Deprecated: Function sql_regcase() is deprecated


iantoo

Hi,

 

I wonder if someone could help me. I just moved to a new server running PHP5 and am getting the "Deprecated: Function sql_regcase() is deprecated" error. I don't want to disable the messages in php.ini; I would prefer to get the coding right.

The error relates to the anti-injection function posted below:

 

function anti_injection($sql)
{
       // removes characters and words that contain sql syntax
       $s = array("`","~","!","@","#","$","%","^","&","*","(",")","+","=","[","]",";","<",">","http","//","www");
       $sql = str_replace($s, "", $sql);

       // sql_regcase() is deprecated since PHP 5.3; it only rewrote the pattern to be
       // case-insensitive, which the PCRE "i" modifier does directly ("expalin" typo fixed)
       $sql = preg_replace("/(from|truncate|explain|select|insert|delete|where|update|empty|drop table|limit|show tables|#|\*|--|\\\\)/i", "", $sql);
       $sql = trim($sql); // strip whitespace
       $sql = strip_tags($sql); // strip HTML and PHP tags
       $sql = addslashes($sql); // quote string with slashes
       return $sql;
}

 

If anyone can help recode the snippet it would be greatly appreciated.

 

Thanks

Ian
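The following is an added example, not code from Ian's post or from the replies. It shows what the deprecated sql_regcase() actually did (legacy_regcase() is a small reimplementation written here for comparison, an assumption about its behaviour based on the documented "[Ff][Rr][Oo][Mm]" expansion) and confirms that the PCRE `i` modifier produces the same matches, so the migration changes nothing about what the filter removes. The sample inputs are constructed.

```php
<?php
// Added example, not code from the thread. sql_regcase() turned every letter of
// a pattern into a case-insensitive bracket expression ("from" -> "[Ff][Rr][Oo][Mm]").
// legacy_regcase() reimplements that behaviour so the old and new filters can be
// compared; the PCRE "i" modifier is the direct replacement.

function legacy_regcase(string $pattern): string
{
    $out = '';
    foreach (str_split($pattern) as $ch) {
        $out .= ctype_alpha($ch) ? '[' . strtoupper($ch) . strtolower($ch) . ']' : $ch;
    }
    return $out;
}

// The keyword list from the original function (typo "expalin" corrected).
const KEYWORD_PATTERN = '/(from|truncate|explain|select|insert|delete|where|update|empty|drop table|limit|show tables|#|\*|--|\\\\)/';

function strip_keywords_legacy(string $input): string
{
    // How the deprecated call behaved: bracket expansion, no modifier.
    return preg_replace(legacy_regcase(KEYWORD_PATTERN), '', $input);
}

function strip_keywords_modern(string $input): string
{
    // Same matches, expressed with the "i" modifier instead of sql_regcase().
    return preg_replace(KEYWORD_PATTERN . 'i', '', $input);
}

// Constructed sample inputs: ordinary English and a string containing SQL keywords.
$samples = [
    'Where do you come FROM? Please SELECT a city.',
    'Show Tables of contents; limit 5',
];
foreach ($samples as $input) {
    $legacy = strip_keywords_legacy($input);
    $modern = strip_keywords_modern($input);
    // Both filters must agree, which is what makes the migration safe to apply.
    assert($legacy === $modern);
    printf("%-48s -> %s\n", $input, $modern);
}
```

Run it with the php command-line binary. The printed lines also make visible how much ordinary text the keyword blacklist strips out of legitimate input, which is the objection the replies raise against this approach.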

Your anti-injection function prohibits people from using common characters and words. E.g. in that previous sentence I used "from". You shouldn't be doing that as it's anti-input, not anti-injection.

Regarding the sql_regcase function: it was deprecated in PHP V5.3.0 and shouldn't be used any longer. If you're using a MySQL database you should look into mysql_real_escape_string as this is a built-in "anti-injection" function for MySQL. Other DBMSs have their own methods.

Depends where you've added it. Plus you don't want to use addslashes if you're using mysql_real_escape_string. It defeats the purpose. Read up on what mysql_real_escape_string actually does and you'll learn a lot more about sanitising data.
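As an added example (not code from the thread or from either reply), the script below shows the two points the replies make: a driver-level escape, or better a parameterised query, replaces the keyword blacklist, and stacking addslashes() on top of an escape corrupts the stored value. It assumes the pdo_sqlite extension so it runs with no database server; PDO::quote() stands in for mysql_real_escape_string(), which needs a live MySQL connection (and whose mysql extension was removed in PHP 7). The table, rows and sample inputs are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes pdo_sqlite so it runs offline.

function build_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    // Constructed rows: a name with a quote and a name containing an SQL keyword
    // are both perfectly valid data that a keyword blacklist would mangle.
    $db->exec("INSERT INTO users (name) VALUES ('O''Brien'), ('Select Committee')");
    return $db;
}

// Parameterised lookup: the user-supplied value is bound, never concatenated
// into the SQL text, so quotes and keywords in it are just characters.
function find_user(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The same lookup built by concatenation with a driver escape applied exactly
// once (PDO::quote() is the portable counterpart of mysql_real_escape_string()).
function find_user_escaped(PDO $db, string $name): array
{
    $sql = 'SELECT id, name FROM users WHERE name = ' . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// What addslashes() on top of the MySQL escape does to a value. The escaped
// form is written as a literal because mysqli_real_escape_string() needs a
// live connection; it is the documented result for the default server mode.
function double_escape_demo(): array
{
    $raw     = "O'Brien";
    $escaped = "O\\'Brien";           // mysqli_real_escape_string($link, $raw) -> O\'Brien
    $twice   = addslashes($escaped);  // O\\\'Brien: the escape's own backslash is escaped,
                                      // so MySQL stores O\'Brien instead of O'Brien
    return ['raw' => $raw, 'escaped once' => $escaped, 'escaped twice' => $twice];
}

$db = build_demo_db();
print_r(find_user($db, "O'Brien"));          // finds the row; the quote needs no filtering
print_r(find_user($db, "' OR '1'='1"));      // finds nothing: the whole string is just a name
print_r(find_user($db, "Select Committee")); // a keyword inside data is not a problem
print_r(find_user_escaped($db, "O'Brien"));  // also finds the row, escaped exactly once
print_r(double_escape_demo());
```

The design point is that escaping is a property of the query text for one specific database, so it belongs at the point where the query is built, applied once, and not in a general-purpose input filter; binding parameters removes the need to escape at all and keeps words like "from" and "where" usable in ordinary input.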

Archived

This topic is now archived and is closed to further replies.
