Security in theory from SQL injection

Mangar

New member
Hey guys, sorry, I am a bit of a nut that thinks out of the box. I can kind of see a way to do this in ASP but am new to PHP code; give me enough time and I am sure this could be done. For any of you guru devs, maybe you might like to ponder this idea.

I was just thinking about this, coming from ASP and being new to PHP. I am sure you know how they try to break a site with SQL injection code. Not being familiar with PHP yet, I was thinking of a step to thwart the extra code.

In a url we all have mysite/page?x=3454&tag=whatever

Is it possible to take the variables as a string, like so, as text plus a variable, and then segment/snip each variable out, like so:

$catch = url above as a text string "x=3454&tag=whatever"

Then you, as the developer, know you are looking for an "x" and a "tag" string that would have values.

Formula = ($catch string - x$ - tag$), then test if it equals zero.


Example of a friendly visitor/user
mysite/page?x=3454&tag=whatever

(((x=3454&tag=whatever) - x=3454) - tag=whatever)
At the end of the PHP test there should be no text left = 0 or false, which would mean there was no injected attack.



Example of bad or manipulated code
mysite/page?x=3454&tag=whatever&hold1=1

(((x=3454&tag=whatever) - x=3454) - tag=whatever) (remaining text would be hold1=1)
At the end of the PHP test there is text left = 1 or true, which would halt or flag the attack and the IP, block them, and maybe email the owner about the attack.

Example of bad or manipulated code
mysite/page?x=3454&hold1=1&tag=whatever
Even an out-of-order inject would fail the validation test of what variables are expected on the landing page.

So any commands or extra code in a variable would show there is more code in the URL than the expected, known variables.

---

So if one knows they are only looking for 2 or 3 known variables and compares them as a text string, any code or text outside the boundaries of the known URL strings would fail the URL string test. You could even test that a form has only the strings you are looking for; any extra line, length or string would flag it and never execute the code, to thwart an attack proactively from the code itself before continuing to execute any more of the page.
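The check described in the post, as an added example written for this thread rather than code from the poster: the "nothing left over" test is implemented as a comparison between the keys PHP actually received and an allowlist of the keys the page expects, using the same parsing PHP applies to build $_GET. The example also carries the caveat a practitioner would want: a key allowlist only catches extra parameters, and the value of an expected parameter (the last constructed sample below) passes the key test untouched, so the values are bound with a prepared statement instead of being pasted into the SQL. The $pdo connection, the "pages" table and the sample query strings are assumptions for the example.

```php
<?php
// Added example, not the poster's code. Implements the "nothing left over"
// check from the post as a key allowlist, then binds the values with a
// prepared statement, because an injection payload normally arrives inside an
// expected parameter's value rather than as an extra parameter.

/**
 * Compare the parameters actually received against the keys this page expects.
 * Returns ['unexpected' => [...], 'missing' => [...]]; both empty means the
 * request carries exactly the expected parameters and nothing else, which is
 * the "= 0 or false" outcome from the post.
 */
function checkParams(array $received, array $expected): array
{
    $keys = array_keys($received);
    return [
        'unexpected' => array_values(array_diff($keys, $expected)),
        'missing'    => array_values(array_diff($expected, $keys)),
    ];
}

// Constructed sample query strings. The first three are the post's own cases;
// the fourth smuggles SQL inside the expected "x" value, which the key check
// cannot see because "x" is on the allowlist.
$samples = [
    'x=3454&tag=whatever',               // friendly visitor
    'x=3454&tag=whatever&hold1=1',       // extra parameter at the end
    'x=3454&hold1=1&tag=whatever',       // extra parameter out of order
    'x=3454%20OR%201%3D1&tag=whatever',  // hostile value, expected keys only
];
foreach ($samples as $qs) {
    parse_str($qs, $received);           // same parsing PHP uses to build $_GET
    $result  = checkParams($received, ['x', 'tag']);
    $verdict = ($result['unexpected'] || $result['missing']) ? 'reject' : 'keys ok';
    printf("%-36s -> %s %s\n", $qs, $verdict, json_encode($result));
}

/**
 * Page handler: reject on a key mismatch (and log it, as the post suggests),
 * then bind the values. $pdo is an assumed existing PDO connection and the
 * "pages" table is hypothetical.
 */
function loadPage(PDO $pdo, array $received): ?array
{
    $result = checkParams($received, ['x', 'tag']);
    if ($result['unexpected'] !== [] || $result['missing'] !== []) {
        http_response_code(400);
        error_log('rejected request, parameter mismatch: ' . json_encode($result));
        return null;
    }
    // Placeholders send the values to MySQL as data, never as SQL text, so
    // "3454 OR 1=1" in x is compared as a literal string and matches no id.
    $stmt = $pdo->prepare('SELECT id, title FROM pages WHERE id = :x AND tag = :tag');
    $stmt->execute([':x' => $received['x'], ':tag' => $received['tag']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

In a real handler you would call loadPage($pdo, $_GET) and the allowlist stays per page, exactly as the post describes; the prepared statement is what closes the gap the allowlist leaves for values of the expected keys.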