Wednesday, September 26, 2018

php - Is using is_string() a good defense against SQL Injection?

I was trying to look for mitigation of SQL Injection against my web application based on PHP and MySQL. The first rule is to sanitize the query; Hence I am using mysql_real_escape_string() function for that




Here is what my snippet looks like



if (is_string($string)) {
return $mysqli->real_escape_string($string);
} else {
return "";
}



Here, $string would contain the user-input. After this filtering and escaping, I would use INSERT INTO query to insert into database.



This filter, will thwart any malicious user inputs like haha' , inj'' etc as is_string() will detect those string and apply real_escape_string() to escape those evil characters. The only possibility I can think an attacker can do is use a Numeric payload for SQL Injection but I don't know any Numeric payload itself has caused Injection yet so far.



So, will this filter keep away the bad guys or is it bypassable ?



EDIT:
I know Prepared statements are much better and a good coding practice while launching app in production. But for this question, I am specifically looking answer to how anyone can thwart this filter itself because it does seem strong to me!

No comments:

Post a Comment

plot explanation - Why did Peaches' mom hang on the tree? - Movies & TV

In the middle of the movie Ice Age: Continental Drift Peaches' mom asked Peaches to go to sleep. Then, she hung on the tree. This parti...