I have the following method in my php CRUD class:
//secure search method
function secureInput($ary = array()){
$this->connect();
$securedArray = array();
//print_r($ary);
foreach($ary as $val){
//echo($val.'<br />');
$val = str_replace("'","",$val);
$val = str_replace("#","",$val);
$val = str_replace("~","",$val);
$val = str_replace("!","",$val);
$val = str_replace("%","",$val);
$val = str_replace("*","",$val);
$val = str_replace("drop","",strtolower($val));
$val = str_replace("show","",strtolower($val));
$val = str_replace("insert","",strtolower($val));
$val = str_replace("create","",strtolower($val));
$val = str_replace("update","",strtolower($val));
$val = str_replace("select","",strtolower($val));
$val = str_replace('"',"",$val);
$val = str_replace("+","",$val);
$val = str_replace(";","",$val);
$val = mysql_real_escape_string($val);
$securedArray[] = $val;
}
return $securedArray;
}
I want to use the following code to take input and return clean input (hacking xss proof input) and then use it for my database queries like insert update and retrieve etc
require_once('classes/classes.php');
$crud = new CRUD();
$ar = array("Shah Hussai#n","shahhus';sai;'n3#05@xyz.com","",234);
$name = "";$email = "";$empty ="";$int = "";
$ary = $crud->secureInput($ar);
if(!isset($ary[0]) || empty($ary[0])){
echo("Please provide your name<br />");
}
else{
//update variables here
$name = $ary[0];
$email = $ary[1];
$empty = $ary[2];
$int = $ary[3];
}//if
echo $sql = "INSERT INTO tbl(name,email...) values($name,$email,$empty,$int)";
Now i am not sure either this will protect my code from hackers Cross Scripting and sql injection attempts? or i should do something else for taking input safely?
Thanks in advance
