Is using filter_var () enough to avoid SQL injection?

3

Is there a way to prevent the input variables in a query in MySQL using filter_var?

    
asked by anonymous 23.06.2016 / 15:26

3 answers

3

No. filter_var is intended to validate and filter fields. Its primary purpose is not to avoid SQL Injection-specific attacks, but only to sanitize data.

Of course, for some cases, it may actually be useful for you to validate and filter data that will be used in your query.

For example:

 $id = filter_var($_GET['id'], FILTER_VALIDATE_INT);

 $id === false && die("O valor do ID não é válido");

 $sql = "SELECT * FROM usuarios WHERE id = {$id}"

I believe that prepared statments of the PDO can be a good solution to reduce the risk of you leaving your code vulnerable.

In my case, I prefer to use libraries that work with database data (such as Doctrine, Eloquent, Readben), since in their development there is a concern about not allowing this type of attack.

Another thing is also not trusting in the user's good intentions. If your code is poorly written it can also be a problem that will not be solved with data sanitization functions either.

I will not say much because I think we already have good content here on the site to "avoid this attack".

Links:

23.06.2016 / 15:56
4

No filter_var () is useful for doing some types of validations like

  • Is it empty?
  • Is it numeric?
  • Is it an IP? (among others)

To prevent sql injectction use the function mysqli_real_escape () if you are using the mysqli class

Or use prepared statements if you are using the PDO class

    
23.06.2016 / 15:39
-2

I use a super basic function that simply takes the '(apostrophe) and substitutes for two apostrophes (' '), and takes the (backslash) and substitutes for \. So there is no way to have an injection.

    
25.06.2016 / 21:04