```php
<?php
$f = $_GET['f'];
$array = explode(" ", $f);
$count = count($array);
$i = 0;
do {
    if ($array[$i] == "select" || $array[$i] == "insert" || $array[$i] == "delete") {
        echo "<b>SQL</b>";
        exit;
    }
    $i++; // missing in the posted version: without it the loop never advances
} while ($i < $count); // was <=, which reads one element past the end of the array
?>
```

Will this work as basic SQL-injection security?
It would help, yes, but you're approaching it from the wrong direction. For security issues, you shouldn't work out what you DON'T want to allow. Instead you work out what you DO want to allow and only allow processing on those values. Hence, it really comes down to what the '$f' is representing. For example, if you're expecting an integer, parse it so that it is. For strings it's a little hard, but so long as you escape the string so that they can't sneak a bad single quote to finish off your SQL string early, you will be fine. You can also look at parameterised queries that are available in later versions of MySQL (and most, if not all, other SQL implementations). With parameterised queries you basically say "this is the query I'm about to perform, with variables here, here and here". Now MySQL knows what types of values should be 'there, there and there' and so will be able to account for SQL injection attempts.
EDIT: TwistMyArm beat me to it. This could be done with one line of Regex.

```php
if (preg_match('/\s+(select|insert|delete|drop)\s+/i', $_GET['f'])) {
    exit('Injection attempt.');
}
```

Depending on what kind of data you want to enter or select, this could cause problems when the user wants to use one of these words in a normal text. However, using mysql_real_escape_string() and intval() is usually safe enough.
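A worked version of the allow-list advice in the two answers above (parse integers, bind free text as a query parameter so no keyword filter is needed), added here as an illustration rather than code from either poster; it assumes a MySQL table `posts(id, title)` and placeholder connection details:

```php
<?php
// Added example, not from the thread. Assumes a MySQL table `posts(id INT, title TEXT)`;
// the DSN and credentials below are placeholders.
declare(strict_types=1);

// Whole-number input: validate by parsing, reject anything that is not a plain integer.
function parsePostId(string $raw): int
{
    if (!preg_match('/^\d{1,9}$/', $raw)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return (int) $raw;
}

// Free-text input: no keyword filtering at all. The value never becomes part of the
// SQL text; it is bound as a parameter, so "select" or a stray quote is just data.
function findPosts(PDO $db, string $search, int $limit = 20): array
{
    $stmt = $db->prepare(
        'SELECT id, title FROM posts WHERE title LIKE :pattern ORDER BY id LIMIT :limit'
    );
    // Escape LIKE wildcards (MySQL's default escape character is the backslash)
    // so the user's text matches literally.
    $pattern = '%' . addcslashes($search, '%_\\') . '%';
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('mysql:host=localhost;dbname=app', 'user', 'password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// "please select a seat" would be rejected by the keyword check in the question,
// yet it is an ordinary search term; here it is passed through safely as data.
print_r(findPosts($db, $_GET['q'] ?? 'please select a seat'));
echo parsePostId($_GET['id'] ?? '42'), "\n";
```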
Hehe... mate, we posted within (a maximum) of 60 seconds of each other and according to the post IDs, there was only one other post on the entire forum between ours! I wouldn't call that beating you, I'd call that a photo finish