On 1/5/2017 2:23 PM, Always Learning wrote: > SQL injection attempts, made by suffixing usually very long strings of > SQL coding to valid parameters such as domain.com/info.php?aaaa=12345, > has been popular with the Russians for at least the last few years. SQL Injection is a server side issue, not a browser issue. > The only method of preventing it compromising a site is to test the > acceptable maximum length of the parameter (in this example '12345') and > if exceeded block the IP address in iptables. no, the proper method of preventing it is not checking the length of the parameter, rather, its ensuring you don't construct SQL queries out of arbitrary URL input without proper parameter substitution techniques such as passing parameters by value rather than string substitution, or using the appropriate string escaping techniques for your database API.. -- john r pierce, recycling bits in santa cruz