Tai Kwangi Chicken

Reputation: 623

Is Checking for String Quotes a Reliable Form of SQL Injection Prevention?

I would like to know if this is reliable. In my PHP file I use the following code:

if(strpos($text,"'") === false) {
    //perform query
} else { /*illegal character*/ }

I know I probably sound like an idiot, but what are the flaws in this? Can someone use different character encoding perhaps to get around it and inject a single quote?

Upvotes: 0

Views: 186

Answers (2)

elixenide

Reputation: 44833

No, it's not. Injections can use ', ", ; and any number of other characters. For example, if you use the wrong text encoding, some Unicode characters can be used to terminate a string. As @TheShiftExchange points out, your code would let through a DROP TABLES command, and it could result in all sorts of other injections.

Upvotes: 0

Laurence

Reputation: 60048

If you want to prevent SQL Injection - then follow the guidelines here: How can I prevent SQL injection in PHP?

Trying to implement your own custom measures is only going to end in tears.

And for the record - your code will not prevent SQL injections. For example:

105; DROP TABLE Suppliers

would get through.

Upvotes: 2
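To make the two points above concrete, here is an added example (not code from either answer or from the question) that applies the asker's quote check to the payload Laurence gives, then does the same lookup with a PDO prepared statement. It assumes PHP with the pdo_sqlite extension, using an in-memory SQLite database so it runs offline; the table and row are constructed for the demonstration.

```php
<?php
// Added example, not from the original post: the asker's quote check versus a
// prepared statement, run against a constructed in-memory SQLite database.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Suppliers (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO Suppliers (id, name) VALUES (105, 'Acme')");

// The check from the question: rejects input only if it contains a single quote.
function passesQuoteCheck(string $text): bool
{
    return strpos($text, "'") === false;
}

// Lookup built by string concatenation, guarded only by the quote check.
// Returns the SQL text that would be sent, or null if the check rejected it.
function concatenatedQuery(string $input): ?string
{
    if (!passesQuoteCheck($input)) {
        return null; // "illegal character"
    }
    // A numeric comparison needs no quotes, so the input lands in the SQL unquoted.
    return "SELECT name FROM Suppliers WHERE id = " . $input;
}

// Same lookup with a prepared statement: the input is bound as a value and is
// never parsed as part of the SQL, so no character in it can change the query.
function preparedLookup(PDO $db, string $input)
{
    $stmt = $db->prepare("SELECT name FROM Suppliers WHERE id = :id");
    $stmt->execute([':id' => $input]);
    return $stmt->fetchColumn(); // name, or false when no row matches
}

$payload = "105; DROP TABLE Suppliers";   // the example from Laurence's answer

// The payload has no single quote, so the check lets it through unchanged
// and it becomes part of the SQL text itself.
var_dump(passesQuoteCheck($payload));     // bool(true)
echo concatenatedQuery($payload), "\n";   // SELECT name FROM Suppliers WHERE id = 105; DROP TABLE Suppliers

// With a prepared statement the whole string is just a value to compare
// against id: no row matches, and the table is untouched.
var_dump(preparedLookup($db, $payload));  // bool(false)
var_dump(preparedLookup($db, "105"));     // string(4) "Acme"
```

The concatenated statement is deliberately printed rather than executed; the point is that the quote check never touched it, while the bound parameter cannot alter the query regardless of what the input contains.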
