<?php
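function anti_injection($user, $pass)
{
    /*
     * Legacy login-input "sanitiser".
     *
     * What it does (kept identical for callers and for any credentials that
     * were stored after passing through this function):
     *   - a value is accepted only if it contains at least one ASCII letter or
     *     digit; otherwise it becomes NULL. This is NOT a whole-string whitelist:
     *     every other character in the value is left in place;
     *   - the accepted value is lower-cased, every substring in $banlist is
     *     removed in a single str_replace() pass, and the result is trimmed;
     *   - if either result is NULL or an empty string, the request is halted
     *     with die().
     *
     * Caveats a caller has to know:
     *   - Keyword blacklisting does not make a string safe to interpolate into
     *     SQL. The query must still use prepared statements / bound parameters;
     *     treat the returned values as untrusted input.
     *   - The password is altered before it is returned: case is lost and
     *     banned substrings disappear from legitimate values ("Sascha" -> "sha",
     *     "Password" and "password" become identical). Any comparison against
     *     stored data must have been done with the same transformation.
     *   - die() ends the whole script; the message is emitted verbatim.
     *
     * @param mixed $user login name as received; scalars are cast to string
     * @param mixed $pass password as received; scalars are cast to string
     * @return array array('user' => string, 'pass' => string). Does not return
     *               when either value is rejected (die()).
     */
    $banlist = array(
        "insert",
        "select",
        "update",
        "delete",
        "distinct",
        "having",
        "truncate",
        "replace",
        "handler",
        "like",
        " as ",
        "or ",
        "procedure",
        "limit",
        "order by",
        "group by",
        "asc",
        "desc",
    );

    // Both inputs get exactly the same treatment, so process them in one loop
    // instead of two copies of the branch.
    $fields = array('user' => $user, 'pass' => $pass);
    foreach ($fields as $key => $value) {
        // eregi() was removed in PHP 7; preg_match() with the same character
        // class is equivalent here (true iff at least one alphanumeric char).
        // Non-scalar values (arrays, objects) cannot be meaningfully matched
        // and are rejected outright.
        if (is_scalar($value) && preg_match('/[a-zA-Z0-9]/', (string) $value)) {
            // strtolower() rather than str_ireplace() is historical (PHP 4
            // compatibility) and must stay so that stored values keep matching.
            $fields[$key] = trim(str_replace($banlist, '', strtolower((string) $value)));
        } else {
            $fields[$key] = null;
        }
    }

    // The original loose in_array(NULL, ...) test matched both NULL and '' (a
    // value that consisted only of banned words). Spell that out explicitly so
    // the check cannot be silently widened by PHP's loose comparison rules.
    foreach ($fields as $value) {
        if ($value === null || $value === '') {
            die('Invalid use of login and/or password. Please use a normal method.');
        }
    }

    return $fields;
}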
?>