Request #46520 sql injection/xss prevention methods
Submitted: 2008-11-07 19:17 UTC Modified: 2014-11-02 01:57 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: auday dot talib at gmail dot com Assigned:
Status: Wont fix Package: *General Issues
PHP Version: 5.2.6 OS: linux
Private report: No CVE-ID: None
 [2008-11-07 19:17 UTC] auday dot talib at gmail dot com
Description:
------------
Hello,

This is Auday. I am learning PHP and reading about security, and I thought about SQL injections.

We use: select from tablename where something = something1 AND somethingelse = something2

I thought about preventing SQL attacks by these methods:

1- Use of ANDAND / OROR, which means PHP will ignore any other OR or AND after this.

Example: select from userstable where username = $_POST['username'] ANDAND Password = $_POST['password']

So, if the password is entered with this:

OR 1=1 , which is very famous, PHP will ignore it.

2- PHP ignores any logical statements such as OR/AND in any value before ANDAND or OROR.

If, in the example above, someone entered the username with ANDAND or OROR to make PHP ignore the other conditions, PHP should deal with the value as text, not as a logical part.

In other words, values used for the SQL queries are not processed as code, by disallowing ANDAND or OROR in variables.

Just like some conditions we have for variables, one more to add is: no OROR, ANDAND and any other related things.

3- XSS. I know a little bit about PHP and this one, but I thought about this method for preventing it.

When someone tries to pass HTML code or JavaScript or even PHP, the PHP engine should do these things:

A) Check the restriction in php.ini, with new lines for example like

therulesforGET = nocode

This is what will turn spaces to   , and these: < (smaller than), &gt; (greater than)

without the need for regular expressions and other methods ... Server admins can set for example an ini file with

HTMLinPOST['username'] = no
HTMLinPOST['message'] = yes(p,font,etc) // allowed tags for this one
HTMLattributesinPOST['message'] = no // or set it to yes but allow style, class, color, background and other not harmful things

WHAT I am trying to say is to make PHP easier for programmers ... They set the limits their application should have, then PHP does the regular expressions part and other stuff.

B) Setting the formats the same way.

Let's say PHP will take $n as number, $c as character and dot as space.

In php.ini:

formatforPOST['postalcode'] = $c1$n1$c2.$n2$c3$n3 // canada postal code like t5t 1e1 will be the only accepted for this

Same for others: $text-ini (any text), $numric-ini (any number). I used "ini" to make it a bit different.

formatforGET['userid'] = $numric-ini // or just numric

So again .. I think PHP should have these stored in a file that the engine reads, and it does all the other work.

I heard regular expressions are not PHP but another language called Perl, so we need something like the above as PHP regular expressions.

Simply defined: text, nohtml, numric and other things.

So I don't have to check "is it numeric" every time or call functions / classes; I set one line and put that this data coming from POST is numeric only ...

ERROR MESSAGES
If it does not look the same as what is specified in the ini file, if it is different, how should the programmer act? PHP will return an error message stored on the server called POST['userid']error.

If it exists I display it ... or deal with it.

php-builtin-function-to-check-errors(POST['userid']error) // check if this got an error ... return true or false

We assume this is a new function PHP introduces.

If POST['userid'] is set in the INI file to be numeric only but it is entered not numeric,

PHP returns this error:

POST['userid']error = 'not WHATINTHEINI' // this can be !numric

So the programmer didn't write and check the variable, but set it in the ini file, and now gets the error code from the function above:

if (POST['userid']error) {
    // display the error by echo
    echo $_POST['userid']error;
}

I hope this is the right place where I can submit ideas, and I hope you read my message and try to see if there is something useful.

I hope I didn't waste your time.

Thanks
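The three behaviours the report asks the PHP engine to provide (values that are never treated as SQL, input formats checked against declared rules with a per-field error, and HTML neutralised before it reaches a page) already exist in userland PHP, and the example below shows them done explicitly. This is an added example, not code from the report or from PHP itself: the function names, the FORMAT_RULES table (standing in for the imagined formatforPOST[...] lines), the error shape and the users table with its one row are all assumptions constructed here, and it runs offline against an in-memory SQLite database through PDO.

```php
<?php
// Added example, not code from the bug report: the behaviours the request asks
// the engine for, done explicitly in userland PHP. Uses an in-memory SQLite
// database through PDO so it runs offline; the users table and its single row
// are constructed here. All function, constant and column names are assumptions.

declare(strict_types=1);

// 1. In a prepared statement the query text and the values travel separately,
//    so a password of "' OR 1=1 --" is compared as a literal string. No
//    ANDAND/OROR-style keyword is needed to keep the value from becoming SQL.
function authenticate(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();           // false when the user does not exist
    return $hash !== false && password_verify($password, $hash);
}

// 2. Declared formats, checked in one place. FORMAT_RULES plays the role of the
//    "formatforPOST[...]" lines ($c = letter, $n = digit, dot = space); the
//    returned array plays the role of POST['field']error, shaped like "!numric".
const FORMAT_RULES = [
    'userid'     => ['numric',        '/^[0-9]+$/'],
    'postalcode' => ['c1n1c2.n2c3n3', '/^[A-Za-z][0-9][A-Za-z] [0-9][A-Za-z][0-9]$/'],
];

function validateRequest(array $input, array $rules): array
{
    $errors = [];
    foreach ($rules as $field => [$name, $pattern]) {
        $value = $input[$field] ?? null;
        // Missing, non-string (e.g. an array smuggled in via field[]) or
        // non-matching values all fail the declared format.
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            $errors[$field] = '!' . $name;
        }
    }
    return $errors;   // empty array means every declared field passed
}

// 3. HTML is neutralised when the value is written into a page, which is what
//    "HTMLinPOST['username'] = no" asks for; quotes are encoded too so the
//    value is also safe inside an attribute.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- demonstration on constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$insert = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$insert->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(authenticate($db, 'alice', 'correct horse'));
var_dump(authenticate($db, 'alice', "' OR 1=1 --"));   // the famous value, handled as text

// Constructed form input: userid is not numeric, the postal code matches.
$errors = validateRequest(['userid' => '12abc', 'postalcode' => 'T5T 1E1'], FORMAT_RULES);
print_r($errors);

echo escapeHtml('<b>hi</b> & "quotes"'), PHP_EOL;
```

Run it with the PDO SQLite driver enabled: the real password authenticates, the "' OR 1=1 --" password is rejected because it never becomes part of the statement, only userid is reported (as "!numric") by the format check, and the echoed HTML arrives as entities rather than markup. The design point is that each rule lives in one table and one function instead of being scattered through every handler, which is the convenience the report is after, without the engine having to guess which parts of a value are "logical".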


Patches


Pull Requests


History

 [2008-11-07 19:21 UTC] auday dot talib at gmail dot com
For the SQL injection at the beginning of the above message, I want to comment about if someone entered

1oror1 ,

PHP should always check the statements in the original file; then the values entered will not be processed or compiled, as they are not the actual statement.
 [2014-11-02 01:57 UTC] requinix@php.net
-Status: Open +Status: Wont fix -Package: Feature/Change Request +Package: *General Issues
 [2014-11-02 01:57 UTC] requinix@php.net
It's been six years since this request was made and I doubt there's much interest in it still, so I'm going to wontfix this with only the short statement "these suggestions are appreciated but they will not work very well".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat May 18 13:01:32 2024 UTC