Home/ Questions/Q 4321868
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-21T08:48:03+00:00

How would I go about storing potential SQL injection attacks in a database? Assume

  • 0

How would I go about storing potential SQL injection attacks in a database?

Assume first that I have detected a potential attack, and have the offending attack string in a variable and would like to add it to a table containing a log of suspicious events.

What would I need to do to safely insert these strings into a database so that no errors would be produced?

I have a feeling that it will be something along the lines of htmlspecialchars and mysql_real_escape_string… but I wanted to throw it out there to see if anybody else had any ideas!

One thought was to store the attack as an encoded base64 value, but that seems a bit hackish…

FYI, I am writing the application in PHP 🙂

Any responses would be greatly appreciated!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Always use parameterized queries. If you are using parameters, you don’t need to rely on escaping strings and your query will always do exactly what you intend.

    e.g.:

    $statement = $db->prepare('INSERT INTO table_name (field_name1, field_name2) VALUES (:value, :value2)');
$statement->execute(array(':value' => $value, ':value2' => $value2));

    See documentation for PDO prepare here:

    http://www.php.net/manual/en/pdo.prepare.php

    • 0