Anti-SQL Injection
-15
ammonkc
Anti-SQL Injection. I'm sure it could be better, so any improvements are welcome.
<?php
function anti_injection( $user, $pass ) {
    # We'll first make sure the value is purely alphanumeric using a simple regex statement.
    # After that, we'll get rid of any SQL command words using a string replacement.
    $banlist = array (
        "insert", "select", "update", "delete", "distinct", "having", "truncate", "replace",
        "handler", "like", " as ", "or ", "procedure", "limit", "order by", "group by", "asc", "desc"
    );
    // ---------------------------------------------
    # eregi() was removed in PHP 7, so preg_match() is used. The pattern is anchored
    # (^...$) so the whole string must be alphanumeric; an unanchored [a-zA-Z0-9]+
    # would accept any value that merely contains one letter or digit.
    if ( preg_match ( '/^[a-zA-Z0-9]+$/', $user ) ) {
        $user = trim ( str_replace ( $banlist, '', strtolower ( $user ) ) );
    } else {
        $user = NULL;
    }
    // ---------------------------------------------
    # Now to make sure the given password is an alphanumerical string
    # devoid of any special characters. strtolower() is being used
    # because unfortunately, str_ireplace() only works with PHP5.
    if ( preg_match ( '/^[a-zA-Z0-9]+$/', $pass ) ) {
        $pass = trim ( str_replace ( $banlist, '', strtolower ( $pass ) ) );
    } else {
        $pass = NULL;
    }
    // ---------------------------------------------
    # Now to make an array so we can dump these variables into the SQL query.
    # If either user or pass is NULL (because of inclusion of illegal characters),
    # the whole script will stop dead in its tracks.
    $array = array ( 'user' => $user, 'pass' => $pass );
    // ---------------------------------------------
    # Loose comparison is intentional: a value that the keyword stripping emptied
    # out entirely ('' == NULL) is rejected here as well.
    if ( in_array ( NULL, $array ) ) {
        die ( 'Invalid use of login and/or password. Please use a normal method.' );
    } else {
        return $array;
    }
}
?>

$_user = addslashes($user);
$_pass = addslashes($pass);
$sql = "...(whatever)... WHERE user = '$_user' AND pass = '$_pass' ";
For example...
$dbh->do("INSERT INTO users (first_name,last_name,username,password) VALUES (?,?,?,?)",{},$first_name,$last_name,$username,$password)