
Somewhat new to SQL injection and web security. I have looked through various posts on this topic but can't fathom the answer. I am trying to beat the filter below to inject an SQL command (in order to login with a known username, and no password)...

```php
// Blocklist-style "sanitiser": each token is stripped exactly once, in this
// order. The first line originally assigned to $filtered while every later
// line reads $filtered_string; corrected to the name the chain actually uses.
$filtered_string = $string;
$filtered_string = str_replace("admin'","",$filtered_string);
$filtered_string = str_replace("or","",$filtered_string);
$filtered_string = str_replace("collate","",$filtered_string);
$filtered_string = str_replace("drop","",$filtered_string);
$filtered_string = str_replace("and","",$filtered_string);
$filtered_string = str_replace("OR","",$filtered_string);
$filtered_string = str_replace("COLLATE","",$filtered_string);
$filtered_string = str_replace("DROP","",$filtered_string);
$filtered_string = str_replace("AND","",$filtered_string);
$filtered_string = str_replace("union","",$filtered_string);
$filtered_string = str_replace("UNION","",$filtered_string);
$filtered_string = str_replace("/*","",$filtered_string);
$filtered_string = str_replace("*/","",$filtered_string);
$filtered_string = str_replace("//","",$filtered_string);
$filtered_string = str_replace("#","",$filtered_string);
$filtered_string = str_replace("--","",$filtered_string);
$filtered_string = str_replace(";","",$filtered_string);
$filtered_string = str_replace("||","",$filtered_string);
```

I should add, this is a PHP-based website (a testing environment) and, as Alejandro points out, it does indeed deserve to be hacked. I just don't know how.
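As an added example (not code from the question or from any answer), the script below reproduces the filter as a single function, shows why a one-pass token blocklist cannot be relied on (removing one token can splice another keyword back together, the weakness a comment on this question points at), and contrasts it with the PDO parameter binding suggested in the comments. It assumes PHP with the pdo_sqlite extension; the `users` table, its columns and the demo password are constructed for the example.

```php
<?php
// Same one-pass, left-to-right behaviour as the question's chain of str_replace calls.
function blocklist_filter(string $input): string
{
    $blocked = ["admin'", 'or', 'collate', 'drop', 'and', 'OR', 'COLLATE', 'DROP',
                'AND', 'union', 'UNION', '/*', '*/', '//', '#', '--', ';', '||'];
    return str_replace($blocked, '', $input);
}

// Does the *filtered* string still carry a keyword the filter was meant to strip?
function still_contains_keyword(string $filtered): bool
{
    return preg_match('/\b(or|and|union|drop|collate)\b/i', $filtered) === 1;
}

// Mitigation: the username is bound as a parameter, so it can only ever be data.
function find_user(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory fixture (assumes the pdo_sqlite extension is loaded).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
    ->execute(['admin', password_hash('constructed-demo-secret', PASSWORD_DEFAULT)]);

// 1. The blocklist: "or" is not present in "o//r" when the "or" pass runs, but the
//    later "//" pass deletes the slashes and re-forms the keyword in the output.
$filtered = blocklist_filter('o//r');
printf("filtered: %s, keyword present: %s\n",
       $filtered, still_contains_keyword($filtered) ? 'yes' : 'no');

// 2. The prepared statement: the hostile username (shape taken from a comment on
//    this question) matches no row, because the quote, the "or" and the "--" are
//    just characters inside a string value, never part of the SQL text.
$hostile = "admin' o//r 1=1 -//-";
var_dump(find_user($pdo, $hostile));
var_dump(find_user($pdo, 'admin') !== null);
```

The lesson for the login code is the second half: once the query uses a placeholder, the filter adds nothing, and the password check should compare against the stored hash with `password_verify()` rather than against anything derived from the request.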

edited by Chris; asked by ds_25
  • What language are you developing in? It would be easier if you could provide a bit more context. You could also look at this answer: [https://stackoverflow.com/questions/7505808/why-do-we-always-prefer-using-parameters-in-sql-statements](https://stackoverflow.com/questions/7505808/why-do-we-always-prefer-using-parameters-in-sql-statements) – Neophear Jul 14 '20 at 20:48
  • Try `ad//min' o//r 1=1 -//-` – krokodilko Jul 14 '20 at 20:53
  • Any website using this validation deserves to be hacked. Use parameters in each and every SQL query and this kind of SQL injection becomes a thing of the past. – Alejandro Jul 14 '20 at 21:20
  • I should have added, it is a PHP-based website (a testing environment) and, as Alejandro points out, it does indeed deserve to be hacked. I just don't know *how*. – ds_25 Jul 14 '20 at 21:25
  • Well, that doesn't really tell if you could SQL inject it. It depends on what the actual queries are and how this string is used in those. For example, you could do like your code, but still use PHP PDO parameter binding. – user3647971 Jul 14 '20 at 21:45
  • Agreed, we don't have enough information to be sure what, if anything, you could do. – ADyson Jul 14 '20 at 22:19
  • Not a good way to avoid any attack; there are more things that may be used. – Mahmoud Magdy Jan 16 '23 at 22:04

0 Answers