What is MySQL Injection?

SQL injection refers to the act of someone inserting a MySQL statement to be run on your database without your knowledge. Injection usually occurs when you ask a user for input, like their name, and instead of a name they give you a MySQL statement that you will unknowingly run on your database. Source – tizag.com.

Protection Class in PHP:

This is my own code to filter unwanted inputs from users: [ Don't forget to comment here for improvement ]

<?php

class SQLProcess {

    // Filters every key and value of an input array (for example $_REQUEST).
    // The keyword blacklist is the original design: it strips or rewrites a
    // list of SQL/HTML words before the value is escaped and HTML-encoded.
    function filter($array) {

        $keyarray   = array();
        $valuearray = array();
        $outarray   = array();

        // Magic quotes (PHP < 5.4) would add backslashes before we escape;
        // turn them off where the functions still exist.
        if (function_exists('get_magic_quotes_runtime') && get_magic_quotes_runtime()) {
            set_magic_quotes_runtime(false);
        }

        // Case-insensitive word list; "--" is the SQL comment marker.
        $badWords = "/(delete)|(update)|(union)|(insert)|(drop)|(http)|(--)|(script)|(iframe)|(alert)|(XSS)/i";

        foreach ($array as $key => $value) {

            // Values filter: a matched word becomes a single quote, which is then escaped
            $filtervalues = preg_replace($badWords, "'", $value);
            $filtervalues = mysql_real_escape_string($filtervalues); // needs an open mysql connection (see note below)
            $filtervalues = htmlentities($filtervalues, ENT_QUOTES);

            // Keys filter: a matched word is removed
            $filterkeys = preg_replace($badWords, "", $key);
            $filterkeys = mysql_real_escape_string($filterkeys);
            $filterkeys = htmlentities($filterkeys, ENT_QUOTES);

            array_push($keyarray, $filterkeys);
            array_push($valuearray, $filtervalues);
        }

        // Rebuild the array with the filtered keys and values
        $outarray = array_combine($keyarray, $valuearray);
        return $outarray;
    }

}

$Process = new SQLProcess;

?>

Example Usage:

$filter = $Process->filter($_REQUEST);

print_r($filter);

$_REQUEST is an array holding all the inputs users submitted through the form.



Note: Comment here to improve this class. Also, mysql_real_escape_string() works only when a database connection is open. If you are not using a database, replace mysql_real_escape_string with addslashes.
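As an added example (not code from the original post), here is the same form input used in a query without any keyword list: a PDO prepared statement sends the SQL text and the user's value to MySQL separately, so the value cannot change the statement, and a legitimate value containing a word like "update" is stored unchanged. The DSN, credentials, table and column names are assumptions.

```php
<?php
// Added example, not from the original post. Assumed: a MySQL database at $dsn
// with a table `users` (columns id, name, email); credentials are placeholders.
$dsn = 'mysql:host=127.0.0.1;dbname=example_db;charset=utf8mb4';
$pdo = new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

// Constructed input standing in for $_REQUEST: the name is a legitimate value
// that the keyword filter above would rewrite because it contains "update".
$input = ['name' => 'Please update my address', 'sort' => 'email'];

// Column names cannot be bound as parameters, so check them against a fixed
// allow-list instead of filtering the key text.
$allowedSort = ['name', 'email'];
$sort = in_array($input['sort'], $allowedSort, true) ? $input['sort'] : 'name';

// The SQL text is fixed; the value travels separately as a bound parameter and
// cannot change the statement's structure, whatever characters it contains.
$stmt = $pdo->prepare("SELECT id, name, email FROM users WHERE name = :name ORDER BY $sort");
$stmt->bindValue(':name', $input['name'], PDO::PARAM_STR);
$stmt->execute();

foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    // Escape for HTML at output time rather than before storage.
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), ': ',
         htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

With the value bound this way, neither mysql_real_escape_string nor addslashes is needed for it, and the database-connection caveat in the note above does not arise.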