Link to home
Start Free TrialLog in
Avatar of Alfahane
Alfahane

asked on

Is it possible to prevent SQL-injections solely by filtering out specific characters

Is rigourous filtering of characters a possible way to prevent SQL-injections? I understand that filtering means that you lose functionality as special characters can be a valid part of a valid string.

I also understand that parametrisized is the (generally accepted) best way to go.

Avatar of Garry Glendown
Garry Glendown
Flag of Germany image
Special characters should always be allowed, but you need to ensure that they are encoded/decoded before you use them for building a query.

e.g, imagine somebody entering the following input into a string field:

john doe"; drop database customer;

Open in new window


without escaping, this might seriously harm your database ;)

You need to make sure to sanitize any input to a web form (or GET variable value) before handing it to your database. In PHP, you could use functions like "mysql_real_escape_string" to "fix" the input so that any legitimate information can be searched for; in this example, it would ensure that plain concatenation of the string to the query would be safe for execution ..
Avatar of dportas
dportas
You could filter out special characters but you generally shouldn't. Passing your inputs as parameters is the best way to avoid SQL injection.
Avatar of Alfahane
Alfahane

ASKER

Yes, passing as parameters is the best. However, still need to investigate character filtering for an old system that will be shut down but need higher security without changing all queries to parametrized.
Avatar of Garry Glendown
Garry Glendown
Flag of Germany image
Is it available in source? How many pages are there that get input from forms? I doubt there's some "silver bullet" that will be able to fix the problem for you ... at least not for little or no money and without work ...
Theoretically, an IDS or application firewall could be set up to look for and block certain sequences, but will require some in-depth understanding of what is permitted and safe, and how to set up the system ...
Avatar of Alfahane
Alfahane

ASKER

Ok, so there is not a list with characters and pose a threat?
ASKER CERTIFIED SOLUTION
Avatar of Garry Glendown
Garry Glendown
Flag of Germany image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Russell_Venable
Russell_Venable
Flag of United States of America image
I think its important for me to add info here. Its not safe by any means to leave single quotes in. If you absolutely need too. Make sure you filter for those and add a (\) to each single quote so as to not execute a command for your SQL database, this can be achieved by using "addslashes()". Thought if you dont need those quotes at all. I would disable the option "magic_quotes_gpc" that is on by default. You should use "mysql_real_escape_string" or "mysqli_real_escape_string" to escape variables or query's before executing it before anything that has a user definable variable can reach the SQL query. Also note that you need to filter for XSS attacks as well. You can read more about a few other attacks here and fixes for those attacks Foiling cross site forgery. Good luck!