Edit if you plan on answering this question please at least read it. Don’t simply read the title, then Google ‘sql injection php’, and paste the results as an answer

First, I’m well aware that there are lots of resources available on how best to prevent SQL injection, but my question is specifically about if very little effort can be enough.

An organization I contract for was recently told that partners’ (PHP) websites developed by their previous contractor have been found to have major security issues (my personal favourite is by using the string ‘Emergency’ in a URL you can gain unauthenticated access to any page in the site…)

I have been asked to review the security of a PHP site and highlight any major issues. I know from previous experience with this site that the standard of coding is truly awful (e.g. huge swathes of code duplicated across pages with around 5% variation, hundreds of unused variables, $var = “yes” in place of booleans, SQL statements written into every single script, unsecure by default (some pages forget to authenticate users), etc). Reviewing the site is a painful reminder that there are some real morons in the world that call themselves developers.

Because of these code quality issues I want to only highlight the serious and semi-serious security problems. If I note every problem with the site my review will take weeks.

I am not an expert on SQL injection, but it’s my understanding that you must be able to close an existing query’s quoted string before injecting any other kind of statement. So is the following line of code sufficient?

"'".str_replace("'","''",$_POST['var_name'])."'"

I’m not interested in suggestions about improving or changing the code, just whether it’s possible in this scenario for SQL injection via $_POST[‘var_name’]. If you’re not familiar with PHP str_replace does replace all instances of the first argument with the second, not just the first instance.

Any input much appreciated.