MakeWebGames

Posted

Found this on my travels and was wondering if it would stop some SQL injections during login?

```php
<?php
function anti_injection($user, $pass) {
    // We'll first get rid of any special characters using a simple regex statement.
    // After that, we'll get rid of any SQL command words using a string replacement.
    $banlist = array(
        "insert", "select", "update", "delete", "distinct", "having", "truncate", "replace",
        "handler", "like", " as ", "or ", "procedure", "limit", "order by", "group by", "asc", "desc"
    );

    // ---------------------------------------------
    // eregi() was removed in PHP 7; preg_match() with the /i flag gives the same test.
    // Note that the pattern only requires at least one alphanumeric character somewhere
    // in the value; it does not reject other characters.
    if (preg_match("/[a-zA-Z0-9]+/i", $user)) {
        $user = trim(str_replace($banlist, '', strtolower($user)));
    } else {
        $user = null;
    }

    // ---------------------------------------------
    // Now to make sure the given password is an alphanumerical string
    // devoid of any special characters. strtolower() is being used
    // because unfortunately, str_ireplace() only works with PHP5.
    if (preg_match("/[a-zA-Z0-9]+/i", $pass)) {
        $pass = trim(str_replace($banlist, '', strtolower($pass)));
    } else {
        $pass = null;
    }

    // ---------------------------------------------
    // Now to make an array so we can dump these variables into the SQL query.
    // If either user or pass is NULL (because of inclusion of illegal characters),
    // the whole script will stop dead in its tracks.
    $array = array('user' => $user, 'pass' => $pass);

    // ---------------------------------------------
    if (in_array(null, $array)) {
        die('Invalid use of login and/or password. Please use a normal method.');
    } else {
        return $array;
    }
}
```

Posted
some? yes. all of them? nop. :)

So if you added more to the array, would it work? Actually, if anyone has anything to add to make it so it does stop all attacks, please do so. It would benefit everyone.
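As an added illustration (not code from the thread), here is a Python port of the posted banlist filter next to the approach that actually removes the injection risk: a parameterised query, with the password checked against a salted hash so it never becomes part of SQL text at all. The database, user records and table layout are constructed for the demo; the filter port keeps the original's banlist and single-alphanumeric check unchanged so its effect on ordinary input can be seen.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Same banlist as the PHP function in the thread, applied the same way.
BANLIST = ["insert", "select", "update", "delete", "distinct", "having",
           "truncate", "replace", "handler", "like", " as ", "or ", "procedure",
           "limit", "order by", "group by", "asc", "desc"]

def anti_injection(user, password):
    """Port of the thread's filter. Returns (user, password) or None."""
    cleaned = []
    for value in (user, password):
        # As in the original: only requires ONE alphanumeric character somewhere.
        if not re.search(r"[a-zA-Z0-9]+", value):
            return None
        value = value.lower()
        for word in BANLIST:           # blind substring removal, legit words included
            value = value.replace(word, "")
        cleaned.append(value.strip())
    return tuple(cleaned)

# Hardened login (constructed demo schema): the driver sends values as data,
# so no keyword stripping is needed and any character is acceptable in a name.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    return conn

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(conn, name, password):
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, _digest(password, salt)))

def login(conn, name, password):
    """True if the name exists and the password matches its stored hash."""
    row = conn.execute("SELECT salt, hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison; the password itself never enters the query.
    return hmac.compare_digest(_digest(password, row[0]), row[1])
```

Running the filter on a name like "Descartes" shows the cost of the banlist approach: the substring "desc" is stripped and the user can no longer log in as themselves, while the parameterised version accepts that name, or one containing a quote, without any filtering.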
