I’m using the ezSQL PHP class for MySQL queries. Since all of my queries pass through the $ezsql->query() function, I thought it would be a good idea to implement a method to block common SQL injection techniques from $ezsql->query().
For example, the most common one is probably 1=1. So this regular expression should be able to block all variations of that:
preg_match('/(?:"|\')?(\d)(?:"|\')?=(?:"|\')?\1(?:"|\')?/',$query);
This would block "1"="1", '1'=1, 1=1, etc.
Is this a good idea? If so, what are some other common patterns?
Edit: Forgot to mention, I do use validation and sanitation. This is just an extra precaution.
No. For two reasons:
Instead use an existing blacklist, don’t re-invent the wheel. If you want to learn how to develop your own SQL blacklist layer, help with the development of such existing components. This sort of security is not out-of-the-box so that you can just throw in a question like yours and you can actually expect concrete answers. Take care.
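As an added illustration (not code from the question, the answer, or ezSQL), the script below runs the posted regex over two constructed, legitimate queries and then shows the parameterized alternative that makes a blacklist unnecessary; it assumes PHP's PDO with the pdo_sqlite driver so that it runs offline, and the same PDO calls apply to MySQL.

```php
<?php
// Added example (not from the question, the answer, or ezSQL itself).
// Part 1: the regex from the question, run over constructed legitimate queries.
// Part 2: a parameterized query (PDO, assumed available) that needs no blacklist.

// The pattern exactly as posted in the question.
const TAUTOLOGY_RE = '/(?:"|\')?(\d)(?:"|\')?=(?:"|\')?\1(?:"|\')?/';

function isBlockedByBlacklist(string $query): bool
{
    return preg_match(TAUTOLOGY_RE, $query) === 1;
}

// Constructed sample queries. Both are legitimate, and both are blocked,
// because the pattern cannot tell SQL structure from string content.
$legitimateQueries = [
    // Query builders commonly emit a constant-true base condition.
    'SELECT id FROM users WHERE 1=1 AND active = 1',
    // User-supplied text stored as data that merely contains "2=2".
    "INSERT INTO comments (body) VALUES ('Note: 2=2, see section 3')",
];
foreach ($legitimateQueries as $sql) {
    printf("%s -> %s\n", $sql, isBlockedByBlacklist($sql) ? 'BLOCKED' : 'allowed');
}

// Parameterized statement: the driver sends $name separately from the SQL
// text, so its content is treated as data and is never parsed as SQL.
function findUsersByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory SQLite keeps the example self-contained (assumes pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('1=1')");

// A value the blacklist would reject is handled safely as plain data:
// the lookup matches only the row whose name is literally "1=1".
var_dump(findUsersByName($pdo, '1=1'));
var_dump(findUsersByName($pdo, 'alice'));
```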