function works on local not on remote

[arp1445]

hi... I'm using x10's free hosting service...
I wrote a function as below:

PHP Code:

function prevent_url_injection($unsafe) {
        // preventing from sql injection by url get method
        $find_eveil_chars = array("'", "\"", "#", "//", "/*", "*/", "--");
        $safe = str_replace($find_eveil_chars, "", $unsafe);
        return $safe;
} 


I wrote this function for prevent url injection.
This works fine on my local server... But not working on remote server...
The strange thing is: 1)I created a new php file (for test only) and it works fine on remote server. 2) When I try with my existing files - include it, or wrote function as standalone - it did not worked

Can anyone tell me how to fix and whats going on?
Thanks in advance.

[descalzo]

Define "does not work".

[misson]

Never write your own SQL escape function. It's too easy to get something wrong and completely unnecessary. The database extensions provide their own functions to prevent SQL injection. In any case, you shouldn't be escaping data, you should be using prepared statements; prepared statement parameters aren't vulnerable to injection.

For an example of how your function gets something wrong, how does it handle the entirely valid name of "O'Neill"?

[arp1445]

Never write your own SQL escape function. It's too easy to get something wrong and completely unnecessary. The database extensions provide their own functions to prevent SQL injection. In any case, you shouldn't be escaping data, you should be using prepared statements; prepared statement parameters aren't vulnerable to injection.

For an example of how your function gets something wrong, how does it handle the entirely valid name of "O'Neill"?

Hmm.. thats interesting... I'll use prepared statements.
But my function was only to get numeric id from GET method... so it wont even show any errors in spite of bad/evil chars from url...

---------- Post added at 08:28 AM ---------- Previous post was at 08:25 AM ----------

Define "does not work".

Sorry for my bad English :p *edited*

[misson]

When descalzo wrote that he wanted you to define "does not work", it's not because your statement was grammatically incorrect, it's because "does not work" is ambiguous. We can't know how it's not doing what you want. Are you getting an error? Is the function not returning the value you expect for some input? "Does not work" tells us nothing about what's going on. Always state explicitly what you want (or expect) and what you actually get, which includes any error messages.

[arp1445]

ok, sorry - thanks for explanation, I got it!

No error, its like a ghost bug.
function is ok, it passes values correctly - returns values also correctly.
But it should return the cleaned-up value -- its not cleaning up.

Thats where the problem is.
I'm saying is, this function is working fine when I create new php file, for test purpose but not on production mode.
Its very strange.

Thanks.

[descalzo]

How are you passing/getting the strings? Be specific.

Examples? Does it ever work properly?