André Soares
Reputation: 37
Would this be a good anti sql injection function?
Currently I use this function as a countermeasure for my website just wondering if it can effectively block SQL injections. Since I tested my website with Accunetix WPS, ZAP and NetSparker of which only ZAP said my website was vulnerable to injections of the type = 'ZAP' or '1=1'.
Should I worry?
function anti_injection($sql){
$sql = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"),"",$sql);
$sql = trim($sql);
$sql = strip_tags($sql);
$sql = addslashes($sql);
if($mysqlsupport == 1)
{
$sql = mysql_real_escape_string($sql);
}
return $sql;
}
Upvotes: 0
Views: 640
Answers (1)
Chris
Reputation: 58142
Short Answer: No, this would not be a good anti sql injection function.
There are many many tools that work, and work well, so we as developers don't need to try to cover every edge when it comes to protecting our databases.
Please look into, at the very least, PDO. http://php.net/manual/en/book.pdo.php
Upvotes: 3
Related Questions
- Is this code anti mysql injection?
- Is this code protected against SQL injection?
- Is my PHP Code Secure
- PHP SQL Injection - Is This Code Sufficiently "Safe" from That?
- Is this a safe way to prevent sql injections?
- Does this PHP function protect against SQL injection?
- Is this a safe way to filter data and prevent SQL-injection and other attacks?
- Is this safe enough for SQL injection
- Will this SQL injection prevention work in theory?
- Is this a safe way to secure against sql injection?