Reputation: 2477
Will this SQL injection prevention work in theory?
I plan to prevent SQL injections by using the the $variable and route it to a function that will scan the $variable for any sql commands or any attempts of injections. I will also make a list of common sql commands that people would use inject so it would be detected.
Note: I previously asked a similar question but this time I have a theory I managed to think ;)
Upvotes: 1
Views: 81
Answers (2)
Reputation: 943220
No. Blacklisting will inevitably give false positives and almost certainly give false negatives.
Use bound parameters and let the database deal with it for you.
Upvotes: 3
Reputation: 421
The simplest and secure way to prevent SQL injection is to use mysql_real_escape_string() on any untrusted data (eg: $_GET or $_POST). It will escape any special characters so the query will be safe.
If you use mysqli, see http://www.php.net/manual/en/mysqli.real-escape-string.php
More about SQL injection and how can you protect yourself against it: http://www.php.net/manual/en/security.database.sql-injection.php
So, your plan it's not the best way to do it. It unnecessarly complicates things.
Upvotes: 3
Related Questions
- Would this be a good anti sql injection function?
- Is my PHP Code Secure
- PHP SQL Injection - Is This Code Sufficiently "Safe" from That?
- Is this a safe way to prevent sql injections?
- Does this PHP function protect against SQL injection?
- How will this affect chances of preventing SQL injection?
- Is this safe enough for SQL injection
- Is this a safe way to secure against sql injection?
- Is this line of PHP good enough to prevent MySQL injection?
- PHP protecting itself from SQL injections?