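دو تابع زیر می‌تونه شما رو از شر SQL injection راحت کنه. البته این روش فقط چند کاراکتر و کلمهٔ مشخص رو جایگزین می‌کنه و جای کوئری پارامتری (prepared statement) رو نمی‌گیره؛ برای ساختن کوئری از PDO یا mysqli با پارامترهای bind‌شده استفاده کنید.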
/**
 * Replace a fixed list of characters and SQL keywords with caret-delimited tokens.
 *
 * Substitutions are applied in list order and matched case-insensitively
 * (str_ireplace), so " OR " and " or " both become "^111114^". The keyword
 * entries only match when they are surrounded by single spaces.
 *
 * Security note: this is a deny-list, not a query-safety mechanism. It only
 * touches the thirteen patterns listed below, and "^" itself is not escaped,
 * so input that already contains a token such as "^39^" cannot be told apart
 * from encoded text after a round trip. Build queries with bound parameters
 * (PDO / mysqli prepared statements) instead of relying on this encoding.
 *
 * @param string $str Raw text.
 * @return string Text with every listed pattern replaced by its token.
 */
public function encode_safe_sql($str){
    // Pattern => token. Order matters: str_ireplace() walks the pairs sequentially.
    $tokens = array(
        "#"         => "^35^",
        "\\"        => "^92^",
        "'"         => "^39^",
        '"'         => "^34^",
        "<"         => "^60^",
        ">"         => "^62^",
        " or "      => "^111114^",
        " and "     => "^97110100^",
        "&"         => "^amp;^",
        " Delete "  => "^100101108101116101^",
        " Update "  => "^11711210097116101^",
        // NOTE(review): this token contains a space as shown; decode_safe_sql uses the same spelling.
        " Insert "  => "^105 110115101114116^",
        " Replace " => "^1141011121089799101^",
    );

    return str_ireplace(array_keys($tokens), array_values($tokens), $str);
}
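/**
 * Reverse encode_safe_sql(): turn the caret-delimited tokens back into text.
 *
 * Matching is case-sensitive (str_replace) and applied in list order.
 * Keywords come back in the fixed spelling listed here (e.g. " Delete "),
 * whatever case the original text used, because encoding is case-insensitive.
 *
 * Fix: the token for ">" was spelled "^6 2^" here while encode_safe_sql
 * emits "^62^", so ">" was never restored. It is now "^62^".
 *
 * Security note: the result contains raw quotes, backslashes and angle
 * brackets again. Escape it for the context it is used in (for example
 * htmlspecialchars() before HTML output, bound parameters for SQL).
 *
 * @param string $str Text produced by encode_safe_sql().
 * @return string Text with every known token replaced by its original pattern.
 */
public function decode_safe_sql($str){
    // Token => original pattern, in the same order as encode_safe_sql().
    $tokens = array(
        "^35^"                   => "#",
        "^92^"                   => "\\",
        "^39^"                   => "'",
        "^34^"                   => '"',
        "^60^"                   => "<",
        "^62^"                   => ">",
        "^111114^"               => " or ",
        "^97110100^"             => " and ",
        "^amp;^"                 => "&",
        "^100101108101116101^"   => " Delete ",
        "^11711210097116101^"    => " Update ",
        // NOTE(review): kept with its space so it matches what encode_safe_sql emits as shown.
        "^105 110115101114116^"  => " Insert ",
        "^1141011121089799101^"  => " Replace ",
    );

    return str_replace(array_keys($tokens), array_values($tokens), $str);
}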