Why would you do all this? Just use addslashes() and let them send all the
crap they want. All it will do is cause your query to return zero results,
which you should be handling already. If you're ever including a variable
in an SQL query that's not enclosed in quotes, then make darn sure you've
validated it's an integer before you put it in there. (int)$value is the
easiest way, so long as a value of zero doesn't return anything from the
database (because a string will evaluate to (int)zero).

---John Holmes...

----- Original Message -----
From: "Anders Thoresson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 18, 2002 8:58 AM
Subject: [PHP] preventing sql injections


> Would this function do the trick?
>
> <?php
>
> // validate.php - functions that validate form input
>
> function validate_string($unsafe_string) {
>
> // create arrays of bad words and their replacements
>
> $badwords = array(";","--","select","drop","insert","xp_","delete");
> $goodwords = array(":","---","choose","leave","add"," ","remove");
>
> // check for occurrences of $badwords
>
> for($i=0; $i<count($badwords); $i++) {
> $unsafe_string = str_replace($badwords[$i],
> $goodwords[$i], $unsafe_string);
> }
>
> $unsafe_string = AddSlashes($unsafe_string);
> $unsafe_string = trim($unsafe_string);
> $safe_string = $unsafe_string;
> return $safe_string;
> }
>
>
> ?>
>
> Br,
>
>    Anders
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
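As an added example, not part of this thread and not code from either poster: the script below puts the quoted word-blacklist filter next to the integer check described in the reply, so the difference is visible on real input, and then goes one step beyond the thread by showing a bound-parameter query as the hardened form for values that are enclosed in quotes. Function names (blacklist_filter, validate_int) and the sample inputs are this example's own constructions; it assumes PHP 7.1 or later and the pdo_sqlite extension.

```php
<?php
// Added example (not from the original thread): contrasts the word-blacklist
// filter with a strict integer check, then shows a parameterised query.
// Function names are this example's own; the sample inputs are constructed.
declare(strict_types=1);

// The blacklist approach from the quoted message, using str_replace's
// array form so the two lists cannot go out of step.
function blacklist_filter(string $s): string
{
    $badwords  = [";", "--", "select", "drop", "insert", "xp_", "delete"];
    $goodwords = [":", "---", "choose", "leave", "add", " ", "remove"];
    return addslashes(trim(str_replace($badwords, $goodwords, $s)));
}

// The check described in the reply for a value that will not be enclosed
// in quotes: accept only a plain decimal integer. A pattern test rather than
// a bare (int) cast, so "12abc" or "" is rejected instead of silently
// becoming 12 or 0; a genuine "0" is still accepted as the integer 0.
function validate_int(string $value): ?int
{
    return preg_match('/^-?[0-9]+$/', $value) === 1 ? (int)$value : null;
}

// Constructed inputs: a legitimate word is mangled ("insertion" -> "addion"),
// a capitalised keyword is untouched because str_replace is case sensitive,
// numeric junk passes the filter unchanged, and an apostrophe is escaped.
$inputs = ["insertion point", "Selected works", "12abc", "0", "O'Brien"];
foreach ($inputs as $in) {
    $v = validate_int($in);
    printf("%-16s -> filtered: %-18s  as int: %s\n",
        $in, blacklist_filter($in), $v === null ? "rejected" : (string)$v);
}

// Hardened form for quoted string values: bind parameters instead of
// escaping. Assumes the pdo_sqlite extension; the table lives in memory.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$ins = $pdo->prepare("INSERT INTO users (id, name) VALUES (:id, :name)");
$ins->execute([':id' => 7, ':name' => "O'Brien"]); // the quote is data, not syntax

$sel = $pdo->prepare("SELECT name FROM users WHERE id = :id");
$id = validate_int("7");
if ($id !== null) {
    $sel->execute([':id' => $id]);
    var_dump($sel->fetchColumn());
}
```

Run it with the php CLI. The point of the first loop is that a replacement list changes what honest users typed and still depends on an exact, case-sensitive match; the integer check and the bound parameters decide validity by the shape of the value rather than by its vocabulary.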

