
I have done some research on how injection/XSS attacks work. It seems like hackers simply make use of the USER INPUT fields to input code.

However, suppose I restrict every USER INPUT field to alphanumerics only (a-zA-Z0-9) with preg_replace, and let's assume that I use the soon-to-be-deprecated my_sql instead of PDO or my_sqli.

Would hackers still be able to inject/hack my website?

Thanks!

  • That's the worst possible solution to the problem. You know what else would work? Stop accepting any user input whatsoever. – user229044 Oct 08 '13 at 20:31
  • haha yea I understand that it is not the most optimal solution. But, what if my website is very simple and only needs alphanumeric user inputs? So in theory, this works right? If all user inputs are restricted, no worries for hacking whatsoever. – realstarspace Oct 08 '13 at 20:33
  • You're still solving it the wrong way. Just because it works under very narrowly defined circumstances doesn't mean it's a good solution. Just use the solution explicitly provided for this problem, that works *everywhere*, that all developers understand. – user229044 Oct 08 '13 at 21:11


Short version: Don't do it.

Long version:

Suppose you have

SELECT * FROM my_table WHERE id = $user_input

If this happens, then some inputs (such as CURRENT_TIMESTAMP) are still possible, though the "attack" would be limited to the point of probably being harmless. The solution here could be to restrict the input to [0-9].

In Strings ("$user_input"), the problem shouldn't even exist.

However:

  • You have to make sure you implement your escape function correctly.
  • It is incredibly annoying for the end user. For instance, if this was a text field, why aren't white spaces allowed? What about á? What if I want to quote someone with ""? Write a math expression with < (or even write something apparently harmless such as i <3 u)?

So now you have:

  1. A homebrew solution, which has to be checked for correctness (and may have bugs, as any other function). Bugs in this function are potential security issues;
  2. A solution which is unfamiliar to other programmers, who have to get used to it. Code without the usual escape functions is usually wrong code, so it's massively surprising;
  3. A solution that's fragile. What if someone else modifies your code and forgets to add the validation? What if you forget the validation?

You are focusing on solving a problem that's already been solved. Why waste time doing something that takes time to develop and is hard to maintain when others have already developed proper solutions that take close to no effort to use?

Finally, don't use deprecated APIs. Things are deprecated for a reason. Deprecated can mean stuff like "we'll drop support at any minute" or "this has severe issues but we can't fix it for some reason".

Deprecated APIs are supposed to be used by legacy applications of developers that did not have enough time or resources to migrate. When starting from scratch, use the supported APIs.
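The contrast the answer draws, as an added example that is not part of the original answer: the alphanumeric-allowlist query from the question next to a PDO prepared statement. It uses an in-memory SQLite database, and the table name `my_table`, its columns and the sample rows are constructed for the demo.

```php
<?php
// Added example (not from the original answer). In-memory SQLite so it runs
// offline; table, columns and rows are constructed for the demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE my_table (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO my_table (id, name) VALUES (1, 'alice'), (2, 'bob')");

// The question's approach: strip everything but [a-zA-Z0-9], then concatenate.
// The filter is homebrew, and in an unquoted numeric context a bare column
// name still passes it, so the query no longer means "one fixed id".
function lookup_with_allowlist(PDO $pdo, string $user_input): array
{
    $filtered = preg_replace('/[^a-zA-Z0-9]/', '', $user_input);
    $sql = "SELECT * FROM my_table WHERE id = $filtered"; // string concatenation
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The supported approach: a prepared statement binds the value as data, so
// whatever the user typed is compared against id, never parsed as SQL.
function lookup_with_pdo(PDO $pdo, string $user_input): array
{
    $stmt = $pdo->prepare('SELECT * FROM my_table WHERE id = :id');
    $stmt->execute([':id' => $user_input]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A normal lookup behaves the same either way.
var_dump(count(lookup_with_allowlist($pdo, '1')) === 1);
var_dump(count(lookup_with_pdo($pdo, '1')) === 1);

// Input that is purely alphanumeric but is not a number: the allowlist
// version turns the WHERE clause into a tautology (id = id) and returns
// every row; the prepared statement compares it as a literal and returns none.
var_dump(count(lookup_with_allowlist($pdo, 'id')) === 2);
var_dump(count(lookup_with_pdo($pdo, 'id')) === 0);
```

If the column must be numeric, the answer's [0-9] restriction (or a cast to int) narrows the input further, but the prepared statement is what removes the concatenation entirely.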
