I'm learning PHP and would like to ask which of these two different approaches is better in terms of SQL server security? Let's say it will be used for a login form.
Function #1
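/**
 * Reduces $in to a short token made only of [A-Za-z0-9_].
 *
 * The original chained htmlentities()/htmlspecialchars() ahead of the character
 * strip. Because the strip keeps letters, the entity *names* survived while the
 * encoded characters did not: "a&b" became "aampampb" and "José" became
 * "Josampeacute". Output escaping belongs at the point of output, not in an
 * input whitelist, so those two calls are removed; strip_tags() is kept so
 * inputs such as "a<b" keep behaving as before.
 *
 * This limits which characters a username may contain. It is not a defence
 * against SQL injection: the query that consumes the value must still bind it
 * as a parameter of a prepared statement.
 *
 * @param string|null $in  raw input; null (e.g. a missing POST field) is treated as ''
 * @param int         $len maximum length of the returned token
 * @return string at most $len characters, each from [A-Za-z0-9_]
 */
function SanitizeInput(?string $in, int $len = 20): string
{
    $plain = strip_tags($in ?? '');
    // Anything outside the allowed ASCII set is dropped, never encoded.
    $token = preg_replace('/[^a-zA-Z0-9_]/', '', $plain) ?? '';

    return substr($token, 0, $len);
}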
Usage:
// NOTE(review): the whitelist only limits which characters $username may
// contain; it does not make the query that uses it safe. Bind $username as a
// prepared-statement parameter. $_POST['username'] may also be unset.
$username = $thisDB->SanitizeInput($_POST['username']);
Functions #2 & #3
/**
 * Trims $text and replaces a fixed set of characters with ASCII letters.
 *
 * NOTE(review): the $search entries show as empty strings on this page; judging
 * by the $replace list (C c G g i I O o S s U u) they were presumably accented
 * letters (the Turkish alphabet fits) that were lost in encoding — confirm
 * against the original source. As written, an empty search string matches
 * nothing, so only the final ',' entry has any effect. $search holds 13 entries
 * and $replace 12, so ',' is replaced with '' (str_replace() uses '' for any
 * search term without a replacement).
 *
 * This is a text normalisation step, not a security control; it contributes
 * nothing against SQL injection.
 */
function security($text) {
$text = trim($text);
$search = array('', '', '', '', '', '', '', '', '', '', '', '', ',');
$replace = array('C', 'c', 'G', 'g', 'i', 'I', 'O', 'o', 'S', 's', 'U', 'u');
$new_text = str_replace($search, $replace, $text);
return $new_text;
}
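/**
 * HTML-escapes and trims $text, then removes quote characters, a fixed list of
 * SQL keywords and "--" from it.
 *
 * The original listed every keyword twice (UPPER and lower) and still left
 * mixed-case spellings untouched; str_ireplace() covers all casings from one
 * list, applied in the same order as before.
 *
 * Keyword stripping is lossy and is not a defence against SQL injection:
 * legitimate values are damaged ("anywhere" becomes "any"), and str_ireplace()
 * does not re-scan the text after a removal, so the result is not guaranteed
 * to be free of the listed words. The query that consumes the value must bind
 * it as a parameter of a prepared statement.
 *
 * @param string|null $text raw input; null is treated as ''
 * @return string escaped, trimmed text with the listed terms removed
 */
function SQLSecurity(?string $text): string
{
    $escaped = trim(htmlspecialchars($text ?? ''));

    // Same terms and order as the original list, one spelling each.
    $terms = [
        "'",
        '"',
        'truncate',
        'update',
        'select',
        'drop',
        'delete',
        'where',
        'exec',
        'insert into',
        'procedure',
        '--',
    ];

    return str_ireplace($terms, '', $escaped);
}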
Usage:
// NOTE(review): neither call makes the later query safe — security() only
// transliterates characters and SQLSecurity() deletes a keyword list. Bind
// $username as a prepared-statement parameter; $_POST['username'] may be unset.
$username = $thisDB->SQLSecurity($thisDB->security($_POST['username']));