code511788465541441 code511788465541441 - 1 month ago 6x
PHP Question

Would stripping out the semicolon character prevent SQL injection?

Since statements require a semicolon (

) would removing it from a string prevent SQL injection?


No, take this as an example

SELECT * FROM users WHERE password = '$pw'

If $pw is ' or ''=', the statement becomes the following:

SELECT * FROM users WHERE password = '' or ''=''

Hence you select the first user in the DB, and you've gained access.

Equally in PHP, the mysql_ family of functions only allow you to issue a single request, even if you have multiple separated by a semicolon. In any case, most SQL injection attacks don't use the semicolon anyway.