
MySQL Injection question


norNerd


Hi, if I use strlen() to check the length of a string, let's say a username, and I make it so users can't have more than 8 characters, will that set a little limit for the injection, or will the attackers be able to bypass this in some way? And to avoid scripting, can I just make it so <script></script> isn't allowed, right? norNerd


It's really wrong to think of security in terms of blacklisting... attackers will always find a way to bypass a blacklist. Instead, you should think of a whitelist. Also, instead of trying to forbid a character or a character combo, allow it in a way that will make it harmless. In the case of SQL injections, this means using mysql_real_escape_string() to escape any data being inputted. In the case of XSS attacks (ones involving inserting a script element, as per your second example), the best way to stay secure is to either disallow (X)HTML completely, escaping everything with htmlentities() or htmlspecialchars() instead. Alternatively (what I'd use instead), create an XML Schema or DTD with only the elements and attributes that you allow (again, a whitelist), and validate any input against that. Option 3 (and what forums and wikis use) is to create your own pseudo-language, à la BBCode or wiki code, and turn that into predefined pieces of HTML.


Keep in mind that inline script can always be embedded in HTML tags, and that there is no practical limit to its length. And it won't be caught if all you're screening out is a <script> tag.

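The two replies above recommend whitelisting input, making data harmless rather than forbidding characters, and encoding output instead of screening for a script tag. The following PHP is an added example written for this thread, not code posted by any of the participants: it shows a whitelist check on the username, a parameterised query (bound values rather than the mysql_real_escape_string() approach named in the reply, since that function no longer exists in current PHP), and htmlspecialchars() on output. The function names, the in-memory SQLite table and the sample inputs are all assumptions constructed here; it assumes PHP 8 with the pdo_sqlite extension.

```php
<?php
// Added example, not from the thread. Assumes PHP 8 with pdo_sqlite.
declare(strict_types=1);

// Whitelist, not blacklist: state what a username MAY contain.
// 3 to 8 characters, ASCII letters, digits and underscore only, so quotes,
// comment markers and angle brackets are rejected before they reach anything.
function validate_username(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,8}$/D', $name) === 1;
}

// Parameterised query: the value is bound, never spliced into the SQL text,
// so the input's length or content cannot change the statement's structure.
function find_user(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output encoding: htmlspecialchars() turns < > & " ' into entities, so any
// tag (and any attribute inside it) renders as literal text. This covers the
// third reply's point: there is no tag name to blacklist, the markup itself
// is neutralised.
function render_greeting(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed fixture: an in-memory table with two users.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// Constructed inputs: a valid name, a name with an apostrophe, and markup.
// The whitelist rejects the last two; the query would be safe even if it
// did not, because the value is bound rather than concatenated.
foreach (['alice', "o'brien", '<b title="x">bob</b>'] as $input) {
    if (!validate_username($input)) {
        echo 'rejected by whitelist: ' . htmlspecialchars($input, ENT_QUOTES) . "\n";
        continue;
    }
    $user = find_user($db, $input);
    echo $user !== null ? "found user {$user['id']}\n" : "no such user\n";
}

// The bound query handles the apostrophe without any escaping on our side.
var_dump(find_user($db, "o'brien"));

// The markup comes back as harmless text inside the paragraph.
echo render_greeting('<b title="x">bob</b>'), "\n";
```

The length check from the original question is still present (the `{3,8}` quantifier), but it is the least important line here: the whitelist decides what shape the value may have, the bound parameter keeps the database from ever interpreting it as SQL, and the encoding on output keeps the browser from interpreting it as markup. Each layer holds on its own, which is why none of them needs to know what an attacker might type.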

Archived

This topic is now archived and is closed to further replies.
