[SOLVED] Function to prevent SQL Injection and converting åäö - review this one plea

[Bisa]

I've been working on a form and it is functional at the moment, now it's time to secure it from injections and at the same time I figured I'd convert å, ä and ö so that they would be correctly rendered by browsers all around.

 

My function looks like this and I would appreciate any pointers regarding security so far as well as perhaps be able to spot why the åäö converting prevents anything else of my script to be run when I load the page

 

//Function to prevents SQL Injection and convert åäö
function secureFormInput($formdata) {
$formdata = ereg_replace("[\'\")(;|`,<>]", "", $formdata);
$formdata = trim($formdata);
$formdata = stripslashes($formdata);

$replace = array("å", "ä", "ö", "Å", "Ä", "Ö";
$with = array("å", "ä", "ö", "Å", "Ä", "Ö");
$formdata = str_replace($replace, $with, $formdata);

return $formdata;
}

 

Edit, oops, I posted this in the wrong section (reported to mod)

[luca200]

First of all

the åäö converting prevents anything else of my script to be run when I load the page

I'm sorry but my English is too bad to understand what you mean with this

 

Anyway, I have many objections to your code, and the first is a simple question: why not using mysql_real_escape_string() (or similar functions for other db's)?

I do not agree about altering what the user posted, so I will not change quotes to backticks.

Neither will I change non-latin characters to html entities: what if tomorrow you decide to use those data for other than a web page?

Another thing you should avoid is using stripslashes() when you're not sure that magic_quotes_gpc is on.

 

Regards 

[Bisa]

First of all

the åäö converting prevents anything else of my script to be run when I load the page

I'm sorry but my English is too bad to understand what you mean with this

 

Anyway, I have many objections to your code, and the first is a simple question: why not using mysql_real_escape_string() (or similar functions for other db's)?

I do not agree about altering what the user posted, so I will not change quotes to backticks.

Neither will I change non-latin characters to html entities: what if tomorrow you decide to use those data for other than a web page?

Another thing you should avoid is using stripslashes() when you're not sure that magic_quotes_gpc is on.

 

Regards 

 

Thnx for the feedback =)

 

1. about mysql_real_escape_string(), I tried using that but since I'm not putting stuff into a db at the moment I left out the link_identifier and that stopped the rest of the script to be executed so I simply removed the mysql_real_escape_string() for now.

 

2. html entities - well, I am unable to have my browser show å, ä and ö so I figured if I converted them I would solve that problem but yea, you are right I am planning on sending the user input via email and then it's not optimal to show html entities but instead the real characters.

 

Anyone got some code examples of how could put this to good use?

[Bisa]

never mind, I solved the å ä and ö problem by changing the charset to iso-8859-1, I'll google the security stuff - thnx for ur time ppl