code511788465541441 code511788465541441 - 1 year ago 108
PHP Question

Would stripping out the semicolon character prevent SQL injection?

Since statements require a semicolon (

) would removing it from a string prevent SQL injection?

Answer Source

No, take this as an example

SELECT * FROM users WHERE password = '$pw'

If $pw is ' or ''=', the statement becomes the following:

SELECT * FROM users WHERE password = '' or ''=''

Hence you select the first user in the DB, and you've gained access.

Equally in PHP, the mysql_ family of functions only allow you to issue a single request, even if you have multiple separated by a semicolon. In any case, most SQL injection attacks don't use the semicolon anyway.

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download