Opposite of str_replace?

[stickynote427]

I was reading about SQL injections at school today and thought it would be smart to apply some sort of character stripping on my pages that use user input with SQL queries, along with the smart quotes and mysql_real_escape_string() that I think I already have.

 

Basically, I want to strip everything except allowed characters (that I specify) from a string before using it. Like, a function that does the opposite of str_replace(). Is there something like this?

 

I had written a piece of code that seemed to do this fairly well, but now I can't seem to be getting it to work.

 

<?php

$string="yo"; // string to remove from
$allowed = array("a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"); // allowed characters
$removeString = str_ireplace($allowed,"|",$string); // replaces all good characters with |, leaving only bad characters
$remove = explode("|",$new); // put all bad characters that are in the string in to an array
if (str_ireplace($remove,"",$string) != $string) // if the bad characters removed from the string is not equal to the original string
{
  echo "There was an error.";
}
else // if no bad characters were stripped
{
  echo "Success.";
}

?>

 

But I get "Success." every time, regardless if the string has non-alpha characters.

 

Thanks.

[teamatomic]

You have confused $removeString and $new, change new to $removeString. Then rethink what you are doing as its kinda logic dead. Just return the altered string.

 

errors:

you use a pipe to replace the removed strings then explode into an array on the pipe. That may give you an array that has blocks of characters

array=ab,def,s,t,u,wxyz - as an example

you should use str_replace to remove the pipe then preg_split('//', $str, -1); to make the character array.

[stickynote427]

Thanks.

 

What do you mean it's logic dead?

 

Can you give an example of a string entered in which an array like ("ab","def","s","t","u","wxyz") would be returned? I don't really understand. :-/

 

I used preg_split() instead of explode and I seem to get the same results. (EDIT: Never mind, I'm getting some errors returning the stripped string.)

[roopurt18]

Why not just do this:

<?php
$stripped = preg_replace( '/[^a-z0-9_]/i', '', $string );
?>

 

Might have to adjust the regexp a bit to get the desired affect.

[Mchl]

Ok... what's the point of all this? SQL injection prevention? Just use mysql_real_escape_string() and DO NOT use magic quotes (if that's what you had in mind writing 'smart quotes' - they're not so smart really). And if you want to be really safe, go towards prepared statements, and don't excersise half-baked methods like this one.

[stickynote427]

roopurt18: That's true, in this case. I was kind of hoping for a way you could specify exact characters to not remove. What would the regexp look like for a-z, 0-9, and _, @, and .?

 

Mchi: Okay, so is it safer to use mysql_real_escape_string() by itself instead of with magic quotes ("smart quotes"...yeah, my mistake, sorry). And I will look into prepared statements. Thanks.

[Mchl]

In fact, with magic_quotes enabled, you should first run stripslashes on any variable you pass to mysql_real_escape_string in order to avoid double escaping.