Hi Everyone,

I'm making a new version of my Radio DJ Panel and I am currently in the process of completing all the core functions and that kind of fun stuff. So I obviously need a strong clean() function to protect against any sort of MySQL Injection to maintain the security of the script. So here's what I have so far... anyone see any problems with this or ways it could be improved?

<?php
function clean($string, $what = ''){
// Filter bad words
$filter = explode(',', settings('filterwords'));
foreach($filter as $word){
$string = preg_replace('/'.$word.'/i', settings('filterreplace'), $string);
return $string;
}
// Filter MySQL comments and stuff
$string = str_replace('#', '& #35;', $string);
$string = str_replace('--', '& #45;-', $string);
$string = str_replace('/*', '& #47;*', $string);
$string = str_replace('*/', '& #42;/', $string);
$string = str_replace('"', '& #34;', $string);
$string = str_replace('`', '& #96;', $string);
$string = str_replace("'", '& #39;', $string);
$string = str_replace(';', '& #59;', $string);
$string = mysql_real_escape_string($string);
// Add or strip slashes (based on magic_quotes)
if(get_magic_quotes_gpc()){
$string = stripslashes($string);
}else{
$string = addslashes($string);
}
// General cleaning
if($what == null){
$string = htmlspecialchars($string);
$string = htmlentities($string);
$string = nl2br($string);

// Notes cleaning
}elseif($what == "notes"){


// Login cleaning
}elseif($what == "login"){
$string = substr($string, 0, 30);
}
return $string;
}
?>

I've protected against basically all that I could think of but am I going overboard (I'm a little paranoid after some previous mishaps)...

All comments are welcome. Thanks!

$string = str_replace('#', '#', $string);
$string = str_replace('--', '--', $string);
$string = str_replace('/*', '/*', $string);
$string = str_replace('*/', '*/', $string);
$string = str_replace('"', '"', $string);
$string = str_replace('`', '`', $string);
$string = str_replace("'", ''', $string); // <-- syntax error
$string = str_replace(';', ';', $string);
Every one of those does nothing, or more specifically takes the input and replaces it with the same thing. If you just want to remove those things you can do this:$replace = array('#', '--', '/*', '*/', '"', '`', '\'', ';');
$string = str_replace($replace, '', $string);

Every one of those does nothing, or more specifically takes the input and replaces it with the same thing.

Sorry, that was my bad.. It actually takes it and replaces it with the HTML special character representation (# = '& # 35 ;' minus the spaces). I guess the forum replaced all the HTML character representations with the actual output... that would be why it appears I'm replacing something with itself...

Since I can't edit my earlier post would all future respondants please keep the above in mind when replying, thanks :)

Sorry, that was my bad.. It actually takes it and replaces it with the HTML special character representation (# = '& # 35 ;' minus the spaces). I guess the forum replaced all the HTML character representations with the actual output... that would be why it appears I'm replacing something with itself...

Ah, that makes more sense. Why not use htmlentities() (http://php.net/htmlentities)?
Since I can't edit my earlier post would all future respondants please keep the above in mind when replying, thanks :)
Why can't you edit your post?

Ah, that makes more sense. Why not use htmlentities() (http://php.net/htmlentities)?

I did implement htmlentities() but I've set it up so it only happens when you're cleaning certain types of inputs so that it won't mess up the format of certain fields.

Why can't you edit your post?

Ah nevermind, I don't remember being able to edit my own posts after 5-10 minutes I think it was.... anyway, all's good now.