SQL Code Stripping... preventing SQL injections?

[mschrank99]

Does anyone know if there is a way to strip out SQL code from $_POST variables?

Perhaps a function similar to strip_tags but instead of catching HTML, it catches SQL statements?

Thanks,

Matthew

[Crimpage]

I'm not sure how you would do that exactly. HTML is easily definable because they are enclosed within <>. SQL is not, unless you strip all SELECT, FROM and WHERE words from $_POST.

What sort of SQL injection are you worried about? are you directly running an entry from a post field into an sql statement?

If not, just look at addslashes().

Cheers,
Dave

[kenrbnsn]

The better function for this is [url=http://www.php.net/mysql_real_escape_string]mysql_real_escape_string()[/url]

Ken

[kevinkorb]

A way I like to clean my $_POST array...

[code=php:0]
<?php
function clean_array($array) {
    $new_array = array();
    foreach($array AS $key => $val) {
      $new_array[$key] = mysql_real_escape_string($val);
    }
    return $new_array;
}
?>
[/code]

[kevinkorb]

So then to use it.. (obviously)

[code=php:0]
$_POST = clean_array($_POST);

//Or to leave the $_POST intact.

$_clean = clean_array($_POST);
[/code]

[c4onastick]

I use PEAR::DB, its all taken care of internally.