Sanitize mysql injection string with preg_match

Question

I want to sanitize data against mysql injection. So I need to write a pattern to recognize and remove 4 main mysql SELECT, Replace, DELETE , UPDATE.

I want to use this general rule for array_map

$_POST = array_map('stz',$_POST);

However I stuck in to write that pattern to against happens like this " ' AND 1=1; SELECT * FROM test_table "

Answer 1

There are a number of ways you can do it. Here are a few:

Create a variable each time

$clean_forename = mysqli_escape_string($db, $_POST["forename"]);

Create a clean array

$clean = array();
$clean["forename"] = mysqli_escape_string($db, $_POST["forename"]);

Sanitize in the SQL query

$sql_query = "UPDATE table SET forename='".mysqli_escape_string($db, $_POST["forename"])."'";

Use a foreach

$set = array();
$keys = array('forename', 'surname', 'email');
foreach($keys as $val) {
  $safe_value = mysqli_escape_string($db, $_POST[$val]);
  array_push($set, "$val='$safe_value'");
}
$set_query = implode(',', $set);
$sql_query = "UPDATE table SET $set_query";

Answer 2

Don't use regex. there is dedicated function for cleaning if you wish to clean all your post array you can use simple foreach:

<?php
    $cleanpostArr = array();
    foreach($_POST as $postkey => $postvalue){
      $cleanpostArr[mysqli_escape_string($db,$postkey)] = mysqli_escape_string($db,$postvalue);
    }
?>