php, preventing mysql injection by using gzcompress?
Would it be possible to prevent mysql injection using the gzcompress (and aft开发者_运维问答er retrieving it from the database, the gzuncompress) function? Or is there a reason why this would not work? Or is there a reason that this would not be a good idea at all?
This is a bad idea because
Theoretically, there might be a sequence of data that, when compressed, leads to a SQL injection or simply breaks the query
gzcompressed data can't be properly indexed and searched - you'll have a database full of garbled characters
gzcompression is computationally expensive
simply always sanitize your data before entering it into a database, using the string escaping method of your library (like mysql(i)_real_escape_string()
) or parametrized queries.
If you do that reliably, no further protection is necessary.
to protect against SQL Injection attacks, use PDO's parameterized queries.
SQL injection can be prevented 1 of 2 ways. You can use parameterized queries or you can properly sanitize values when building your SQL statements.
Now, what you are suggesting will probably prevent malicious injections into the database, but that does not eliminate the possibility that will introduce SQL syntax errors (effectively SQL injection) into your SQL statements.
Also, by using compression functions, it will eliminate the possibility of viewing or searching the contents of the database without going through decompression.
This is a novel approach to avoiding SQL injection, but will cause you more problems than it actually solves. You really need to stick with the tried and true solutions.
- OWASP - SQL Injection
- Steve Friedl's Unixwiz.net Tech Tips - SQL Injection Attacks by Example
- MSDN - SQL Injection
精彩评论