Hi guys, I'm using this code for anti SQL injection:

```php
foreach ($_GET as $k => $value) {
    $_GET[$k] = ereg_replace("[^A-Za-z0-9\,\ \?\_\@\.\]", "", $value);
}
foreach ($_POST as $v => $value) {
    $_POST[$v] = ereg_replace("[^A-Za-z0-9\,\ \?\_\@\.\]", "", $value);
}
foreach ($_COOKIE as $Y => $value) {
    $_COOKIE[$Y] = ereg_replace("[^A-Za-z0-9\,\ \?\_\@\.\]", "", $value);
}
```

and now I'm having some issues adding data to my database, because it removes all the slashes, and what I'm trying to add to the database is a URL. So I have a form in POST method with a text input where I want to copy a URL, for example ($_POST['url'] being http://google.com/):

```php
$somevar = $_POST['url'];
```

The anti-SQL code is making the URL look like this:

```
httpgoogle.com
```

How can I fix this?
This could be good for you to use instead? Or maybe change the / to the HTML code for it, "/", then change it back when you're ready to display it?

```php
function makesafe($varvalue) {
    if (empty($varvalue)) {
        $varvalue = null;
    } else {
        $varvalue = htmlentities($varvalue, ENT_QUOTES);
        $varvalue = strip_tags($varvalue);
        $varvalue = stripslashes($varvalue);
        // str_remove() is not a PHP function; str_ireplace() removes the listed
        // keywords (case-insensitively) and carriage returns ("\r" must be double-quoted)
        $varvalue = str_ireplace(array('SELECT', 'UNION', 'UPDATE', 'DELETE', 'WHERE', "\r"), '', $varvalue);
        $varvalue = trim($varvalue);
    }
    return $varvalue;
}

function clean($str) {
    $str = strip_tags($str);
    $str = ereg_replace('[^a-zA-Z ]', ' ', $str);
    $str = eregi_replace(' +', ' ', $str);
    $str = trim($str);
    $str = strtolower($str);
    return $str;
}

function clean2($str) {
    $str = strip_tags($str);
    $str = preg_replace('/([^a-z ]+)/i', ' ', $str);
    $str = preg_replace('/([ ]+)/', ' ', $str);
    $str = strtolower($str);
    return $str;
}
```
Just forget the script you posted; regular expressions are not the right way to prevent SQL injections. Why would you remove characters when you can escape them? And you shouldn't use eregs anyway, as these are deprecated in PHP 5. Use mysql_real_escape_string or prepared statements. Look around here: http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php and here: http://stackoverflow.com/search?q=sql+injection
Indeed, use mysql_real_escape_string, and use your regexes for validating input. So if you want to validate a link, use php.net/filter_var with FILTER_VALIDATE_URL.
Do not use regular expressions. This is not good practice. Use the mysql_real_escape_string or mysqli->escape_string functions.
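Putting the advice in these replies together (validate the URL with filter_var, then send it to the database through a prepared statement instead of stripping characters), here is an added example; it is not code from any poster in this thread. The table name `links`, its `url` column and the PDO connection details are assumptions.

```php
<?php
// Added example: validate the submitted URL, then store it with a prepared
// statement so nothing (slashes included) has to be stripped from it.
// Table/column names and connection details are assumptions, not from the thread.

function validate_url(string $raw): ?string {
    // FILTER_VALIDATE_URL only checks URL syntax and accepts any scheme
    // (mailto:, ftp:, ...), so additionally restrict the scheme to http(s).
    $url = filter_var(trim($raw), FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

function store_url(PDO $db, string $url): void {
    // The value travels separately from the SQL text, so quotes, slashes,
    // semicolons or keywords inside it cannot alter the statement.
    $stmt = $db->prepare('INSERT INTO links (url) VALUES (:url)');
    $stmt->execute([':url' => $url]);
}

$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$url = validate_url($_POST['url'] ?? '');
if ($url === null) {
    http_response_code(400);
    echo 'Please enter a valid http(s) URL.';
    exit;
}
store_url($db, $url);

// Escaping belongs to the output context: HTML here, not the SQL above.
echo 'Saved ' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
```

With this approach the original http://google.com/ is stored exactly as typed, because the query text and the data are never concatenated.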
So by using mysql_real_escape_string in my SQL queries I'm totally preventing SQL injections? Thank you.