I know most of the answers will say use PDO/Mysqli but I'm trying to see if I can do it this way then move on to PDO/Mysqli still learning:
Will this function be enough to prevent mysql injection?
function anti_inject($sql)
{
$sql = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"), "", $sql);
$sql = preg_replace("/[^a-zA-Z0-9]+/", " ", $sql);
$sql = mysql_real_escape_string($sql);
$sql = trim($sql);
$sql = strip_tags($sql);
$sql = addslashes($sql);
$sql = strtolower($sql);
return $sql;
}
Looking for a better replacement for this line $sql = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|*|--|\\)/"), "", $sql);
As I do want to check for names that have "from" "select" "insert" gaming tags etc
I've disabled drop table from the mysql user
解决方案
Strictly speaking, in terms of SQL injection protection this function is awfully useless and unusable at the same time. While it may serve you in some particular case of yours, it cannot be used as a general purpose solution. Yet even for such a case it is awfully redundant.
So, why not to use a solution already proved to be error-proof for all the (covered) cases - PDO prepared statements?
153
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
