Unorthodox SQLi Prevention

Recently I came across an unusual method of preventing SQL injection during a source code review. It is unusual in a sense whereby the function corrupts the input intentionally in an attempt to prevent SQL injection.

The following is a modified version of the function but the idea is similar:

function formatString($query){
    $key = "z9"; $output = "";
    $arr = str_split($query, 2);
    foreach($arr as $value){
        $output = $output . $value . $key;
    return $output;

The code snippet above splits the string using _strsplit() into an array of groups of 2 characters (I shall refer to this as group length for the remaining post). For example, if the input is “hello”, it will be split into [“he”,”ll”, “o”].

Subsequently, the code will append the $key value to the back of each element and return the output. So if the input was “hello”, the output, in this case, would be “hez9llz9oz9”.

And to revert the string to its original state, we can simply use the following function:

function unformatString($query){
  $key = "z9"; $output = "";
  $outarray = explode($key,$query);
  foreach($outarray as $value){
    $output = $output . $value;
  return $output