Thursday, 31 January 2019

php - Is using is_string() a good defense against SQL Injection?

I was trying to find a mitigation for SQL injection in my web application, which is based on PHP and MySQL. The first rule is to sanitize the query; hence I am using the mysql_real_escape_string() function for that.

Here is what my snippet looks like:

// Escape a user-supplied value before it is interpolated into a query.
// Anything that is not a string is discarded and replaced by "".
function escape_input(mysqli $mysqli, $string) {
    if (is_string($string)) {
        return $mysqli->real_escape_string($string);
    } else {
        return "";
    }
}


Here, $string would contain the user input. After this filtering and escaping, I would use an INSERT INTO query to insert it into the database.

This filter will thwart any malicious user inputs like haha', inj'' etc., as is_string() will detect those strings and apply real_escape_string() to escape those evil characters. The only possibility I can think of is that an attacker could use a numeric payload for SQL injection, but I don't know of any numeric payload that has caused an injection so far.

So, will this filter keep away the bad guys, or is it bypassable?

EDIT:
I know prepared statements are much better and good coding practice when launching an app in production. But for this question, I am specifically looking for an answer to how anyone can thwart this filter itself, because it does seem strong to me!
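The following is an added example, not part of the original post, showing the bypass the question is asking about. It assumes a constructed `users` table held in SQLite (so it runs offline; the PHP code targets MySQL), and `mysql_style_escape` is a reimplementation of what MySQL-style `real_escape_string` does under the default single-byte-safe connection charsets, not PHP's own function. The point it demonstrates: escaping only protects a value that sits inside a quoted string literal. Placed in an unquoted numeric slot such as `WHERE id = $escaped`, a payload that contains no quote, backslash or control character passes `is_string()` (every `$_GET`/`$_POST` scalar arrives as a string anyway) and comes back from the escaper byte for byte unchanged, so the database parses it as SQL.

```python
import sqlite3

# Reimplementation (not PHP's own function) of the escaping that MySQL-style
# real_escape_string applies under the default single-byte-safe charsets:
# NUL, newline, carriage return, backslash, both quotes and Ctrl-Z get a
# backslash in front of them. Nothing else is touched.
_ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}


def mysql_style_escape(value: str) -> str:
    """Escape a string the way MySQL-style real_escape_string does."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def escape_if_string(value):
    """The filter from the question: escape strings, drop everything else."""
    return mysql_style_escape(value) if isinstance(value, str) else ""


def build_insert(name: str) -> str:
    """Quoted string slot: the escaped quote cannot close the literal.
    MySQL would parse the result as intended; the text is only built, not
    executed, because SQLite does not use backslash escapes in literals."""
    return f"INSERT INTO users (name) VALUES ('{escape_if_string(name)}')"


def _sample_db() -> sqlite3.Connection:
    """Constructed sample table; SQLite is used so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO users VALUES (1, 'alice'), (2, 'bob'), (3, 'carol');"
    )
    return conn


def lookup_escaped(user_input: str) -> list:
    """Vulnerable: the escaped value lands in an UNQUOTED numeric slot.
    A payload with no quote, backslash or control character is returned
    unchanged by the escaper, so the database parses it as SQL."""
    conn = _sample_db()
    query = f"SELECT id, name FROM users WHERE id = {escape_if_string(user_input)}"
    return conn.execute(query).fetchall()


def lookup_prepared(user_input: str) -> list:
    """Safe: the value is bound as a parameter and never parsed as SQL."""
    conn = _sample_db()
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_input,)
    ).fetchall()


if __name__ == "__main__":
    payload = "1 OR 1=1"              # arrives as a str, so is_string() passes
    print(escape_if_string(payload))  # the escaper changes nothing
    print(lookup_escaped(payload))    # every row comes back
    print(lookup_prepared(payload))   # no row matches the literal text
    print(build_insert("haha'"))      # the quote is neutralised in a quoted slot
```

Two caveats worth keeping in mind beyond the numeric case: the `is_string()` check adds nothing for web input, since PHP delivers every request scalar as a string, and `real_escape_string` is only correct when the client library knows the connection's character set, which means setting it with `$mysqli->set_charset()` rather than a raw `SET NAMES` query. Binding parameters, as in `lookup_prepared`, sidesteps all of this because the value is never part of the SQL text.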
