This is my code
i want to ask is this safe frome sql injection ??
PHP Code:
function clean($data) {
if ( !isset($data) or empty($data) ) return '';
if ( is_numeric($data) ) return $data;
$non_displayables = array(
'/%0[0-8bcef]/', // url encoded 00-08, 11, 12, 14, 15
'/%1[0-9a-f]/', // url encoded 16-31
'/[\x00-\x08]/', // 00-08
'/\x0b/', // 11
'/\x0c/', // 12
'/[\x0e-\x1f]/' // 14-31
);
foreach ( $non_displayables as $regex )
$data = preg_replace( $regex, '', $data );
$data = str_replace("'", "''", $data );
return $data;
}
PHP Code:
$username = clean($_POST['username']);
$password = clean($_POST['password']);
$password2 = clean($_POST['password2']);
$delpass = clean($_POST['delpassword']);
$delpass2 = clean($_POST['delpassword2']);
$email = clean($_POST['email']);
PHP Code:
// Query
$register = $db->prepare("EXEC ACCOUNT_DBF.dbo.usp_CreateNewAccount :user, :pass, :delpass, :email");
$register->BindParam(':user',$username);
$register->BindParam(':pass',md5($sv_md5hash.($password2)));
$register->BindParam(':delpass',$delpass2);
$register->BindParam(':email',$email);
$register->execute();
i want to ask is this safe frome sql injection ??