Now I realize... I sent the modified functions only to Shawn... here goes:

function _antiSqlInjection($Target){
    $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
    $arraSanitized = array();
    foreach($Target as $key => $value):
        if(is_array($value)):
            $arraSanitized[$key] = _antiSqlInjection($value);
        else:
            // strip the blacklisted words from the trimmed value, then escape quotes
            $arraSanitized[$key] = (!get_magic_quotes_gpc()) ? addslashes(str_ireplace($sanitizeRules, "", trim($value))) : str_ireplace($sanitizeRules, "", trim($value));
        endif;
    endforeach;
    return $arraSanitized;
}

Regards,
Igor Escobar
Systems Analyst & Interface Designer

--

Personal Blog
~ blog.igorescobar.com
Online Portfolio
~ www.igorescobar.com
Twitter
~ @igorescobar


On Wed, May 6, 2009 at 2:55 PM, Igor Escobar <titiolinkin@xxxxxxxxx> wrote:
> hun...by the way.... I forgot to mention, I am Brazilian and here in Brazil
> these words are not common ...
>
> That is a recursive function and I can't use array_map because in some cases
> we obtain arrays of arrays and that will generate an error.
>
>
> Regards,
> Igor Escobar
>
>
> On Wed, May 6, 2009 at 2:36 PM, Shawn McKenzie <nospam@xxxxxxxxxxxxx> wrote:
>
>> Igor Escobar wrote:
>> > Hunnn...
>> >
>> > So, what do you think now?
>> >
>> > function _antiSqlInjection($Target){
>> >     $sanitizeRules =
>> >         array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP
>> >         TABLE','SHOW TABLES','*','--','=');
>> >     $arraSanitized = array();
>> >     foreach($Target as $key => $value):
>> >         if(is_array($value)): $arraSanitized[$key] =
>> >             _antiSqlInjection($value);
>> >         else:
>> >             $arraSanitized[$key] = (!get_magic_quotes_gpc()) ?
>> >                 addslashes(str_ireplace($sanitizeRules, "", trim($value))) :
>> >                 str_ireplace($sanitizeRules, "", trim($value));
>> >         endif;
>> >     endforeach;
>> >     return $arraSanitized;
>> > }
>> >
>> Stay on list please. I don't like the ternary or the brace omissions
>> (alternate syntax) :-) however....
>>
>> My point was that in my opinion you don't need the replace at all.
>> Also, do you really want to strip all 'or', * and = from all fields?
>> These may be perfectly valid in your app. Or is a very, very common
>> word, so is from and come to think of it, where, select, insert and
>> delete.
>>
>> For any of the SQL injections to work in your query, there will need to
>> be quotes or the backtick ` in the user supplied content. The quotes
>> are escaped by mysql_real_escape_string().
>>
>> I don't see any way for a SQL injection without the user input
>> containing quotes or the backtick to break out of your query or
>> prematurely terminate an expression. Some examples here, however they
>> don't mention the backtick:
>> http://us2.php.net/manual/en/security.database.sql-injection.php
>>
>> This might be more useful:
>>
>> function _antiSqlInjection($Target)
>> {
>>     if(is_array($Target)) {
>>         $Value = array_map('_antiSqlInjection', $Target);
>>     } else {
>>         if(get_magic_quotes_gpc()) {
>>             $Target = stripslashes($Target);
>>         }
>>         // replace backtick with single quote or whatever
>>         $Target = str_replace("`", "'", $Target);
>>         $Value = mysql_real_escape_string($Target);
>>     }
>>     return $Value;
>> }
>>
>> Thanks!
>> -Shawn
>>
>>
>>
>
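An added Python illustration of the two approaches argued over in this thread (not code from either poster; sqlite3's parameter binding stands in for the quote escaping that mysql_real_escape_string() does in PHP, and the users table is a constructed sample): the keyword blacklist mangles ordinary values such as "Orlando" while leaving the quote character, the one that actually terminates a string literal, untouched, whereas binding the value as a parameter makes a quote-containing name safe without stripping anything.

```python
import re
import sqlite3

# The blacklist from the thread; str_ireplace deletes each entry case-insensitively.
SANITIZE_RULES = ['OR', 'FROM', 'SELECT', 'INSERT', 'DELETE', 'WHERE',
                  'DROP TABLE', 'SHOW TABLES', '*', '--', '=']


def blacklist_strip(value):
    """Recursive keyword stripping, mirroring the thread's _antiSqlInjection()."""
    if isinstance(value, dict):
        return {k: blacklist_strip(v) for k, v in value.items()}
    if isinstance(value, list):
        return [blacklist_strip(v) for v in value]
    out = value.strip()
    for rule in SANITIZE_RULES:
        out = re.sub(re.escape(rule), '', out, flags=re.IGNORECASE)
    return out


def lookup_concat(conn, name):
    """Query built by string concatenation: a quote in the value ends the literal."""
    return [r[0] for r in conn.execute(
        "SELECT id FROM users WHERE name = '%s'" % name)]


def lookup_bound(conn, name):
    """Parameter binding: the driver quotes the value, nothing is stripped."""
    return [r[0] for r in conn.execute(
        "SELECT id FROM users WHERE name = ?", (name,))]


def demo():
    # Constructed sample table (assumed schema, not from the thread).
    conn = sqlite3.connect(':memory:')
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("Orlando",), ("O'Brien",), ("Where's Waldo",)])
    results = {
        # Legitimate values lose letters: 'Orlando' -> 'lando', 'Where' disappears.
        'mangled': blacklist_strip({'city': 'Orlando', 'note': "Where's Waldo"}),
        # The quote passes the blacklist untouched, so it offers no protection here.
        'quote_kept': blacklist_strip("O'Brien"),
        'bound': lookup_bound(conn, "O'Brien"),
    }
    try:
        lookup_concat(conn, "O'Brien")
        results['concat_ok'] = True
    except sqlite3.OperationalError:
        results['concat_ok'] = False  # syntax error: the quote broke the literal
    return results
```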