Further explanation:

I use custom PHP / MySQL functions to execute my queries (dynamic MySQLi, not prep. statements).

If I include in my function code that replaces the following chars, \ < > ' " - ; ( ) with their HTML code, before executing the query, is it possible to bypass this security measure? If so, then can you, please, explain how?

Furthermore, I am not interested in running prepared statements, or any other kind of escaping script or function. Also, I will initially convert the input string to UTF-8.

P.S.: I know this question has a lot of versions, is debatable and controversial, but I searched for and have not found a satisfying answer.

Thank you in advance for your wise answers.

  • It all depends on the context those values will be used in. But why don’t you simply use already existing measures? – Gumbo Jun 30 '13 at 18:18
  • One of the most important reasons is because I want to learn how to protect a website from SQL injection. I want to understand thoroughly how these measures work, not only apply them. Vis-a-vis prepared statements, they significantly slow my code writing speed. –  Jun 30 '13 at 18:48
  • There are two types of parameterized queries: One is evaluated by the programming language and one by the database using prepared statements. Unfortunately, PHP’s standard library does only support the latter, requiring quite verbose syntax (prepare, bind, execute). However, there are libraries which do this with just one command, something like `execute("select foo from bar where baz=?", param)`. – Gumbo Jun 30 '13 at 19:24
  • Thank you, Gumbo. This is valuable. Might be a viable alternative to what I had in mind. –  Jun 30 '13 at 19:27

1 Answer

Blacklisting is ineffective because there are so many different types of encodings and characters you can miss. Check out the Web Hackers Handbook for a few of the techniques.

But, even if we ignored encodings, there are lots of little implementation stumbling blocks. If you only pass over the input once, a statement could be crafted that still creates malicious input.

It's worth mentioning that you've missed several of the most important characters in your post, like ";" and "--".

The correct way to do this is with parameterized queries.

Check out this question for some more detail on implementation.

– alexphilipp
  • Thank you for your valuable advice, I have updated my question. I will take a look over the book you mentioned, but that will take a while. Assuming I primarily convert the string to UTF-8 format and add the other 2 chars you mentioned, is it still possible to bypass this security measure? P.S.: As I told Gumbo, parametrized queries slow my code writing speed. –  Jun 30 '13 at 18:51
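The following is an added example, not code from the question, the answer or any library mentioned in this thread. It addresses the two points the thread makes: the answer's advice that parameterized queries, not a character blacklist, are the correct defence, and Gumbo's remark that the verbose prepare/bind/execute sequence can be wrapped in a single `execute("... where baz=?", param)`-style call, which removes the "slows my code writing" objection. The helper name `query()`, the table `users` with columns `id` and `email`, and the connection credentials are all assumptions made for illustration.

```php
<?php
// Added example: a one-call wrapper around mysqli prepared statements.
// Function name, table, columns and credentials are assumed for illustration;
// they are not from the original question or answer.

declare(strict_types=1);

/**
 * Run a parameterised query and return all rows as associative arrays.
 *
 * The SQL text carries only '?' placeholders; the values travel to the
 * server separately from the statement, so no character in $params
 * (quotes, semicolons, comment markers, backslashes, in any encoding)
 * can change the structure of the statement. That separation is why no
 * blacklist or replacement list is needed at all.
 *
 * @param mysqli $db     open connection (configured to throw on errors)
 * @param string $sql    query text with one '?' per value
 * @param array  $params values in placeholder order
 * @return array<int, array<string, mixed>>
 */
function query(mysqli $db, string $sql, array $params = []): array
{
    $stmt = $db->prepare($sql);

    if ($params !== []) {
        // Build the bind_param type string from the PHP types of the values:
        // i = integer, d = double, s = string (also used for NULL and bool).
        $types = '';
        foreach ($params as $p) {
            $types .= is_int($p) ? 'i' : (is_float($p) ? 'd' : 's');
        }
        // Argument unpacking passes the array elements by reference,
        // which bind_param requires (PHP >= 5.6). With MYSQLI_REPORT_STRICT
        // a placeholder/parameter count mismatch surfaces as an exception.
        $stmt->bind_param($types, ...$params);
    }

    $stmt->execute();
    $result = $stmt->get_result();               // requires the mysqlnd driver
    $rows = $result === false ? [] : $result->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// --- usage ----------------------------------------------------------------

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // exceptions, not silent false
$db = new mysqli('localhost', 'app', 'secret', 'appdb');   // assumed credentials
$db->set_charset('utf8mb4'); // the character set belongs on the connection, not on the input

// Untrusted input, used exactly as received: no character replacement at all.
$email = $_GET['email'] ?? '';

// The dynamic-SQL pattern the question describes, kept here only for comparison.
// Every character class the blacklist tries to catch matters solely because the
// value is pasted into the statement text; no replacement list covers every encoding.
// $rows = $db->query("SELECT id, email FROM users WHERE email = '$email'")->fetch_all(MYSQLI_ASSOC);

// The same lookup with the value bound as a parameter: one call, no escaping.
$rows = query($db, 'SELECT id, email FROM users WHERE email = ?', [$email]);

foreach ($rows as $row) {
    // Entity replacement is output encoding for HTML; this is the layer where
    // it belongs, not the SQL layer the question tried to protect with it.
    echo htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Two design points worth noting. First, `set_charset()` on the connection is what keeps the server and client agreeing on the encoding of the bound values; converting the input string to UTF-8 yourself, as the question proposes, does not tell MySQL anything. Second, the HTML-entity replacement the question describes is the right tool for a different job: it protects the page that later displays the value, which is why it appears in the output loop rather than anywhere near the query.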