
Php function to prevent SQL injection.

I am developing a WordPress project in which I require users to insert some data they need. I have created new tables in the database for my use; now I need to be safe and protect against SQL injection.

For this I have created the following:

function sql_escape($var) {
    if (is_string($var)) {
        // Replace a list of SQL keywords and operators with '...', then
        // backslash-escape quotes and strip HTML tags.
        $result = strip_tags(addslashes(str_replace(
            array('SELECT', 'select', 'DELETE', 'delete', 'INSERT', 'insert',
                  'JOIN', 'join', 'CREATE', 'create', 'UPDATE', 'update',
                  'FROM', 'from', 'WHERE', 'where', '*', '=', '+', '-', '<', '>'),
            '...',
            $var
        )));
        return $result;
    }

    if (is_numeric($var) || is_float($var)) {
        // Numbers are passed through unchanged.
        $result = $var;
        return $result;
    }
}

Do you think this could be enough? Thanks everyone for the support.

ross80

1 Answer


In order to sanitize your SQL queries, you should use prepared statements.

In a WordPress development environment, you have this:

$sql = $wpdb->prepare(
    "SELECT something FROM table WHERE foo = %s and status = %d",
    $name,   // an unescaped string (function will do the sanitization for you)
    $status  // an untrusted integer (function will do the sanitization for you)
);

Source: WordPress Developer Docs

fabio.ivona