballs

That's what I was going to suggest. I have a function that I pass 2 parameters to, Type and Value.
I have all kinds of cleaners in there. +integer to force a positive integer such as ID columns. date, float/double, and about a dozen more.

But I don't validate per se, I force correct. So, if someone passes 'abc' to +integer, it gets set to 0.

This is aside from my validation function, which of course runs first, pointing out how big a fishhead you are for trying to out-leet me.

Dragonlaird

Quote from vsloathe:
> so I want to go beyond my standard method of scrubbing inputs in the working part of my code and actually do some of the sexier methods to prevent SQL injection.

Not sure if it will help since I don't code in PHP but in my native tongue (ASP / ASP.NET) I developed a complete DB handling class which deals with all comms to/from any DB and constructs all SQL statements pre-cleaned etc.

It has various functions to allow the developer to construct SQL statements that are DB-specific and also use pre-scrubbed values etc.

Since it's all done server-side, the client form can accept anything you like and the resulting server-side SQL is constructed to save exactly what is entered without any possible SQL injections creeping in.

Is this the sort of thing you were meaning or is this a little too heavy-weight for what you had in mind?
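
Two pieces are described in this thread without any code being shown: nutballs's Type/Value cleaner that force-corrects input instead of rejecting it, and Dragonlaird's DB handling class that builds every SQL statement server-side from pre-scrubbed values. The block below is an added example written for this page; it is not code from any of the posters. It is in Python with the standard-library sqlite3 module rather than PHP or ASP, and the names clean, SafeDB, vulnerable_count and demo, the users table and the sample rows are all made up for illustration. The wrapper goes one step further than the thread states: values are handed to the driver as bound parameters, so they never enter the SQL text at all, and the only things pasted into a statement are table and column names checked against a fixed whitelist (identifiers cannot be bound). vulnerable_count is the contrasting "before" version with the value concatenated in.

```python
"""Force-correct input cleaner plus a small DB handling class.

Added example, not code from the thread. Names (clean, SafeDB,
vulnerable_count, demo) and the users table are invented for illustration.
sqlite3 is used so it runs offline; any DB-API 2.0 driver binds the same way.
"""
import datetime
import math
import sqlite3


def clean(kind, value):
    """Coerce value to the requested type; bad input becomes a harmless default.

    kinds: '+integer', 'integer', 'float', 'date', 'string'.
    """
    text = "" if value is None else str(value).strip()
    if kind in ("+integer", "integer"):
        try:
            n = int(text)
        except ValueError:
            return 0
        return n if (kind == "integer" or n > 0) else 0
    if kind == "float":
        try:
            f = float(text)
        except ValueError:
            return 0.0
        return f if math.isfinite(f) else 0.0   # rejects nan/inf
    if kind == "date":
        try:
            return datetime.date.fromisoformat(text).isoformat()
        except ValueError:
            return None                          # stored as NULL
    if kind == "string":
        # No quote-escaping here: the driver binds strings as data.
        # Only the length is capped to match the column.
        return text[:255]
    raise ValueError("unknown kind %r" % kind)


class SafeDB:
    """Every statement is a fixed template plus bound parameters.

    Identifiers cannot be bound, so table/column names are checked against
    SCHEMA before they are pasted into the template.
    """

    SCHEMA = {"users": ("id", "name", "age", "joined")}

    def __init__(self, path=":memory:"):
        self.conn = sqlite3.connect(path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS users "
            "(id INTEGER PRIMARY KEY, name TEXT, age INTEGER, joined TEXT)"
        )

    def _check(self, table, columns):
        allowed = self.SCHEMA.get(table)
        if allowed is None:
            raise ValueError("unknown table %r" % table)
        bad = [c for c in columns if c not in allowed]
        if bad:
            raise ValueError("unknown column(s) %r" % bad)

    def insert(self, table, row):
        """row maps column name -> already-cleaned value; returns new row id."""
        cols = list(row)
        self._check(table, cols)
        sql = "INSERT INTO %s (%s) VALUES (%s)" % (
            table, ", ".join(cols), ", ".join(["?"] * len(cols)))
        cur = self.conn.execute(sql, [row[c] for c in cols])
        self.conn.commit()
        return cur.lastrowid

    def get_by_id(self, table, row_id):
        self._check(table, ())
        sql = "SELECT * FROM %s WHERE id = ?" % table
        return self.conn.execute(sql, (clean("+integer", row_id),)).fetchone()

    def count_by_name(self, table, name):
        self._check(table, ("name",))
        sql = "SELECT COUNT(*) FROM %s WHERE name = ?" % table
        return self.conn.execute(sql, (name,)).fetchone()[0]


def vulnerable_count(db, name):
    """The 'before' picture: the value is pasted into the SQL text."""
    sql = "SELECT COUNT(*) FROM users WHERE name = '%s'" % name
    return db.conn.execute(sql).fetchone()[0]


def demo():
    """Store a classic injection string and read it back unchanged."""
    db = SafeDB()
    payload = "x'; DROP TABLE users; --"
    rid = db.insert("users", {
        "name": clean("string", payload),
        "age": clean("+integer", "abc"),        # 'abc' becomes 0
        "joined": clean("date", "2007-10-23"),
    })
    return db.get_by_id("users", rid)


if __name__ == "__main__":
    print(demo())
    db = SafeDB()
    db.insert("users", {"name": "alice", "age": 30, "joined": None})
    attack = "nobody' OR '1'='1"
    print(vulnerable_count(db, attack), db.count_by_name("users", attack))
```

Run stand-alone it prints the stored row with the payload kept literally, then the row count the concatenated query returns for the `' OR '1'='1` input (every row) beside the count the bound query returns (zero). The cleaner still earns its keep for the non-string kinds: a bound `'abc'` in an INTEGER column would not be an injection, but it would be a wrong value, and forcing it to 0 is what the thread asked for.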

vsloathe

Quote from Dragonlaird:
> Quote from vsloathe:
> > so I want to go beyond my standard method of scrubbing inputs in the working part of my code and actually do some of the sexier methods to prevent SQL injection.
>
> Not sure if it will help since I don't code in PHP but in my native tongue (ASP / ASP.NET) I developed a complete DB handling class which deals with all comms to/from any DB and constructs all SQL statements pre-cleaned etc.
>
> It has various functions to allow the developer to construct SQL statements that are DB-specific and also use pre-scrubbed values etc.
>
> Since it's all done server-side, the client form can accept anything you like and the resulting server-side SQL is constructed to save exactly what is entered without any possible SQL injections creeping in.
>
> Is this the sort of thing you were meaning or is this a little too heavy-weight for what you had in mind?

That's pretty much exactly it. Thanks for the idea.

nop_90

Quote from perkiset:
> the only thing I can think of is pure input isolation ie., what comes from the user is *never* passed on to the DB - you take the user's intentions and recreate things from scratch or something... but I don't know what else beyond that except for a telemetry page that looks like "# of queries, # of potential attacks, last 10 queries" and such... have it automatically update so it looks all sexynshyt...

Actually yep.
Just came to me.
Probably the number 1 reason to use something like sqlobject for python or similar shit for PHP, ROR etc.
Not counting all the other advantages.

Almost makes SQL injection impossible.

Indica

Quote from Dragonlaird:
> I developed a complete DB handling class which deals with all comms to/from any DB and constructs all SQL statements pre-cleaned etc.

You mind sharing that class?

Dragonlaird

Quote from Indica:
> You mind sharing that class?

Normally I would be more than happy to share my code but apart from the fact this is in ASP.NET (and the older version in ASP), I use it in my commercial sites and as such I can't release my commercial code for obvious reasons, plus some of the contracts with customers don't allow me to release the code.

Sowwy...

