من يك تابع براي اين كار نوشتم
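/**
 * Escape a string for embedding in a MySQL string literal.
 *
 * Replaces the keyword-stripping version: deleting tokens such as "union",
 * "drop" or "concat" does not make a value safe and silently corrupts
 * ordinary input ("reunion" became "re", "dropdown" became "down"), the
 * strtolower() call destroyed the case of user data, and mysql_escape_string()
 * no longer exists in PHP 7+. The reliable defence is a prepared statement
 * with bound parameters; use this helper only where a query string is still
 * assembled by hand, and never as a substitute for output escaping
 * (the old strip_tags() call belonged to the HTML layer, not here).
 *
 * @param mixed        $s    value to escape; cast to string
 * @param \mysqli|null $link open connection; when given, escaping honours the
 *                           connection charset via mysqli_real_escape_string()
 * @return string escaped value, without surrounding quotes
 */
function sqlin($s, $link = null)
{
    $s = (string) $s;

    if ($link instanceof \mysqli) {
        return mysqli_real_escape_string($link, $s);
    }

    // Charset-unaware fallback covering the same characters the removed
    // mysql_escape_string() handled. strtr() with an array replaces in a
    // single pass, so the backslash inserted for one character is never
    // re-escaped. Not safe for multibyte connection charsets (e.g. GBK, SJIS);
    // pass $link, or better, bind the value as a statement parameter.
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}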