9:30 AM - Got this from www.thedailywtf.com
My new co-workers recommended this site, http://www.thedailywtf.com. It's rather funny (well, if you're in the computer industry, IT or anything related).
The following function was an overseas Indian software shop's solution for SQL injection. See any problems?
function checkForBadSql($sqlcode)
{
    global $CONTEXT, $ERROR_TEXT;
    $badSqlCode[] = 'create';
    $badSqlCode[] = 'database';
    $badSqlCode[] = 'table';
    $badSqlCode[] = 'insert';
    $badSqlCode[] = 'update';
    $badSqlCode[] = 'rename';
    $badSqlCode[] = 'replace';
    $badSqlCode[] = 'select';
    $badSqlCode[] = 'handler';
    $badSqlCode[] = 'delete';
    $badSqlCode[] = 'truncate';
    $badSqlCode[] = 'drop';
    $badSqlCode[] = 'where';
    $badSqlCode[] = 'or';
    $badSqlCode[] = 'and';
    $badSqlCode[] = 'values';
    $badSqlCode[] = 'set';
    //test if sql code is bad
    if (preg_match('/\s['.implode('|',$badSqlCode).']+\s/i', $sqlcode))
    {
        //bad sql found -- hack attempt! Abort
        $ERROR_TEXT = "Invalid text was entered. Please correct.";
        return 0;
    }
    return 1;
}
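To make the problem concrete, here is an added example (my own code, not from the post or from the shop that wrote the function above) that ports the check to Python, shows what the pattern really matches, and puts a parameterized query next to it as the fix the blacklist was standing in for. The keyword list is the page's; the sample table, the user name and the test strings are constructed for the demo.

```python
import re
import sqlite3

# The keyword list from the page's checkForBadSql(), reproduced as-is.
BAD_SQL_WORDS = [
    'create', 'database', 'table', 'insert', 'update', 'rename', 'replace',
    'select', 'handler', 'delete', 'truncate', 'drop', 'where', 'or', 'and',
    'values', 'set',
]

# Direct port of the page's pattern. The square brackets turn the joined list
# into a character class (any single letter of any keyword, plus a literal
# '|'), not an alternation of whole keywords, so \s[...]+\s matches *any*
# whitespace-delimited word spelled only with those letters ("the", "at", ...).
BLACKLIST_RE = re.compile(r'\s[' + '|'.join(BAD_SQL_WORDS) + r']+\s',
                          re.IGNORECASE)


def check_for_bad_sql(text: str) -> bool:
    """Port of the page's check: True means accepted, False means rejected."""
    return BLACKLIST_RE.search(text) is None


def class_letters() -> str:
    """The set of letters the character class actually matches."""
    return ''.join(sorted(set(''.join(BAD_SQL_WORDS))))


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table holding one user."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (name TEXT)')
    conn.execute('INSERT INTO users (name) VALUES (?)', ("O'Brien",))
    return conn


def lookup_user(conn: sqlite3.Connection, name: str) -> list:
    """The real fix: a parameterized query. The driver sends `name` as a bound
    value, so quotes or keywords inside it are data, never SQL syntax, and no
    keyword blacklist is needed at all."""
    return conn.execute('SELECT name FROM users WHERE name = ?',
                        (name,)).fetchall()


if __name__ == '__main__':
    print('character class matches letters:', class_letters())
    for s in ("meet at the office", "O'Brien"):
        print(repr(s), 'accepted' if check_for_bad_sql(s) else 'rejected')
    conn = setup_db()
    print(lookup_user(conn, "O'Brien"))      # the apostrophe is just data
    print(lookup_user(conn, "O'Brien' --"))  # compared literally, no match
```

Running it shows the filter rejecting the harmless sentence "meet at the office" (because " at " is whitespace, letters from the class, whitespace) while accepting anything without spaces, which is the false-positive/false-negative mess a keyword blacklist always ends up in. The parameterized lookup needs none of it: the apostrophe in O'Brien is stored and compared as a character, not as a string terminator.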