How can I detect (not just prevent) SQL injection/XSS/hack attempts
#1

[eluser]Unknown[/eluser]
I imagine this is probably a very esoteric thing to ask, but I am working on a game, and obviously security & behavior moderation is high on the priority list. I understand that CodeIgniter already has a lot of stuff in place for preventing SQL injection and XSS. I want to be able to also detect and warn the player on an SQL injection or XSS attempt, and keep a record of it so I can know who is trying to break the game. Is this feasible? What are the odds that such events are innocent/unintentional activations? (I suppose that depends on how the game is played, though)
#2

[eluser]skunkbad[/eluser]
You are just going to want to filter or otherwise examine anything that comes in that can be manipulated by the user. Any form data, query string variables, etc. If the user is or can supply the data, it can't be trusted to be clean. I'm not sure how to handle the logging of a hacking attempt in all situations, but as you develop your application and apply your own custom filtering, I'm sure you'll come up with something.
#3

[eluser]Unknown[/eluser]
Yeah, I assumed I would just have to do some checking myself by preg_matching for the usual stuff, backticks and quotes and comment markers. Figured I'd ask to see if there was anything obvious that I was missing; the series of Google searches I was on was starting to look like a wild goose chase.

If my understanding of it so far is correct, I can at least compare
Code:
$this->input->post('variable', TRUE/FALSE)
as a way to check to see if the XSS filter ran into something on that particular item. I guess the nearest cousin on the database side is to compare $posted_str with
Code:
$this->db->escape_str($posted_str)
but I'm not sure that that would be kosher outside of the model context. Plus, it'd only be helpful if it is an input that would normally not contain something that gets escaped, like inputs that should always be only positive integers or alphanumeric strings.

I just want, if at all possible, to avoid hopping outside of the database methods and performing checks that will not work the same if the site is moved to a different database engine (e.g. from MySQL to PostgreSQL).

Logging would be a simple matter by comparison: log to a table with the relevant details when the controller gets a positive match, increment a field in the user model (if they're logged in), and add a warning to the view that gets loaded. I would probably have to tweak the sensitivity as I go, since I'll be adding a few things like user profiles to the game.
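One way to build the check and the log sketched in the post above, as an added example that is not part of the original thread or of CodeIgniter itself. It is written against the CodeIgniter 2.x calls the thread mentions ($this->input->post(), $this->security->xss_clean(), Active Record for the insert) and deliberately does not use $this->db->escape_str() as a detector: for fields with a known shape (ids, player names) a whitelist test says the same thing without depending on the database driver, and for free text only the XSS filter is consulted, since quotes in a chat message are not evidence of anything. The library name Tamper_check, the intrusion_log table and its columns, the users.hack_attempts column, and the session key user_id are assumptions made for this example.

```php
<?php
// application/libraries/Tamper_check.php  (assumed path; added example, not
// code from CodeIgniter or from the original thread).
// Targets CodeIgniter 2.x: input->post(), security->xss_clean(), input->ip_address(),
// input->user_agent(), uri->uri_string() and the Active Record methods used below.
defined('BASEPATH') OR exit('No direct script access allowed');

class Tamper_check
{
    protected $CI;

    public function __construct()
    {
        $this->CI =& get_instance();
        $this->CI->load->library('security');
        $this->CI->load->database();
    }

    /**
     * Scan the current POST body against a per-field schema.
     *
     * $schema maps field name => expected shape:
     *   'int'   digits only (an item or player id)
     *   'alnum' letters, digits, underscore, 1-32 chars (a player name)
     *   'text'  free text (chat, profile bio): only the XSS filter is consulted,
     *           because apostrophes and "<3" are legitimate here.
     *
     * Returns an array of hits (field, reason, truncated value); empty when clean.
     */
    public function scan(array $schema)
    {
        $hits = array();
        foreach ($schema as $field => $kind) {
            // Raw value, no XSS cleaning: we need the original to compare against.
            $raw = $this->CI->input->post($field);
            if ($raw === FALSE || $raw === '') {
                continue;
            }
            $reason = NULL;
            switch ($kind) {
                case 'int':
                    if ( ! ctype_digit($raw)) {
                        $reason = 'expected integer';
                    }
                    break;
                case 'alnum':
                    if ( ! preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $raw)) {
                        $reason = 'expected alphanumeric';
                    }
                    break;
                case 'text':
                    // The test the thread describes: did the XSS filter change anything?
                    if ($this->CI->security->xss_clean($raw) !== $raw) {
                        $reason = 'xss filter altered value';
                    }
                    break;
            }
            if ($reason !== NULL) {
                $hits[] = array(
                    'field'  => $field,
                    'reason' => $reason,
                    'value'  => substr($raw, 0, 200),  // keep the payload for review
                );
            }
        }
        return $hits;
    }

    /**
     * Store hits in intrusion_log (assumed table) and bump the player's counter.
     * Active Record parameterises the insert, so the same code runs on MySQL
     * or PostgreSQL. The stored 'value' is attacker-controlled: escape it with
     * html_escape() when you render the log in an admin page.
     */
    public function record(array $hits, $user_id = NULL)
    {
        if (empty($hits)) {
            return FALSE;
        }
        $this->CI->db->insert('intrusion_log', array(
            'user_id'    => $user_id,
            'ip_address' => $this->CI->input->ip_address(),
            'user_agent' => substr((string) $this->CI->input->user_agent(), 0, 255),
            'uri'        => $this->CI->uri->uri_string(),
            'details'    => json_encode($hits),
            'created_at' => date('Y-m-d H:i:s'),
        ));
        if ($user_id !== NULL) {
            // Third argument FALSE leaves the increment expression unquoted.
            $this->CI->db->set('hack_attempts', 'hack_attempts + 1', FALSE)
                         ->where('id', $user_id)
                         ->update('users');
        }
        return TRUE;
    }
}

// Usage from a controller action (session library assumed to hold 'user_id'):
//   $this->load->library('tamper_check');
//   $hits = $this->tamper_check->scan(array(
//       'item_id' => 'int', 'player' => 'alnum', 'message' => 'text'));
//   if ($this->tamper_check->record($hits, $this->session->userdata('user_id'))) {
//       $data['warning'] = 'Part of your last request was blocked and logged.';
//   }
```

Two caveats a practitioner would add. First, xss_clean() also normalises input (it decodes entities, for one), so a changed value is a signal worth logging, not proof of intent; the thread's question about innocent triggers is real, and the per-field schema is what keeps the false-positive rate down. Second, this detects and records; it does not replace query bindings or escaping in the models, which still do the actual preventing.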