I am using this function to prevent SQL injections:
function filter($input)
{
    if (strpos(str_replace("''", "", "$input"), "'") != false) {
        return str_replace("'", "''", $input);
    }
    return $input;
}
Is it safe to use it? Can someone somehow bypass it? If it is possible to bypass it, please give me a hint on how to secure this function, or an example of how you would bypass it.
UPDATE: it is used on SQL Server
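The following is an added example, not code from the question or from any answer on this page. It copies the poster's filter() verbatim and feeds a few constructed inputs through a hypothetical query builder (buildQuery is an assumption) to show where the function breaks: strpos() returns 0 for a quote at offset 0, and in PHP's loose comparison 0 != false is false, so the quote is never doubled.

```php
<?php
// The poster's function, copied as posted.
function filter($input)
{
    if (strpos(str_replace("''", "", "$input"), "'") != false) {
        return str_replace("'", "''", $input);
    }
    return $input;
}

// Hypothetical query builder (assumption): the usual pattern this kind of
// escaping function is dropped into, with the value inside single quotes.
function buildQuery($name)
{
    return "SELECT * FROM users WHERE name = '" . filter($name) . "'";
}

// Constructed test inputs.
$cases = [
    // quote in the middle: strpos() returns 1, truthy, quote is doubled: safe
    "O'Brien",
    // quote at offset 0: strpos() returns 0, and 0 != false is false in PHP,
    // so nothing is escaped and the literal is closed early
    "' OR 1=1 --",
    // the pre-pass strips one '' pair, leaving a lone quote at offset 0 again;
    // the original three quotes then reach the query untouched
    "''' OR 1=1 --",
];

foreach ($cases as $c) {
    printf("%-16s -> %s\n", $c, buildQuery($c));
}
// O'Brien          -> SELECT * FROM users WHERE name = 'O''Brien'
// ' OR 1=1 --      -> SELECT * FROM users WHERE name = '' OR 1=1 --'
// ''' OR 1=1 --    -> SELECT * FROM users WHERE name = '''' OR 1=1 --'
```

The second and third queries are injections: in the second the literal is empty and the rest is live SQL, in the third the four quotes form a one-character literal and again the rest is live SQL. Checking for a quote before escaping buys nothing; doubling every quote unconditionally, as the first answer does, removes this whole class of mistakes, and parameterised queries remove the need to quote at all.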
At the very least it has to be
function SQLstrFormat($str)
{
    return "'" . str_replace("'", "''", $str) . "'";
}
This way it would be safe, when applicable.
Please don't invent your own security solutions if you're not an expert on the problem domain. Have a look here http://php.net/manual/en/security.database.sql-injection.php to learn more about SQL injection.
Also use proper prevention with http://www.php.net/manual/en/book.pdo.php and http://www.php.net/manual/en/pdo.prepare.php
You don't need to invent your own if the tools are already there.
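The following is an added example, not code from any answer on this page, showing the same lookup done the way the answer above recommends: a PDO prepared statement with a bound parameter, so the value never becomes part of the SQL text and no quoting function is needed. It uses an in-memory SQLite database (an assumption, so the script runs offline); for the poster's SQL Server setup the DSN in the comment is the pdo_sqlsrv form to swap in.

```php
<?php
// Returns a connection with constructed sample data: two users, one of whom
// has a quote in the name, so a correct implementation must still match it.
function connect(): PDO
{
    // For SQL Server: new PDO("sqlsrv:Server=dbhost;Database=app", $user, $pass)
    $pdo = new PDO("sqlite::memory:");
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
    $pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");
    return $pdo;
}

// Looks up a user by exact name. The SQL text is fixed; $name is sent as a
// separate typed parameter and can never close the literal or add clauses.
function findUser(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT id, name FROM users WHERE name = :name");
    $stmt->bindValue(":name", $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = connect();
// Constructed inputs: the legitimate name and the two strings that got past
// the filter() function in the question.
foreach (["O'Brien", "' OR 1=1 --", "''' OR 1=1 --"] as $input) {
    $rows = findUser($pdo, $input);
    printf("%-16s -> %d row(s)\n", $input, count($rows));
}
// O'Brien          -> 1 row(s)
// ' OR 1=1 --      -> 0 row(s)
// ''' OR 1=1 --    -> 0 row(s)
```

The attack strings are simply compared, as data, against the name column and match nothing, while the name containing a quote is still found. The same code works unchanged against SQL Server once the DSN is swapped, because the driver, not string concatenation, carries the value to the server.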
function mysql_pre($value) {
    // get_magic_quotes_gpc() no longer exists in PHP 8; guard the call so the function still loads there
    $magic_quotes_active = function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc();
    // function_exists() takes a bare function name; passing "name(args)" always returned false
    $new_enough_php = function_exists("mysql_real_escape_string"); // i.e. PHP >= v4.3.0
    if ($new_enough_php) { // PHP v4.3.0 or higher
        // undo any magic quote effect so mysql_real_escape_string can do the work
        if ($magic_quotes_active) { $value = stripslashes($value); }
        // requires an open mysql_connect() link, since escaping depends on the connection charset
        $value = mysql_real_escape_string($value);
    } else { // before PHP v4.3.0
        if (!$magic_quotes_active) {
            $value = addslashes($value);
        }
    }
    return $value;
}