I was trying to look for mitigation of SQL Injection
against my web application based on PHP and MySQL. The first rule is to sanitize the
query; Hence I am using mysql_real_escape_string()
function for
that
Here is what my snippet looks
like
if (is_string($string))
{
return $mysqli->real_escape_string($string);
} else
{
return
"";
}
Here,
$string
would contain the user-input. After this filtering and
escaping, I would use INSERT INTO
query to insert into
database.
This filter, will thwart any malicious
user inputs like haha'
, inj''
etc as
is_string()
will detect those string and apply
real_escape_string()
to escape those evil characters. The only
possibility I can think an attacker can do is use a Numeric payload for SQL Injection
but I don't know any Numeric payload itself has caused Injection yet so
far.
So, will this filter keep away the bad guys
or is it bypassable
?
EDIT:
I
know Prepared statements are much better and a good coding practice while launching app
in production. But for this question, I am specifically looking answer to how anyone can
thwart this filter itself because it does seem strong to me!
No comments:
Post a Comment