OK .. I have replaced the recursive function with the following and this does exactly the same as the original one but just uses a different way of checking if it needs to repeat.
function recursive_str_ireplace($replacethis, $withthis, $inthis)
{
    // Keep replacing until a pass changes nothing, so nested occurrences are caught too
    $old_inthis = "";
    while ($old_inthis != $inthis)
    {
        $old_inthis = $inthis;
        $inthis = str_ireplace($replacethis, $withthis, $inthis);
    }
    return $inthis;
}
I have to say though, I can see a lot of problems with this "solution" of just stripping out mysql commands ... for example if any (legitimate) words/variables within the mysql contain the letters "or" or "and" - then the "or" and "and" bits (and anything else that it filters out) ..
So for example, when I had finished playing a game, if I enter a comment next to my high scores.. this is what I get..
I type "Finally I get a good score!" ... it will show "Finally I get a good sce!" (the "or" removed)
If I typed something like "I think I upset the dealer in this game" then "upset" would be just "up" so whilst it more than likely removes the chance of some dodgy mysql going in - it is not quite the best. I'm not sure if it would be enough to just put a space after each of the words in the ibp_cleansql as probably other characters can be used..
I'm not sure why you are getting a white screen (or if you got any further) but at least this function below gets around using that stristr function ... but I think it would be best if a slightly improved solution is made really because otherwise potentially other legitimate mysql statements might get messed up by using this most recent correction..
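To make the problem described above concrete, here is an added example (not the poster's code and not the board's ibp_cleansql, whose real keyword list is not shown in the thread). It runs the same fixed-point stripping loop over the two comments quoted in the post with a constructed keyword list, shows that a word-boundary version still alters ordinary sentences, and then stores the untouched comments with a prepared statement, which is the approach that makes the stripping unnecessary. It assumes PHP with the PDO SQLite driver available for the in-memory table.

```php
<?php
// Added example: why stripping SQL keywords out of user text is the wrong
// fix, and what a parameterised insert looks like instead.

// Constructed keyword list standing in for the one in ibp_cleansql (assumption:
// the real list is not shown in the thread). "set" is included because the post
// reports "upset" becoming "up".
const BAD_WORDS = ['or', 'and', 'set', 'select', 'union', 'insert', 'update', 'delete'];

// Same fixed-point loop as the post: repeat str_ireplace until a pass changes nothing.
function recursive_str_ireplace(array $replacethis, string $withthis, string $inthis): string
{
    do {
        $old_inthis = $inthis;
        $inthis = str_ireplace($replacethis, $withthis, $inthis);
    } while ($old_inthis !== $inthis);
    return $inthis;
}

// The "put a space after each word" idea from the post, done properly with
// word boundaries. It no longer eats the middle of "score", but it still
// removes legitimate whole words such as "Or" at the start of a sentence.
function strip_whole_words(array $words, string $inthis): string
{
    $pattern = '/\b(' . implode('|', array_map('preg_quote', $words)) . ')\b/i';
    return preg_replace($pattern, '', $inthis);
}

// The defensive alternative: keep the text exactly as typed and let the
// database driver bind it as a value, so it can never be parsed as SQL.
function store_comments_safely(array $comments): array
{
    $db = new PDO('sqlite::memory:');                      // assumption: pdo_sqlite is installed
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    foreach ($comments as $body) {
        $stmt->execute([':body' => $body]);                // bound as data, not as SQL text
    }
    // Read back what was stored; it should be byte-for-byte what the user typed.
    return $db->query('SELECT body FROM comments ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample comments, the two from the post plus one starting with "Or".
$comments = [
    "Finally I get a good score!",
    "I think I upset the dealer in this game",
    "Or maybe I just got lucky",
];

foreach ($comments as $c) {
    echo "typed:      $c\n";
    echo "stripped:   " . recursive_str_ireplace(BAD_WORDS, '', $c) . "\n";
    echo "whole-word: " . strip_whole_words(BAD_WORDS, $c) . "\n\n";
}
// Expected from the loop for the first two: "Finally I get a good sce!" and
// "I think I up the dealer in this game"; the third loses its first word only
// under the whole-word variant.

foreach (store_comments_safely($comments) as $stored) {
    // When rendering, escape for HTML at output time; the database needs no mangling.
    echo "stored:     " . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . "\n";
}
```

The point of the last function is that the text never has to be altered at all: with a bound parameter the driver sends the comment as a value, so the keyword list, the stristr/str_ireplace loop and the "space after each word" tweak all become unnecessary, and "score" and "upset" survive intact.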