I am trying to run the following function to prevent sql injection in the body of a forum message:
<?php
// The pattern is quoted and given delimiters, and preg_match() is used instead
// of ereg(): ereg() was removed in PHP 7 and its POSIX regex dialect does not
// understand \s or \w, so the bare expression never compiled.
$pattern = '/(SELECT\s[\w\*\)\(\,\s]+\sFROM\s[\w]+)|'
         . '(UPDATE\s[\w]+\sSET\s[\w\,\'\=]+)|'
         . '(INSERT\sINTO\s[\d\w]+[\s\w\d\)\(\,]*\sVALUES\s\([\d\w\'\,\)]+)|'
         . '(DELETE\sFROM\s[\d\w\'\=]+)/i';
$matched = preg_match($pattern, "SELECT * FROM table"); // 1 if a statement is found
?>
But nothing happens. What I want to do is censor out SQL commands in a message body. I can't just take out words like SELECT or DELETE as they might be used legitimately. So I came up with this idea.
If someone has an easier way around SQL injection in a forum, just let me know.
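The example below is added here and is not code from the question. It uses Python with sqlite3 in place of PHP to show two things a practitioner would want to check before relying on the regex idea: that the blacklist can be bypassed while still flagging harmless posts that merely talk about SQL, and that a parameterised query stores the same attacker text harmlessly. The `users` and `posts` tables and the `PAYLOAD` string are constructed for the demonstration; in PHP the parameterised path corresponds to PDO::prepare with bound parameters.

```python
import re
import sqlite3

# The blacklist from the question, as a PCRE-style pattern (the question's
# ereg() call used POSIX syntax, which has no \s or \w).
SQL_BLACKLIST = re.compile(
    r"(SELECT\s[\w*)(,\s]+\sFROM\s\w+)"
    r"|(UPDATE\s\w+\sSET\s[\w,'=]+)"
    r"|(INSERT\sINTO\s\w+[\s\w)(,]*\sVALUES\s\([\w',)]+)"
    r"|(DELETE\sFROM\s[\w'=]+)",
    re.IGNORECASE,
)


def looks_like_sql(text):
    """Blacklist check in the spirit of the question: True if the text
    contains something the regex recognises as a SQL statement."""
    return SQL_BLACKLIST.search(text) is not None


def new_db():
    """Constructed in-memory schema: the forum's posts table plus a users
    table holding data an attacker would like to read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwhash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'secret-hash')")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return conn


def last_post(conn):
    return conn.execute(
        "SELECT author, body FROM posts ORDER BY id DESC LIMIT 1"
    ).fetchone()


def store_post_unsafe(conn, author, body):
    """Builds the statement by string concatenation, so user text is parsed
    as SQL. This is the pattern the regex was meant to protect."""
    sql = "INSERT INTO posts (author, body) VALUES ('%s', '%s')" % (author, body)
    conn.execute(sql)
    return last_post(conn)


def store_post_safe(conn, author, body):
    """Parameterised query: the driver passes the text as data, never as SQL,
    so no filtering of the message body is needed for this purpose."""
    conn.execute("INSERT INTO posts (author, body) VALUES (?, ?)", (author, body))
    return last_post(conn)


# Constructed attacker input for the author field: closes the string literal,
# supplies a scalar subquery that reads the admin hash into the post body, and
# comments out the rest of the statement. The keywords are separated by /**/
# comments instead of whitespace, so none of the blacklist's \s gaps match.
PAYLOAD = "', (SELECT/**/pwhash/**/FROM/**/users)) --"


def demo():
    conn = new_db()
    caught = looks_like_sql(PAYLOAD)                    # False: filter misses it
    leaked = store_post_unsafe(conn, PAYLOAD, "hello")  # body becomes 'secret-hash'
    literal = store_post_safe(conn, PAYLOAD, "hello")   # payload stored as plain text
    return caught, leaked, literal


if __name__ == "__main__":
    print("harmless post flagged:", looks_like_sql("SELECT * FROM table"))
    print(demo())
```

Running `demo()` shows the filter letting the payload through while the concatenated query writes the admin's hash into a public post, whereas the parameterised insert stores the payload verbatim. The same regex does fire on a post that simply quotes `SELECT * FROM table`, which is exactly the legitimate usage the question wants to keep.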