-1

If I use say:

preg_replace('#[^a-z0-9]#i', '', $_POST['dangerousINPUT']);

Will this be enough to completely stop injection attacks? Furthermore, will it stop the crazy characters that hackers use for these sorts of attacks (non-English alphabetical)?

Thank you. I could not find an answer asking this specifically.

Jimbu
  • No. Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – RiggsFolly Sep 21 '16 at 09:41
  • But you can't insert any characters besides a-Z, how is that possible? – Jimbu Sep 21 '16 at 09:42
  • There is no such thing as "crazy characters". There are just characters, lots of 'em, buggers. It might be that some are unfamiliar to you. But that does not say anything about those characters, does it? Only about you... – arkascha Sep 21 '16 at 09:51
  • Such strategies to get around common attack vectors are pretty poor, since they do not really address the issue itself. They try to work around it without really understanding what the issue is. Instead of filtering like that, why don't you simply solve the issue and make your code safe against such attacks? That is very well possible and also documented. – arkascha Sep 21 '16 at 09:52

2 Answers

0

It's simply not enough.

Imagine something like this were implemented here on Stack Overflow. You would have been unable to post your question at all.

Your Common Sense
  • Yes, but what if it's just a username input form or something? Wouldn't this be enough for that? – Jimbu Sep 21 '16 at 09:46
0

Yes, blindly replacing all characters outside [a-z0-9] might work in most cases, but it is not the correct way to do it. Use functions / methods which were specifically designed for this task in a given context:

Even if you want to remove these characters from a username, you should still escape the final value or use prepared statements. This allows you to change your mind about which characters are allowed without having to revise all of your code and introduce proper sanitization later.

Shira
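As an added example (not code from the question or from either answer), here is the approach the answers recommend, in PHP: check the username against the same whitelist but reject it instead of silently rewriting it, then insert it through a mysqli prepared statement so the allowed character set can change later without touching the SQL. The table and column names, the field name and the connection details are assumptions.

```php
<?php
// Added example: whitelist validation plus a prepared statement.
// Table `users`, column `username`, field name `username` and the
// connection details below are all assumed, not taken from the page.

declare(strict_types=1);

// Validate instead of mutate: return null when the value does not match,
// so the caller can report an error rather than store an altered name.
// Same character class as in the question, with a length limit added.
function validateUsername(string $raw): ?string
{
    return preg_match('/^[a-z0-9]{3,32}$/i', $raw) === 1 ? $raw : null;
}

// Insert with a parameterised query. The username travels as a bound
// parameter, so the SQL text is fixed no matter what the value contains.
// If the whitelist above is later widened (spaces, apostrophes, accented
// letters), this function does not need to change.
function createUser(mysqli $db, string $username): int
{
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (?)');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

$username = validateUsername($_POST['username'] ?? '');
if ($username === null) {
    http_response_code(400);
    exit('Username may only contain letters and digits (3-32 characters).');
}

// Make mysqli throw on errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app', 'secret', 'appdb'); // assumed credentials
$newId = createUser($db, $username);
echo "Created user #{$newId}\n";
```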