
I have this function cleaning strings for SQL injection

function _clean($clean) {
  // utf8_encode() assumes ISO-8859-1 input; already-UTF-8 text gets double-encoded
  $clean = utf8_encode($clean);
  $array_find =    array(  "(" ,   ")" ,   "," ,   "#" ,   "'" , "@" , ";" ,   ":" ,   "&");
  // in a double-quoted string "\x27" is the apostrophe itself, so "'" maps to "'";
  // note also that 0x82 is not the ASCII comma (that is 0x2C)
  $array_replace = array("\x28", "\x29", "\x82", "\x23", "\x27", "@", "\x3B", "\x3A", "&");
  $cleaned  = str_replace($array_find, $array_replace, $clean);
  return $cleaned;
}

It works well, but I am noticing cases where `$cleaned = _clean("Relaxin'");` returns cleaned as "Relaxin'". It fails to remove this single quote; I am unsure why, as I am converting to UTF-8. Does anyone have any ideas, as I might have to re-write str_replace()?

I did try this first:

// uses https://www.ascii-code.com/
function _clean($clean)
{
   $clean = utf8_encode($clean);
   $array_find =    array(  "(" ,   ")" ,   "," ,   "#" ,   "'" , "@" , ";" ,   ":" ,   "&");
   // numeric entities written without the closing ";"
   $array_replace = array("&#40", "&#41", "&#44", "&#35", "&#39", "@", "&#59", "&#58", "&");
   // str_replace() applies the pairs in order on the same string, so the "#" that
   // "(" -> "&#40" inserted is then hit by "#" -> "&#35", giving "&&#3540"
   $cleaned  = str_replace($array_find, $array_replace, $clean);
   return $cleaned;
}



leaving funny characters in when it was converted back for output to the internet: 'Erotic Lounge (Bare Pearls)' becomes 'Erotic Lounge &ුBare Pearls&෕'. For some reason the brackets don't come back on screen.

I tried this:

$array_replace = array("&(", ")", "&#44", "&#35", "&#39", "@", "&#59", "&#58", "&");

and all seems OK.

I am still not getting ',' substituted, ending up with silly characters '&ෘ'.

For example, "Covers, Vol. 1" ends up as "Covers&ෘ Vol. 1".

Does anyone know why it does this on the web page, please?

function _clean($clean) {
  $clean = utf8_encode($clean);
  $array_find =    array("è",       "ê",      "é",       "(", ")", "," ,   "#" ,   "'" ,   "@", ";" ,   ":" ,   "&");
  // "," -> "&#44" runs before "#" -> "&#35", so the result is "&&#3544" (shown as "&ෘ")
  $array_replace = array("&egrave", "&ecirc", "&eacute", "(", ")", "&#44", "&#35", "&#39", "@", "&#59", "&#58", "&");
  $cleaned  = str_replace($array_find, $array_replace, $clean);
  return $cleaned;
}
LW001
  • Are you checking this cleaned value by printing it, or the string which is getting stored in the DB? For SQL injection, you should escape special characters or use prepared statements, which by default take care of these things – Haridarshan Jul 02 '21 at 20:36
  • I am cleaning it from trusted data and trying to get it into SQL so it doesn't dump the record on insert, and so it prints on the internet page OK. I tried using ASCII codes, but it was OK until it hit brackets and went wrong, inserting funny graphics –  Jul 02 '21 at 21:31
  • Note that in general "cleaning" data is the wrong approach. It's essentially trying to find "the right way" to allow user input to be executed as code. Why allow that in the first place? It's not specifically the question you've asked, but [How can I prevent SQL injection in PHP?](https://stackoverflow.com/q/60174/328193) will probably provide more help in the long run. Remove the SQL injection problem entirely and problems like this one become moot. – David Jul 27 '21 at 17:23

1 Answer

What would you expect? You are replacing a single quote ' with \x27 which is just another way of writing a single quote.

If you want to replace the single quote with literally \x27, i.e. you expect the resulting string to be Relaxin\x27, you have to escape the backslash. I.e. use

$array_replace = array("\\x28", "\\x29", "\\x82", "\\x23", "\\x27", "@", "\\x3B", "\\x3A", "&"); // "\\x27" is now backslash, x, 2, 7

But to be honest, to prevent SQL injection you should rather rely on well-established libraries instead of coding that on your own. Use parameterized queries, so the framework will take care of correctly escaping the values where it's necessary. Correctly escaping a string is oftentimes more than just blindly replacing a bunch of characters, because it may also depend on the context where they appear ...

derpirscher
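As an added example (not code from the question or the answer), the following PHP script shows the two things the thread turns on: why the `"\x27"` replacement is a no-op and why the sequential `str_replace()` pairs produce `&&#3540`, and then the approach the answer recommends, a parameterized insert with PDO and HTML encoding only at output time. The `tracks` table, its `title` column and the in-memory SQLite database are assumptions for the demo.

```php
<?php
declare(strict_types=1);

// Why the posted cleaner leaves the apostrophe: inside a double-quoted PHP
// string "\x27" *is* an apostrophe, so replacing "'" with it changes nothing.
function quoteReplacementIsNoOp(): bool
{
    return str_replace("'", "\x27", "Relaxin'") === "Relaxin'";
}

// Why "(" became "&ු": str_replace() with array arguments applies the pairs
// one after another over the same string, so the "#" inserted by "(" -> "&#40"
// is then caught by "#" -> "&#35", yielding "&&#3540" (rendered as U+0DD4).
function sequentialReplaceTrap(string $s): string
{
    return str_replace(['(', '#'], ['&#40', '&#35'], $s);
}

// Storage: hand the raw text to a parameterized query and let the driver quote
// it. No pre-cleaning; utf8_encode() is also dropped, since it would double-
// encode text that is already UTF-8. Table and column names are assumed.
function insertTitle(PDO $db, string $title): void
{
    $stmt = $db->prepare('INSERT INTO tracks (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);
}

// Output: encode for HTML once, at render time. Quotes, '&', '<' and '>'
// become entities; letters such as "è" are valid UTF-8 and are left alone.
function renderTitle(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed demo against an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tracks (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');

// The strings from the question plus one constructed accented title.
$titles = ["Relaxin'", 'Erotic Lounge (Bare Pearls)', 'Covers, Vol. 1', 'Café, Thé & Crème'];
foreach ($titles as $title) {
    insertTitle($db, $title);
}

var_dump(quoteReplacementIsNoOp());
echo sequentialReplaceTrap('Erotic Lounge (Bare Pearls)'), PHP_EOL;
foreach ($db->query('SELECT title FROM tracks ORDER BY id') as $row) {
    echo renderTitle($row['title']), PHP_EOL;   // safe to place in an HTML body
}
```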