
Hi everyone.

I would like to know if it is possible to create a request with no spaces in MySQL.

I test the security of my own website, and I've put a str_replace(" ", "", $_POST['id']); in place. All SQL injection becomes:

id=-1 UNION SELECT pass...

after str_replace: -1UNIONSELECTpass

I would like a high level of security on my own website. Are there other ways to inject SQL queries with this protection?

PS: I've already put a mysql_real_escape_string() on the query.

+4  A: 

Preventing SQL injection is quite a broad topic (and there's plenty out there to read on it), but in the example that you've written a simpler prevention method would probably be to ensure that you're only accepting an integer. So something like:

$id = (int)$_POST['id'];

And then use $id in your query.

Karl B
+1  A: 

prepare with PDO

http://php.net/manual/en/pdo.prepare.php

Calling PDO::prepare() and PDOStatement::execute() for statements that will be issued multiple times with different parameter values optimizes the performance of your application by allowing the driver to negotiate client and/or server side caching of the query plan and meta information, and helps to prevent SQL injection attacks by eliminating the need to manually quote the parameters.

See also this question and its best answer:

http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php

Haim Evgi
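The two defences recommended above (integer-only input from Karl B's answer, a PDO prepared statement from Haim Evgi's answer) as one added example; this is not code from the question or either answer. It assumes a table `users(id, pass)` and PHP with pdo_sqlite, and uses filter_var() with FILTER_VALIDATE_INT in place of the plain (int) cast so that non-integer input is rejected rather than silently coerced; the in-memory database and the inputs are constructed here so it runs offline.

```php
<?php
// Added example: replace space stripping with input validation and a
// prepared statement. Assumes pdo_sqlite; the database below is constructed
// only so the example runs stand-alone.
declare(strict_types=1);

// Defence 1: accept only an integer. FILTER_VALIDATE_INT returns false for
// anything that is not a plain integer, so "-1 UNION SELECT ..." is rejected
// before any SQL is built. A (int) cast also neutralises the payload, but it
// silently turns "1abc" into 1; validate-and-reject is the stricter choice.
function validateId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Defence 2: a prepared statement. The value travels as a bound parameter and
// is never concatenated into the SQL text, so no quoting or space stripping
// is needed.
function findUser(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, pass FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, pass TEXT)');
$pdo->exec("INSERT INTO users (id, pass) VALUES (1, 'hashed-secret')");

// Constructed inputs: one legitimate, one shaped like the payload in the question.
foreach (['1', '-1 UNION SELECT pass'] as $input) {
    $id = validateId($input);
    if ($id === null) {
        echo "rejected: {$input}\n";   // never reaches the database
        continue;
    }
    $row = findUser($pdo, $id);
    echo "input {$input} -> " . ($row !== null ? "user {$row['id']}" : 'no such user') . "\n";
}
```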
A: 

Thanks for your answer!

Boris
A: 

@Boris, I recommend you follow @haim's advice and use PDO. It will provide several advantages, such as making your app more database-agnostic, and providing an escaping mechanism to prevent SQL injection for whatever database engine you've opted to work with.

I wrote an article on PHP webapp security some years ago that includes a section specifically on SQL injection problems. I'm sure there's better and more current material out there now, but it can't hurt to check it out to learn more about the different types of security concerns and how to prevent them: Real-world PHP Security. Good luck!

loginx