nkcmr

Reputation: 11010

Is regex enough to stop injection attacks?

I have a script that processes user input and before it continues with database interaction it verifies input with regex. My only question is, is regex enough to weed out injection attacks or do I still need to apply mysql_real_escape_string()?

Upvotes: 3

Views: 439

Answers (4)

Barry Kaye

Reputation: 7759

If your regex is good enough then yes, however, why take the risk?

Upvotes: 1

Justin Niessner

Reputation: 245429

Unless you have an amazing RegEx expression, I personally wouldn't trust it to be complete.

Always err on the side of too much protection rather than too little. Include the call to mysql_real_escape_string.

Upvotes: 0

phihag

Reputation: 287885

It is if the regex is ^$. For all other inputs, it depends on whether the regexp lets escape characters through. Since those depend on the database and connection settings, you should really use prepared statements or, if that's not an option, mysql_real_escape_string every time.

Upvotes: 1
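An added illustration of the point above (not phihag's code, and using Python's sqlite3 driver in place of the PHP/MySQL stack the question is about): a perfectly reasonable name whitelist has to allow apostrophes, so the quote character reaches the query untouched. With string concatenation that breaks the SQL; with a prepared (parameterised) statement the value never becomes SQL text.

```python
import re
import sqlite3

# Constructed in-memory table standing in for the MySQL table in the question.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
CONN.executemany("INSERT INTO users (name) VALUES (?)",
                 [("Alice",), ("O'Brien",)])
CONN.commit()

# A plausible "name" whitelist: letters, spaces, hyphens and apostrophes.
# Real names need the apostrophe, so the regex lets the one character
# SQL string literals care about straight through.
NAME_RE = re.compile(r"^[A-Za-z' -]{1,40}$")


def lookup_concat(name):
    """Regex check, then string concatenation (the pattern the question describes).
    Returns the matching names, or 'rejected' / 'sql error'."""
    if not NAME_RE.match(name):
        return "rejected"
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in CONN.execute(sql)]
    except sqlite3.OperationalError:
        # The quote inside the value terminated the literal early.
        return "sql error"


def lookup_param(name):
    """Same regex check, then a parameterised query: the driver passes the
    value separately, so its content can never change the statement."""
    if not NAME_RE.match(name):
        return "rejected"
    rows = CONN.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    for n in ("Alice", "O'Brien", "Alice1"):
        print(repr(n), "concat:", lookup_concat(n), "param:", lookup_param(n))
```

In PHP the equivalent of `lookup_param` is a prepared statement through PDO or mysqli; the regex still does useful input validation, but it is not what keeps the value out of the SQL grammar.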

Evan Mulawski

Reputation: 55334

It really depends on how "good" the expression is; as in, "did you cover all your bases?" It doesn't hurt to put it through mysql_real_escape_string to be safe. There is no performance impact if you use this a few times in your script.

Upvotes: 2
