Function not working right

[Thy Gamer]

[code]<?php
function SafeGurad($tempinput) {
$tempinput = str_replace("%20","",$tempinput);
$tempinput = addslashes($tempinput);
$tempinput = str_replace("javascript","No_Java_Script_Allowed!",$tempinput);
$tempinput = str_replace("</script>","No_Script_Allowed!",$tempinput);
$tempinput = str_replace("<script>","No_Script_Allowed!",$tempinput);
$tempinput = str_replace("SELECT * FROM","No_SQL_Script_Aloud!",$tempinput);
$tempinput = str_replace("<","&lt",$tempinput);
$tempinput = str_replace(">","&gt",$tempinput);
//return $tempinput;
return($tempinput); //Not sure what one to use but they aint working
//Echo $tempinput;
}

$tempinput = " /<>/<r>/<R>/\/\/\/\/\<B><R><R> LOL PANTS javascript SELECT * FROM";
SafeGurad($tempinput);

php?> [/code]

It does not filter threw like it should, any idea why?

[ToonMariner]

From your code I can olny guess that the <> replacements are not workin as expected.

&gt &lt need a ; after them!

[kenrbnsn]

You should also look at the function [a href=\"http://www.php.net/htmlentities\" target=\"_blank\"]htmlentities[/a]().

BTW, the world you have spelled "Aloud" is really spelled "Allowed". If English is not your first language I can understand your mistake. If it is, I suggest learning how to use the correct word for the context.

Ken

[Guest footballkid4]

[!--quoteo(post=361104:date=Apr 2 2006, 10:04 PM:name=kenrbnsn)--][div class=\'quotetop\']QUOTE(kenrbnsn @ Apr 2 2006, 10:04 PM) [snapback]361104[/snapback][/div][div class=\'quotemain\'][!--quotec--]
You should also look at the function [a href=\"http://www.php.net/htmlentities\" target=\"_blank\"]htmlentities[/a]().

BTW, the world you have spelled "Aloud" is really spelled "Allowed". If English is not your first language I can understand your mistake. If it is, I suggest learning how to use the correct word for the context.

Ken
[/quote]
I was looking at that too, and I was just about to post about it.

Here are a few other things you should know:
1) You don't need to replace any of the SELECT * FROM's to anthing, because you aren't putting this statement inside mysql_query(), PHP just interprets it as regular text.
- Another reason: Even if you replaced SELET * FROM, what stops them from using: DROP TABLE table, or TRUNCATE TABLE table, or INSERT INTO table, or UPDATE table, or DELETE FROM table, or SELECT columname FROM table, or CREATE TABLE, or any of the other syntax bases.

2) You really don't need to change out <script> for anything either if you are using htmlentities()
- Also, this poses a similar problem as the last one. Say you wanted to replace <script>, but the user typed <script language="javascript"> or even <script language="javascript" asdf="yes"> which most good browsers will still understand

You should really get into preg_replace for what you are trying to do:
[code]preg_replace( "@<script[^>].+?>@is" , "" , $input )[/code]
etc...

[Kyo765]

[code]
<?php
error_reporting(E_ALL);
function SafeGurad($tempinput) {
$tempinput = str_replace("%20","",$tempinput);
$tempinput = addslashes($tempinput);
$tempinput = str_replace("javascript","No_Java_Script_Allowed!",$tempinput);
$tempinput = str_replace("</script>","No_Script_Allowed!",$tempinput);
$tempinput = str_replace("<script>","No_Script_Allowed!",$tempinput);
$tempinput = str_replace("SELECT * FROM","No_SQL_Script_Aloud!",$tempinput);
$tempinput = str_replace("<","&lt",$tempinput);
$tempinput = str_replace(">","&gt",$tempinput);
return $tempinput;

}

$tempinput = "%20 /<>///\/\/\/\/\ LOL PANTS javascript SELECT * FROM";
echo SafeGurad($tempinput);
php?>
[/code]

you got to fix your spelling and logic yourself tho.