Does anyone know what this function would look like in PHP 7?
function AntiSqlInjection($dados){
if (!get_magic_quotes_gpc){
addslashes($dados);
}
$dados= strip_tags($dados);
$dados= preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables)/"),'', $dados);
return $dados;
}//end
$usuario= AntiSqlInjection($usuario);
$senha= AntiSqlInjection($senha);
sql_regcase has become obsolete a long time, you can try using as Alternatively:
Of course you will have to adapt the code and read the documentation of how to use, not just switch , however if it is MySql and what you are wanting to do is an anti-injection I really recommend that instead of doing all this simply use the ready-made functions of the new APIs that already exist
You are probably using the old API even though the functions are prefixed with mysql_ , if it is difficult to adjust the codes for the most modern apis like PDO or MYSQLi then use simplemenete:
mysql_real_escape (which of course is obsolete too since it is part of the old API since starts with mysql_ ) It should look like this:
$usuario= mysql_real_escape($usuario);
$senha= mysql_real_escape($senha);
However, it is highly recommended that you change your codes as soon as possible to PDO or MYSQLI, since functions with mysql_ prefix no longer work in newer versions of PHP ( php 7 + ) and so sooner or later you will need to migrate to a server with php7 (if your server uses PHP5), I recommend that you read:
If you use the mysqli API a simple example to avoid injection is to use mysqli_real_escape_string , example:
<?php
$link = mysqli_connect("localhost", "usuario", "senha", "banco");
if (mysqli_connect_errno()) {
printf("Conexão falhou: %s\n", mysqli_connect_error());
exit;
}
$usuario = mysqli_real_escape_string($link, $_POST['usuario']);
$senha = mysqli_real_escape_string($link, $_POST['senha']);
if (mysqli_query($link, "SELECT * FROM usuarios WHERE login='$login' AND senha='$senha')")) {
... resto do código aqui
}
mysqli_close($link);
Or you may prefer prepared statments from which you do not need to escape the strings:
<?php
$link = mysqli_connect("localhost", "usuario", "senha", "banco");
/* check connection */
if (mysqli_connect_errno()) {
printf("Conexão falhou: %s\n", mysqli_connect_error());
exit;
}
/* Prepara uma instrução */
if ($stmt = mysqli_prepare($link, "SELECT * FROM usuarios WHERE login=? and senha=?")) {
/* bind parameters for markers */
mysqli_stmt_bind_param($stmt, "s", $usuario);
mysqli_stmt_bind_param($stmt, "s", $senha);
/* executa a query */
mysqli_stmt_execute($stmt);
... resto do código aqui ...
/* fecha o statement */
mysqli_stmt_close($stmt);
}
/* fecha a conexão */
mysqli_close($link);
This is a function that has been deprecated (has become obsolete) for many years but you can generate something generic
function my_Sql_regcase($str){
$res = "";
$chars = str_split($str);
foreach($chars as $char){
if(preg_match("/[A-Za-z]/", $char)){
$res .= "[".mb_strtoupper($char, 'UTF-8').mb_strtolower($char, 'UTF-8')."]";
}else{
$res .= $char;
}
}
return $res;
}
You can use the function as follows
$dados= preg_replace(my_Sql_regcase("/(from|select|insert|delete|where|drop table|show tables)/"),'', $dados);