Reputation: 1460
I know there are methods (escaping / prepared statements) to protect against injections. However, for "fun", do you think the following method works?
Assume you are given a string. You get the string and add "space" between every character.
This way, even if there is a security breach somehow, commands will not make sense because adding the "space" invalidates them.
I understand there are performance issues and stuff... But in theory, will it work?
Upvotes: 0
Views: 118
Reputation: 655219
No.
SQL injection is defined as the modification of the intended SQL command. If even a single character is able to modify it (e.g., a single quote prematurely ends the string literal, resulting in a syntax error), it is considered an SQL injection.
Upvotes: 2
Reputation: 171178
This will break up any operator or keywords of more than one character. An attacker would need to cause damage using single characters separated by spaces. Let's see what we can do with that.
Assume a one-character column named c:
SELECT 1
FROM (VALUES (1234)) x(c)
WHERE c = '" + injectedSql + "'
Inject
' + c + '
which gives:
SELECT 1
FROM (VALUES (1234)) x(c)
WHERE c = '' + c + ''
Pwned.
Upvotes: 1
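The exchange above, as an added example that is not part of the answer: it applies the space-insertion scheme from the question to the `' + c + '` payload on a constructed in-memory SQLite table t with an integer column c. SQLite's `+` is arithmetic and converts `''` to 0, so `'' + c + ''` still reduces to c and the WHERE clause becomes `c = c`; the parameterized lookup is shown beside it as the actual fix.

```python
import sqlite3


def space_out(s: str) -> str:
    """The scheme proposed in the question: a space between every character."""
    return " ".join(s)


def make_db() -> sqlite3.Connection:
    # Constructed sample table with a one-character column name, as in the answer.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, c INTEGER)")
    conn.executemany("INSERT INTO t (id, c) VALUES (?, ?)",
                     [(1, 1234), (2, 5678), (3, 42)])
    return conn


def lookup_spaced(conn: sqlite3.Connection, user_input: str) -> list:
    """String-built query with the spacing 'defence' applied to the input."""
    sql = "SELECT id FROM t WHERE c = '" + space_out(user_input) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, user_input: str) -> list:
    """The real fix: the input is bound as a value and never parsed as SQL."""
    rows = conn.execute("SELECT id FROM t WHERE c = ?", (user_input,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    print(lookup_spaced(conn, "1234"))       # [] : legitimate lookup is broken
    print(lookup_spaced(conn, "' + c + '"))  # [1, 2, 3] : every row returned
    print(lookup_param(conn, "1234"))        # [1]
    print(lookup_param(conn, "' + c + '"))   # [] : payload is just a string
```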
Reputation: 16331
Even though this is sort of an "opinion" based question I'm still going to answer. "No." :) This will not safeguard against all possible cases. Most likely it will simply make some forms of injection more difficult, but certainly not all. Here's why.
Introducing spaces will not properly solve the problem, in addition to rendering the data into a format that is unlikely to reflect what you really want to store. For example, some applications will introduce user input as integer values in database lookups.
Given:
SELECT * FROM table WHERE id=$user_input_value
User input: 1OR1=1
Rendered statement:
SELECT * FROM table WHERE id= 1 OR 1 = 1
This remains completely valid SQL and will return all rows in the table. Whitespace around the equals sign will be discarded.
Upvotes: 1