user3054325

Reputation: 29

SQL Injection without prepared statements or parameterised queries

I know there are many questions out there already regarding this subject, however none I have found specifically answer my question.

I have created a simple PHP function that validates all user-supplied input. Given the nature of the application I am developing, it is rare that the use of any characters other than numbers and letters is required. Occasionally commas (,), hyphens (-), ampersands (&) and single quotes (') are needed. My PHP function ensures that all input only contains these characters, and then adds a single backslash in front of each instance of one of these symbols.

I am assuming that if I guarantee that all input is sent through this function before being used in a MySQLi query, I am safe from SQL injection and have no need to use prepared statements, parameterised queries, etc., regarding security only.

Am I correct?

Upvotes: 0

Views: 105

Answers (2)

Matt Gibson

Reputation: 38238

It seems from our discussion in the comments that the underlying reason you want to avoid parameterised queries is because you couldn't get mysqli_stmt_get_result() working under MAMP as it requires the mysqlnd native driver.

In fact, that has no bearing on your ability to use parameterised queries or prepared statements. It's an enhancement to the normal method of fetching bound results from prepared statements instead of the older (but still standard and perfectly-supported) mysqli_stmt_bind_result(), which will work fine without mysqlnd.

Please use parameterised queries. If you also want to use prepared statements with bound result variables without the mysqlnd driver, use mysqli_stmt_bind_result() instead of mysqli_stmt_get_result().

If you have any problems using parameterised queries, please post a new question with a complete, minimal example of the code you're having problems with.

Upvotes: 0
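The following is an added example, not code from the question or either answer. It reconstructs the question's whitelist-and-backslash approach as one function (an assumption, since the real function is not shown on the page) and sets it beside a parameterised mysqli query that uses mysqli_stmt_bind_result(), the path this answer recommends when mysqlnd is unavailable. The table name, column names and connection details are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Reconstruction of the question's approach (assumption: the real function is
// not on the page). Allow only letters, digits, comma, hyphen, ampersand and
// single quote, then put a backslash in front of each of the four symbols.
function op_style_escape(string $value): string
{
    if (!preg_match("/\\A[A-Za-z0-9,&'-]*\\z/", $value)) {
        throw new InvalidArgumentException('Disallowed character in input');
    }
    return preg_replace("/([,&'-])/", '\\\\$1', $value);
}

// Query built by string concatenation, the question's way. The escaping only
// does its job while two conditions hold: every escaped value is placed
// between single quotes in the SQL text, and the server is not running with
// sql_mode NO_BACKSLASH_ESCAPES, under which a backslash is an ordinary
// character and \' no longer closes off the quote. Neither condition is
// enforced by the escaping function itself; it has to be remembered at every
// call site.
function build_concatenated_query(string $name): string
{
    return "SELECT id, name FROM customers WHERE name = '"
        . op_style_escape($name) . "'";
}

// Parameterised query with mysqli. This needs no mysqlnd because it reads
// the result with mysqli_stmt_bind_result() rather than
// mysqli_stmt_get_result(). The value is sent to the server separately from
// the SQL text and is never parsed as SQL, so quotes, backslashes and the
// server's sql_mode do not matter.
function find_customers_prepared(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM customers WHERE name = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // 's' types the single placeholder as a string; the variable is bound by
    // reference, which is why a variable rather than an expression is passed.
    $stmt->bind_param('s', $name);
    if (!$stmt->execute()) {
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $db->error);
    }
    // Bind one PHP variable per selected column; fetch() fills them in turn.
    $stmt->bind_result($id, $customerName);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['id' => $id, 'name' => $customerName];
    }
    $stmt->close();
    return $rows;
}

// Usage with assumed credentials and database:
// $db = new mysqli('localhost', 'app', 'secret', 'shop');
// $db->set_charset('utf8mb4');
// print_r(find_customers_prepared($db, "O'Brien"));
// echo build_concatenated_query("O'Brien"), PHP_EOL;
```

Both functions accept the same input, but only find_customers_prepared() stays correct regardless of where the value ends up in the statement or how the server is configured, which is the practical reason the answers above push parameterised queries over home-grown escaping. If you later move to a build with mysqlnd, the fetch loop can be swapped for mysqli_stmt_get_result() without touching the bind_param() call.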

Fleshgrinder

Reputation: 16253

tl;dr NO

There are many attack vectors and many different kinds of SQL Injection out there. For instance, use the wrong method from the MySQLi class and you're open to many attacks.

Just don't even bother thinking about building your own stuff, you'll fail, you'll fail hard. Follow best practices and concentrate on other parts while becoming the most awesome programmer this world has ever seen.

On a last note, prepared statements offer you many benefits. Although the caching of queries as mentioned by @Zanon is sadly not one of them if you use MySQL (it would be with e.g. PostgreSQL). But that is up to the documentation of the software (and its exact versions) you use.

Upvotes: 3
