dongxie559554 2016-03-17 14:27
Views: 30
Accepted

PHP: blacklisted words in a string

I have a piece of Javascript code that generates a dynamic XML string. This XML string is then passed to a PHP file where I need to check to make sure the string doesn't contain any bad words that could allow for SQL injection.

I figured I would just create a blacklist and if any word was found, we just don't send the XML to the database.

My snippet of code, however, isn't returning true when I pass in one or more of the blacklist words.

// Create a blacklist array
$blacklist = Array('create', 'alter', 'update', 'delete', 'drop', 'insert', 'into', 'from', 'where');

// Define our vars
$xml = '<blah>alert table drop something create</blah>';
$actor = $_COOKIE['QID'];
$sp = $_POST['sp'];

// Let's check the XML string to see if it contains any database-altering words
function contains($str, array $arr)
{
    foreach($arr as $a) {
        if (stripos($a,$str) !== false) return true;
    }
    return false;
}

// Check our XML string
if(contains($xml, $blacklist))
{
    echo 'Contains';
}
else
{
    echo 'Does not contain';
}

Is there a better way to handle this type of check? I wasn't sure what to search for so figured the blacklist of words would be sufficient.


1 answer

  • drrkgbm6851 2016-03-17 15:09

    You have the parameters in the wrong order when calling stripos. Instead of stripos($a,$str), you want stripos($str,$a). The first version searches for the entire XML string within an individual "bad" word. The second searches for the word within the XML string.

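The corrected helper from the answer, together with a case where substring blacklisting still rejects harmless text and the parameterised INSERT that removes the need for keyword filtering, as an added PHP example that is not part of the question or the answer; the `documents` table, its columns and the PDO connection are assumed.

```php
<?php
// Added example, not the poster's or the answerer's code.
// Shows (1) the stripos() argument order the answer corrects,
// (2) why substring blacklisting still misfires on ordinary text, and
// (3) the parameterised INSERT that makes keyword filtering unnecessary.
// The `documents` table, its columns and the PDO connection are assumed.

declare(strict_types=1);

// Blacklist from the question.
$blacklist = ['create', 'alter', 'update', 'delete', 'drop', 'insert', 'into', 'from', 'where'];

// Corrected helper: haystack first, needle second. Returns the first
// matching word (useful for a log entry) or null when nothing matched.
function firstBlacklisted(string $haystack, array $words): ?string
{
    foreach ($words as $word) {
        if (stripos($haystack, $word) !== false) {
            return $word;
        }
    }
    return null;
}

// The question's own input is now flagged.
$suspicious = '<blah>alert table drop something create</blah>';
// But so is harmless content, because "from" is a substring of "fromage"
// and "delete" of "undeleted": a false positive that blocks a legitimate save.
$harmless = '<blah>cheese fromage, message undeleted</blah>';

foreach ([$suspicious, $harmless] as $xml) {
    $hit = firstBlacklisted($xml, $blacklist);
    echo $hit === null ? "no blacklisted word\n" : "blocked by word '{$hit}'\n";
}

// The robust control: bind the XML as a value so the driver never parses it
// as SQL, whatever words it contains. No blacklist is needed for this.
function storeXml(PDO $db, string $actor, string $xml): void
{
    $stmt = $db->prepare('INSERT INTO documents (actor, body) VALUES (:actor, :body)');
    $stmt->execute([':actor' => $actor, ':body' => $xml]);
}

// Wiring with a placeholder DSN; emulated prepares are turned off so the
// server, not the client library, performs the parameter binding.
$db = new PDO('mysql:host=localhost;dbname=app', 'user', 'secret', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
storeXml($db, $_COOKIE['QID'] ?? '', $harmless);
```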
