Wednesday 20 December 2017

php - Is using is_string() a good defense against SQL Injection?

I was trying to look for mitigation of SQL Injection for my web application based on PHP and MySQL. The first rule is to sanitize the query; hence I am using the mysql_real_escape_string() function for that.



Here is what my snippet looks like:



    // Helper around the snippet: $mysqli is an open mysqli connection,
    // $string is the raw user input.
    function escape_input(mysqli $mysqli, $string)
    {
        if (is_string($string))
        {
            // Escape quote and other special characters for use inside a quoted SQL literal
            return $mysqli->real_escape_string($string);
        } else
        {
            // Anything that is not a string is discarded entirely
            return "";
        }
    }


Here, $string would contain the user input. After this filtering and escaping, I would use an INSERT INTO query to insert into the database.



This filter will thwart any malicious user inputs like haha', inj'' etc., as is_string() will detect those strings and apply real_escape_string() to escape those evil characters. The only possibility I can think of is for an attacker to use a numeric payload for SQL Injection, but I don't know of any numeric payload that has caused injection so far.



So, will this filter keep away the bad guys, or is it bypassable?



EDIT:

I know prepared statements are much better and a good coding practice when launching an app in production. But for this question, I am specifically looking for an answer to how anyone can thwart this filter itself, because it does seem strong to me!
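The two approaches the question contrasts, side by side, as an added example that is not part of the original post: the is_string()/real_escape_string() helper used the only way escaping is effective (the escaped value placed inside single quotes, and a numeric column never built from raw text), next to the prepared-statement form the EDIT mentions. The connection parameters, the users table and its name/age columns are assumptions for illustration.

```php
<?php
// Added example, not code from the original question.
// Assumes a MySQL table `users` with columns `name` (VARCHAR) and `age` (INT);
// connection parameters below are placeholders.

$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'app_db');
if ($mysqli->connect_error) {
    die('Connection failed: ' . $mysqli->connect_error);
}
// real_escape_string() escapes according to the connection's character set,
// so set it explicitly instead of relying on the server default.
$mysqli->set_charset('utf8mb4');

// Variant 1: the question's approach. Escaping only protects a value that is
// placed inside single quotes in the SQL text; a non-string (for example an
// int) is replaced by an empty string rather than escaped.
function escape_or_empty(mysqli $mysqli, $value): string
{
    return is_string($value) ? $mysqli->real_escape_string($value) : '';
}

function insert_escaped(mysqli $mysqli, $name, $age): bool
{
    $safeName = escape_or_empty($mysqli, $name);
    // The escaped value must sit between quotes for the escaping to matter.
    // The numeric column is filled from an explicit integer cast, never from
    // raw input text, so the string check is not relied on for that column.
    $sql = "INSERT INTO users (name, age) VALUES ('" . $safeName . "', " . (int) $age . ")";
    return $mysqli->query($sql) === true;
}

// Variant 2: prepared statement. The data never becomes part of the SQL text,
// so there is no escaping step and no string/number distinction to get wrong.
function insert_prepared(mysqli $mysqli, string $name, int $age): bool
{
    $stmt = $mysqli->prepare('INSERT INTO users (name, age) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $name, $age);   // 's' = string, 'i' = integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed sample inputs, including the quote-containing ones from the question.
insert_escaped($mysqli, "haha'", 30);
insert_prepared($mysqli, "inj''", 31);

$mysqli->close();
```

The difference to keep in mind when reviewing code like the question's helper: real_escape_string() makes a value safe only as the content of a quoted string literal, and only for the character set the connection is actually using, which is why set_charset() is called before any escaping. bind_param() needs neither condition, because bound values are sent separately from the statement text.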
