2020-09-27

PHP: Delete SQL commands instead of using PDO to prevent SQL Injections?

I tried to modify my manually built queries in PHP to prevent SQL injections with PDO or MySQLi. It's not easy: the SQL query building uses a few while loops, and my programming skills are basic.

Example

$sql="SELECT * FROM myTable WHERE (columnA LIKE '%" . $_POST["searchString"]  . "%') OR (columnB LIKE '%" . $_POST["searchString"]  . "%')";

So I was wondering if it would be OK to just delete some SQL commands from $_POST["searchString"] before inserting it into the query, for example:

CREATE DATABASE, ALTER DATABASE, DROP DATABASE, RENAME TABLE, CREATE USER, SET PASSWORD, INSERT INTO, UPDATE, DELETE FROM, SELECT, SELECT DISTINCT, ORDER BY, GROUP BY, UNION, UNION ALL, UNION SELECT, INNER JOIN, LEFT JOIN, RIGHT JOIN, CROSS JOIN.

Would that be a safe way to prevent SQL Injections?

Thanks, Andy
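For comparison, the same search query written with a PDO prepared statement, as an added example that is not part of the original question. It assumes a hypothetical PDO connection (DSN and credentials are placeholders) and the table myTable with columnA and columnB from the post. The user's text is bound as a parameter rather than spliced into the SQL, so any keywords it contains are plain data to the database, and the LIKE wildcards % and _ are escaped so they match literally.

```php
<?php
// Added example (not from the original question): the search from the post
// rewritten with a PDO prepared statement. $pdo, the DSN and credentials are
// assumed placeholders; myTable/columnA/columnB come from the question.

declare(strict_types=1);

/**
 * Escape LIKE wildcards so that user input is matched literally.
 * '!' is declared as the escape character in the SQL below.
 */
function escapeLike(string $value): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value);
}

function searchTable(PDO $pdo, string $searchString): array
{
    // The statement text contains only placeholders; the user's input never
    // becomes part of the SQL, so no keyword filtering is needed.
    // Two placeholder names are used because native MySQL prepared statements
    // do not allow the same named parameter to appear twice.
    $sql = 'SELECT * FROM myTable
            WHERE (columnA LIKE :termA ESCAPE \'!\')
               OR (columnB LIKE :termB ESCAPE \'!\')';

    $stmt = $pdo->prepare($sql);
    $pattern = '%' . escapeLike($searchString) . '%';
    $stmt->bindValue(':termA', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':termB', $pattern, PDO::PARAM_STR);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection with placeholder DSN and credentials (assumed, replace with your own).
$pdo = new PDO(
    'mysql:host=localhost;dbname=mydb;charset=utf8mb4',
    'dbuser',
    'dbpassword',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

$results = searchTable($pdo, $_POST['searchString'] ?? '');
```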



from Recent Questions - Stack Overflow https://ift.tt/2S1L3yX