
Is there an SQL injection that does not include blank spaces or special characters, i.e. one composed only of letters and digits?

We are disabling spaces and special characters in input fields, along with employing prepared and bound statements, in order to make the website more secure.

Even after all these measures, what is the chance of malicious activity from a hacker?

Note: we are using MD5 hashing for encryption.

joker
  • You don't need to change the inputs. Spaces and special characters cannot cause a problem if you use parameters. – Bill Karwin May 16 '22 at 16:33
  • *"We are disabling spaces and special characters in input fields"* - This is pointless, and unnecessarily limiting. *"we are using md5 hashing for encryption"* - Hashing and encryption are two very different things. MD5 is for hashing, not for encryption. And it **should not be used** for hashing passwords. PHP [provides functionality for password handling](https://www.php.net/manual/en/book.password.php). – David May 16 '22 at 16:33
  • As for SQL injection itself... Don't start by focusing on the tools you use, start by focusing on what SQL injection is. SQL injection occurs when the system executes user-modifiable values as code. So, at a high level, *don't execute user-modifiable values as code*. The *most common* way to prevent this is to treat values as query parameters bound to prepared statements. But, of course, this is not a magic wand that covers all possible cases. You need to apply the high-level concept to your cases, not just wave the magic wand. – David May 16 '22 at 16:36
  • @David what high level concept are you referring to? – joker May 16 '22 at 16:41
  • @joker: *"SQL injection occurs when the system executes user-modifiable values as code. So, at a high level, don't execute user-modifiable values as code."* – David May 16 '22 at 16:41
  • @David please suggest the method to carry out the same? – joker May 16 '22 at 16:43
  • @joker: Again, you're focusing on the magic wand. You're asking for a series of steps you can blindly repeat which will keep your software secure. This is [the wrong approach](https://en.wikipedia.org/wiki/Cargo_cult_programming). You can refer to the linked duplicate for some specific suggestions on how to effectively use database tools in PHP without exposing SQL injection vulnerabilities *for most cases*. But to be effective, you have to understand the concept, not just repeat the steps. So the method is... Examine where you execute database code and determine if the user can change it. – David May 16 '22 at 16:46
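As an added example that is not part of the question or the comments: the principle described above (bind values as parameters; where a user choice lands in a position that cannot be bound, such as a column name, constrain it to a fixed list instead), shown with Python's sqlite3 module standing in for PHP's prepared statements. The table, rows and allow-list are constructed for the example.

```python
import sqlite3

# Constructed in-memory table standing in for the site's users table.
SAMPLE_USERS = [(1, "alice", 30), (2, "bob", 25), (3, "carol", 35)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user(conn, name):
    # Value position: bind it. Whatever characters the string contains, the
    # database compares it as data and never parses it as SQL, so filtering
    # spaces or punctuation out of the input adds nothing here.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


# Identifier position: a "?" placeholder cannot stand for a column name, so
# binding does not apply. The user's choice is mapped through an allow-list
# and only a literal we wrote ourselves ever reaches the SQL text.
ALLOWED_SORT = {"name": "name", "age": "age"}


def safe_sort_column(sort_by):
    # Returns the vetted column name, or None if the request is not on the list.
    return ALLOWED_SORT.get(sort_by)


def list_users(conn, sort_by):
    column = safe_sort_column(sort_by)
    if column is None:
        raise ValueError("unsupported sort column")
    rows = conn.execute(f"SELECT name FROM users ORDER BY {column}").fetchall()
    return [row[0] for row in rows]
```

The review question from the comments ("where do we execute database code, and can the user change it?") is answered differently for the two functions: `find_user` passes user text as a parameter, while `list_users` lets the user pick only from names the code already contains.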

0 Answers