I was trying to look for mitigation of SQL Injection against my web application based on PHP and MySQL. The first rule is to sanitize the query; Hence I am using mysql_real_escape_string() function for that
Here is what my snippet looks like
if (is_string($string)) {
return $mysqli->real_escape_string($string);
} else {
return "";
}
Here, $string would contain the user-input. After this filtering and escaping, I would use INSERT INTO query to insert into database.
This filter, will thwart any malicious user inputs like haha' , inj'' etc as is_string() will detect those string and apply real_escape_string() to escape those evil characters. The only possibility I can think an attacker can do is use a Numeric payload for SQL Injection but I don't know any Numeric payload itself has caused Injection yet so far.
So, will this filter keep away the bad guys or is it bypassable ?
EDIT:
I know Prepared statements are much better and a good coding practice while launching app in production. But for this question, I am specifically looking answer to how anyone can thwart this filter itself because it does seem strong to me!
No comments:
Post a Comment