Every piece of user input (e.g. a login) will have to go through the two functions below in my project.
How good are these functions against SQL injection?
<?php
// Strips HTML tags, then escapes the result for use inside a quoted MySQL string.
// Note: mysql_real_escape_string() needs an open mysql_* connection, otherwise it returns false.
function filter($str) {
    $str = strip_tags($str);
    $str = mysql_real_escape_string($str);
    return $str;
}
mysql_real_escape_string will only prevent sql injection in case of string values (that is, variables you put between quotes in your query). In a case like this, it won’t help:
// user input: $_POST['id'] = '2 OR 1 = 1'
$id = mysql_real_escape_string($_POST['id']);
// double quotes so that $id is interpolated (a single-quoted PHP string would keep the literal text '$id')
$query = "
SELECT *
FROM tablename
WHERE id = $id
";
If you echo the value of $query, it’ll be
SELECT *
FROM tablename
WHERE id = 2 OR 1 = 1
So you’ll have to distinguish between alphanumeric and numeric values, and sanitize accordingly.
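The failure mode described above comes from the value being pasted into the SQL text. The following is an added example (not the answerer's code) of the two defences that close it for the numeric case: validate the input as a canonical integer, and pass it to the database as a typed parameter of a prepared statement so it is never part of the query string at all. It assumes a PDO connection to a MySQL database with a table named tablename; the DSN and credentials are placeholders.

```php
<?php
// Added example, not from the original post.
// Assumes PDO with the MySQL driver and a table `tablename` with an integer `id` column.

// 1) Validate: accept only a canonical non-negative integer, reject anything else.
//    Both '2 OR 1 = 1' and "2" (with surrounding whitespace or a sign) fail this check.
function requireInt(string $raw): int {
    if (!preg_match('/^\d{1,10}$/', $raw)) {
        throw new InvalidArgumentException('id must be a plain integer');
    }
    return (int)$raw;
}

// 2) Parameterise: the value is sent separately from the SQL text, typed as an
//    integer, so quoting and escaping no longer matter for the query structure.
function fetchById(PDO $pdo, string $raw): ?array {
    $id = requireInt($raw);
    $stmt = $pdo->prepare('SELECT * FROM tablename WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Placeholder DSN and credentials (assumed, replace with your own).
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpassword', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // use server-side prepares, not client-side string building
]);

// The same constructed inputs the answer discusses: a legitimate id and the injected one.
foreach (['2', '2 OR 1 = 1'] as $input) {
    try {
        $row = fetchById($pdo, $input);
        echo "input '$input' -> " . ($row ? 'one row returned' : 'no row') . "\n";
    } catch (InvalidArgumentException $e) {
        echo "input '$input' -> rejected: " . $e->getMessage() . "\n";
    }
}
```

The validation step is what gives a clear error to the caller; the prepared statement is what actually protects the query, and it should be used for string columns as well, which makes the escape-then-concatenate approach in the question unnecessary.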
Seems a bit over the top and missing the point. What if I really want the word “update” or “select” in my text? They are not really uncommon words, but your function would stop me from using them. I’d do away with that function.