sql injections

[stevehossy]

I own a game site. THere is always one user who exploits a page and does an sql injection. This game was bought from a site, the codes are very vulnerable. So im starting to add some protection to the scripts. FOr text boxes, i did html special chars. So its not possible to send a query. Is this good? Also, ive added this:

 

$url =$_SERVER['REQUEST_URI'];
$code_entities_match = array('%','--','!','~','`','(',')','select','from','where','-','$','#','*');
$code_entities_replace = array('','','','','','','','','','','','','','');
$url1 = str_replace($code_entities_match, $code_entities_replace, $url);
if($url != $url1)
{
die("<b>Error</b>");
}

 

I know these two things wont protect me from all. BUt is it a good start? Also any other sql protection tips? THanks!

[sKunKbad]

if your using php5, there the PECL filter_input function

[sKunKbad]

oh yeah, and the mysql_real_escape_string function is pretty standard sql injection prevention

[Monkuar]

oh yeah, and the mysql_real_escape_string function is pretty standard sql injection prevention

 

Give me and example on how to use that>

[stevehossy]

yah i need an example too.

[sKunKbad]

//This is the mysqli version. See the manual for plain mysql.
function clean_for_query($data){
global $db;
$data = mysqli_real_escape_string($db , trim($data));
return $data;
}
$clean = clean_for_query($_POST['dirty']);

[Monkuar]

ty sir

[5kyy8lu3]

first thing I would do is ban that user's account and IP address lol

[RussellReal]

for str replace you don't need to match the number of TO-REPLACE strings with WITH-REPLACE

 

for example

 

echo str_replace(array("abc","def"),"","abcdefghi"); // ghi

[Pedro999]

first thing I would do is ban that user's account and IP address lol

Absolutely, and seriously.