
How do I safely store suspected SQL injection attacks in a database?

Developer https://www.devze.com 2023-02-23 04:04 Source: Internet

How would I go about storing potential SQL injection attacks in a database?

Assume first that I have detected a potential attack, and have the offending attack string in a variable and would like to add it to a table containing a log of suspicious events.

What would I need to do to safely insert these strings into a database so that no errors would be produced?

I have a feeling that it will be something along the lines of htmlspecialchars and mysql_real_escape_string... but I wanted to throw it out there to see if anybody else had any ideas!

One thought was to store the attack as an encoded base64 value, but that seems a bit hackish...

FYI, I am writing the application in PHP :)

Any responses would be greatly appreciated!


Always use parameterized queries. If you are using parameters, you don't need to rely on escaping strings and your query will always do exactly what you intend.

e.g.:

$statement = $db->prepare('INSERT INTO table_name (field_name1, field_name2) VALUES (:value, :value2)');
$statement->execute(array(':value' => $value, ':value2' => $value2));

See documentation for PDO prepare here:

http://www.php.net/manual/en/pdo.prepare.php


Use mysqli prepared statements to store the queries; it's the safest method to avoid SQL injection. If you're going to display them via a web interface and are concerned about XSS/CSRF attacks, use htmlspecialchars() before displaying them.
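
The two points made in the answers above (bind the attack string as a parameter when storing it, encode it only when displaying it), as an added example that is not part of the original answers. Assumptions: the pdo_sqlite extension is available and an in-memory SQLite database stands in for MySQL; the table `suspicious_events`, the function `logSuspiciousEvent` and the sample payloads are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: pdo_sqlite is available; in-memory SQLite stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With a MySQL DSN, also disable emulated prepares so binding happens server-side:
// $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Hypothetical log table for this example.
$db->exec('CREATE TABLE suspicious_events (id INTEGER PRIMARY KEY,
    source_ip TEXT NOT NULL, payload TEXT NOT NULL, detected_at TEXT NOT NULL)');

function logSuspiciousEvent(PDO $db, string $sourceIp, string $payload): int
{
    // The payload travels as a bound parameter, never as part of the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO suspicious_events (source_ip, payload, detected_at)
         VALUES (:ip, :payload, :ts)'
    );
    $stmt->execute([':ip' => $sourceIp, ':payload' => $payload, ':ts' => gmdate('c')]);
    return (int) $db->lastInsertId();
}

// Constructed sample inputs (192.0.2.0/24 is a documentation address range).
$samples = [
    "' OR '1'='1' -- ",
    "1; DROP TABLE suspicious_events; --",
    "<script>alert(1)</script>' UNION SELECT NULL --",
];

$read = $db->prepare('SELECT payload FROM suspicious_events WHERE id = :id');
foreach ($samples as $payload) {
    $id = logSuspiciousEvent($db, '192.0.2.10', $payload);
    $read->execute([':id' => $id]);
    $stored = $read->fetchColumn();
    $read->closeCursor();

    // Stored bytes are identical to the input: no escaping or encoding was needed.
    if ($stored !== $payload) {
        throw new RuntimeException("Round-trip mismatch for event $id");
    }
    // Encode only at output time, for the HTML context of a log viewer.
    echo $id, ': ', htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), PHP_EOL;
}

// The table still exists and holds every sample as inert data.
echo 'rows: ', $db->query('SELECT COUNT(*) FROM suspicious_events')->fetchColumn(), PHP_EOL;
```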


The same way you are storing any other data.
There is nothing special in storing SQL injection attacks, whatever you call it.


Like Steve Mayne said... please use a PHP PDO connection with prepared statements. It's the safest right now. Don't use mysql_connect() and its subfunctions anymore, because it's old and you cannot fully benefit from new mysql / sql / etc. functions.


All I would do is run it through a simple encryption. Then when you want to show the suspected SQL, you would just decrypt it. This should ensure the suspected SQL statement does not get executed on your db.
