-1

I would like to know if it is possible to create a request with no spaces in MySQL?

I tested the security of my own website, and I've put in: str_replace(" ", "", $_POST['id']); All SQL injection becomes:

id=-1 UNION SELECT pass...

after str_replace:

-1UNIONSELECTpass

Would that give me a high level of security on my own website? Are there other ways to inject SQL into a query?

I've already put a mysql_real_escape_string() on the query.

Taryn East
Boris

3 Answers

6

Preventing SQL injection is quite a broad topic (and there's plenty out there to read on it), but in the example that you've written a simpler prevention method would probably be to ensure that you're only accepting an integer. So something like:

$id = (int)$_POST['id'];

And then use $id in your query.

Karl B
3

Prepare with PDO:

http://php.net/manual/en/pdo.prepare.php

Calling PDO::prepare() and PDOStatement::execute() for statements that will be issued multiple times with different parameter values optimizes the performance of your application by allowing the driver to negotiate client and/or server side caching of the query plan and meta information, and helps to prevent SQL injection attacks by eliminating the need to manually quote the parameters.

See also this best question/answer:

How can I prevent SQL injection in PHP?

Community
Haim Evgi
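The two answers above (Karl B's integer cast and Haim Evgi's PDO prepare) combine naturally into one pattern: validate the id as an integer first, then hand it to a prepared statement so the value never becomes part of the SQL text. The script below is an added example, not code from any of the answers; it assumes a `users` table and uses an in-memory SQLite database as a stand-in for MySQL so it runs offline. The sample inputs are constructed. Note that `filter_var` with `FILTER_VALIDATE_INT` rejects `'7abc'` and `'-1 UNION SELECT pass'`, whereas a bare `(int)` cast would silently turn them into `7` and `-1`.

```php
<?php
// Added example (not from the original question or answers): validate the id as
// an integer, then pass it to a prepared statement instead of splicing it into
// the SQL string. Assumption: an in-memory SQLite database stands in for MySQL
// so the script runs offline; with MySQL the DSN would look like
// 'mysql:host=localhost;dbname=app' plus a username and password, and you would
// also set PDO::ATTR_EMULATE_PREPARES to false so the server binds parameters.
declare(strict_types=1);

// Constructed request values: one valid id, the question's injection strings,
// and a value a plain (int) cast would quietly truncate to 7.
$samples = ['42', '-1 UNION SELECT pass', '-1UNIONSELECTpass', '7abc'];

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (42, 'alice'), (7, 'bob')");

/**
 * Return $raw as an integer >= 1, or null if it is not a well-formed id.
 * FILTER_VALIDATE_INT rejects trailing garbage and embedded text outright.
 */
function validateId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Look up a user by id with a prepared statement: the SQL text is fixed and the
 * value travels separately as a typed parameter, so it cannot alter the query.
 */
function findUser(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

foreach ($samples as $raw) {
    $id = validateId($raw);
    if ($id === null) {
        printf("%-28s -> rejected (not a valid id)\n", var_export($raw, true));
        continue;
    }
    $user = findUser($pdo, $id);
    printf("%-28s -> %s\n", var_export($raw, true), $user ? $user['name'] : 'no such user');
}
```

Only `'42'` reaches the database and resolves to `alice`; the other three inputs are rejected before any query is built. Even if validation were skipped, `bindValue` with `PDO::PARAM_INT` keeps the value out of the SQL text, which is the property space-stripping and `mysql_real_escape_string()` do not give you for a bare numeric parameter.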
0

@Boris, I recommend you follow @haim's advice and use PDO. It will provide several advantages, such as making your app more database-agnostic, and providing an escaping mechanism to prevent SQL injection for whatever database engine you've opted to work with.

I wrote an article on PHP webapp security some years ago that includes a section specifically on SQL injection problems. I'm sure there's better and more current material out there now, but it can't hurt to check it out to learn more about the different types of security concerns and how to prevent them: Real-world PHP Security. Good luck!

loginx