I have an idea for preventing SQL injection attacks, however it would
have to be implemented by the database vendor.  Let me know if I am on
the right track, totally off base, or if it is already implemented
somewhere...

Let's say you could have a format string such as in printf

$format=" SELECT %s FROM %s WHERE id='%s' ";
$fieldname="last_name";
$tablename="personel";
$id="425";

and you could execute a query like

mysql_query_formatted($format, $fieldname, $tablename, $id);
(the language would have to have variable argument lengths)

Now, the key is that instead of just adding the $fieldname, $tablename,
$id to the $format string and passing it to mysql_query, it would be
passed to the parser as separate strings.  The parser should know how
to handle that format.  That way, the parser would always know where
the different table names, field names, and other strings start and
end.  So, the problem of injection attacks caused by someone confusing
the parser by entering things like ' and " is gone.

It would be easier on the programmer.  There would be no need to worry
about escape characters when passing to this function; the strings
would not have to be escaped.  The parser would no longer have to
guess where the boundaries are.  No more worrying about injection
attacks.

Does that make sense?

--
http://www.douglassdavis.com
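The scheme described in the post is what prepared statements with bound parameters already do for values, with one caveat a practitioner would add: table and field names cannot be bound, so they need an allow-list. The following is an added example, not code from the post or from any database vendor; the schema, rows and allow-lists are constructed for illustration, and the hypothetical mysql_query_formatted is modelled with Python's sqlite3.

```python
import sqlite3

# Constructed sample schema and rows (not from the original post).
SCHEMA = """
CREATE TABLE personnel (id INTEGER PRIMARY KEY, last_name TEXT, salary INTEGER);
INSERT INTO personnel VALUES (425, 'Davis', 50000), (426, 'Smith', 60000);
"""

# Constructed allow-lists standing in for the application's known schema.
ALLOWED_TABLES = {"personnel"}
ALLOWED_FIELDS = {"id", "last_name", "salary"}


def make_db():
    """Fresh in-memory database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def unsafe_query(conn, field, table, id_value):
    """The printf idea done wrong: every piece is glued into one string,
    so the SQL parser cannot tell where the value ends and SQL resumes."""
    sql = "SELECT %s FROM %s WHERE id='%s'" % (field, table, id_value)
    return [row[0] for row in conn.execute(sql)]


def safe_query(conn, field, table, id_value):
    """The post's idea as real engines implement it: the value is handed to
    the driver separately as a bound parameter and never re-parsed as SQL.
    Identifiers cannot be bound, so they are checked against an allow-list
    and then double-quoted, which is standard SQL identifier quoting."""
    if table not in ALLOWED_TABLES or field not in ALLOWED_FIELDS:
        raise ValueError("identifier not permitted: %r / %r" % (table, field))
    sql = 'SELECT "%s" FROM "%s" WHERE id = ?' % (field, table)
    return [row[0] for row in conn.execute(sql, (id_value,))]


if __name__ == "__main__":
    payload = "425' OR '1'='1"  # classic boundary-confusing input
    print(unsafe_query(make_db(), "last_name", "personnel", payload))  # both rows
    print(safe_query(make_db(), "last_name", "personnel", payload))    # no rows
```

With the bound-parameter version the quote characters in the input are just data, so no escaping is needed by the programmer, which is exactly the property the post is asking for.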
