
PHP Blacklist words in String

I have a piece of JavaScript code that generates a dynamic XML string. This XML string is then passed to a PHP file where I need to check to make sure the string doesn't contain any bad words that could allow for SQL injection.

I figured I would just create a blacklist and if any word was found, we just don't send the XML to the database.

My snippet of code however isn't returning true when I pass in one or more of the blacklist words.

// Create a blacklist array
$blacklist = Array('create', 'alter', 'update', 'delete', 'drop', 'insert', 'into', 'from', 'where');

// Define our vars
$xml = '<blah>alert table drop something create</blah>';
$actor = $_COOKIE['QID'];
$sp = $_POST['sp'];

// Let's check the XML string to see if it contains any database altering words
function contains($str, array $arr)
{
    foreach($arr as $a) {
        if (stripos($a,$str) !== false) return true;
    }
    return false;
}

// Check our XML string
if(contains($xml, $blacklist))
{
    echo 'Contains';
}
else
{
    echo 'Does not contain';
}

Is there a better way to handle this type of check? I wasn't sure what to search for so figured the blacklist of words would be sufficient.

You have the parameters in the wrong order when calling stripos. Instead of stripos($a,$str), you want stripos($str,$a). The first version searches for the entire XML string within an individual "bad" word. The second searches for the word within the XML string.
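Added example, not part of the original question or answer: the check with the argument order the answer gives, run on the question's string and two constructed strings, followed by the same strings stored through a bound parameter. The in-memory SQLite database and the `submissions` table are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. Sample strings are constructed unless noted.
$blacklist = ['create', 'alter', 'update', 'delete', 'drop', 'insert', 'into', 'from', 'where'];

// Corrected check: stripos(haystack, needle) looks for each word inside the XML.
function contains(string $str, array $arr): bool
{
    foreach ($arr as $a) {
        if (stripos($str, $a) !== false) {
            return true;
        }
    }
    return false;
}

$samples = [
    '<blah>alert table drop something create</blah>',           // string from the question
    '<note>Updated delivery address, from the customer</note>', // constructed, ordinary text
    '<note>hello</note>',                                       // constructed
];

// The match is a plain substring test, so ordinary text is judged the same way
// as SQL keywords; compare the verdicts for the first two samples.
foreach ($samples as $xml) {
    printf("%-60s %s\n", $xml, contains($xml, $blacklist) ? 'Contains' : 'Does not contain');
}

// Binding the XML as a parameter sends it to the database as data, separate
// from the SQL text, whatever words it contains.
// Assumptions: PDO with the SQLite driver, hypothetical table "submissions".
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE submissions (id INTEGER PRIMARY KEY, body TEXT)');

$stmt = $pdo->prepare('INSERT INTO submissions (body) VALUES (:body)');
foreach ($samples as $xml) {
    $stmt->execute([':body' => $xml]);
}

// Read the rows back and compare them with what was sent.
$stored = $pdo->query('SELECT body FROM submissions ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
var_dump($stored === $samples);
```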

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

 