Error in PHP 7: Call to Undefined Function sql_regcase

-1

Does anyone know what this function would look like in PHP 7?

function AntiSqlInjection($dados){
    if (!get_magic_quotes_gpc){
        addslashes($dados);
    }

    $dados = strip_tags($dados);
    $dados = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables)/"), '', $dados);
    return $dados;
}//end

$usuario = AntiSqlInjection($usuario);
$senha = AntiSqlInjection($senha);

  • Obsolete: sql_regcase

  • There is no need to create an AntiSqlInjection function for newer versions of PHP; you can just use a PDO connection, which besides everything else is much easier to configure if you later want to change the type of database.

  • Always try to use the PDO or MySQLi extensions, handling the data to be processed by queries through prepared statements: https://www.w3schools.com/php/php_mysql_prepared_statements.asp

  • Here we are in PHP 7 and you are using this function; even if it works right, the best option is to use prepared statements.

2 answers

2

sql_regcase has long been obsolete; as an alternative you can try to use:

Of course you will have to adapt the code and read the documentation on how to use it; simply swapping it in is not enough. However, since this is MySQL and what you want is anti-injection, I really recommend that instead of doing all of this you simply use the ready-made functions of the new APIs that already exist.

You are probably using the old API, the one whose functions have the mysql_ prefix. If it is difficult to adapt the code to the more modern APIs such as PDO or MySQLi, then simply use:

  • mysql_real_escape_string (which is obviously also obsolete, because it is part of the old API, as it starts with mysql_)

It should look like this:

$usuario = mysql_real_escape_string($usuario);
$senha = mysql_real_escape_string($senha);

However, it is highly recommended that you change your code to PDO or MySQLi as soon as possible, because the functions with the mysql_ prefix no longer work in the latest versions of PHP (PHP 7+), so sooner or later you will need to migrate to a server with PHP 7 (if by chance your server uses PHP 5). I recommend that you read:

If you are using the mysqli API, a simple way to avoid injection is to use mysqli_real_escape_string, for example:

<?php
$link = mysqli_connect("localhost", "usuario", "senha", "banco");

/* check the connection */
if (mysqli_connect_errno()) {
    printf("Conexão falhou: %s\n", mysqli_connect_error());
    exit;
}

/* escape the values for use inside a quoted SQL string */
$usuario = mysqli_real_escape_string($link, $_POST['usuario']);
$senha = mysqli_real_escape_string($link, $_POST['senha']);

if ($result = mysqli_query($link, "SELECT * FROM usuarios WHERE login='$usuario' AND senha='$senha'")) {
    // ... rest of the code here
}

mysqli_close($link);

Or you may prefer prepared statements, with which the strings do not need to be escaped:

<?php
$link = mysqli_connect("localhost", "usuario", "senha", "banco");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Conexão falhou: %s\n", mysqli_connect_error());
    exit;
}

/* raw values: no escaping needed, they are bound as parameters */
$usuario = $_POST['usuario'];
$senha = $_POST['senha'];

/* prepare a statement */
if ($stmt = mysqli_prepare($link, "SELECT * FROM usuarios WHERE login=? and senha=?")) {

    /* bind both parameters in one call: one "s" (string) per marker */
    mysqli_stmt_bind_param($stmt, "ss", $usuario, $senha);

    /* execute the query */
    mysqli_stmt_execute($stmt);

    // ... rest of the code here ...

    /* close the statement */
    mysqli_stmt_close($stmt);
}

/* close the connection */
mysqli_close($link);

1

sql_regcase is a function that was deprecated (became obsolete) many years ago, but you can generate something

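function my_Sql_regcase($str){

    $res = "";

    // Replace each ASCII letter with a two-character class, e.g. "a" becomes "[Aa]"
    $chars = str_split($str);
    foreach($chars as $char){
        if(preg_match("/[A-Za-z]/", $char)){
            $res .= "[".mb_strtoupper($char, 'UTF-8').mb_strtolower($char, 'UTF-8')."]";
        }else{
            // Everything else (delimiters, parentheses, "|", spaces) is kept as is
            $res .= $char;
        }
    }

    return $res;
}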

You can use the function as follows

$dados= preg_replace(my_Sql_regcase("/(from|select|insert|delete|where|drop table|show tables)/"),'', $dados);

  • Hi, with this can I add the words I want to restrict, like select|Insert|Where? How would it look?

  • I changed the answer

  • Thanks, I’ll see how it goes

  • I put it on but it wasn’t like that

  • when added in the field like this: $usuario= $data($user); does not take 7
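
An added example, not code from the question or either answer: it runs the question's keyword filter and a bound-parameter login side by side, to show that the filter silently alters legitimate values while prepared statements accept them unchanged. It assumes PDO with the pdo_sqlite driver (in-memory database) and a senha column that stores a password_hash() value; the function names keywordFilter and checkLogin and the sample accounts are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with the pdo_sqlite
// driver (in-memory database, runs offline) and a senha column holding a
// password_hash() value. Table and column names follow the answers above.

// The question's keyword filter; the /i flag stands in for sql_regcase.
function keywordFilter(string $dados): string
{
    $pattern = '/(from|select|insert|delete|where|drop table|show tables)/i';
    return preg_replace($pattern, '', strip_tags($dados));
}

// Login check with a bound parameter: the value is sent as data, never as SQL.
function checkLogin(PDO $pdo, string $usuario, string $senha): bool
{
    $stmt = $pdo->prepare('SELECT senha FROM usuarios WHERE login = ?');
    $stmt->execute([$usuario]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($senha, $hash);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE usuarios (login TEXT PRIMARY KEY, senha TEXT NOT NULL)');

// Constructed sample accounts: a quote in one login, filtered words in the other.
$contas = [
    ["o'brien", 'correct horse'],
    ['selecta_from_rio', 'where is waldo'],
];
$insert = $pdo->prepare('INSERT INTO usuarios (login, senha) VALUES (?, ?)');
foreach ($contas as [$login, $senha]) {
    $insert->execute([$login, password_hash($senha, PASSWORD_DEFAULT)]);
}

foreach ($contas as [$login, $senha]) {
    // Raw input through bound parameters: both accounts log in.
    $raw = checkLogin($pdo, $login, $senha);
    // Same input through the filter first: values are silently altered.
    $filtered = checkLogin($pdo, keywordFilter($login), keywordFilter($senha));
    printf("%-18s raw=%s filtered=%s (login becomes '%s')\n",
        $login, var_export($raw, true), var_export($filtered, true), keywordFilter($login));
}
```

The apostrophe in the first login needs no escaping because it never becomes part of the SQL text; the second account can no longer log in once its values pass through the filter.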
