
jefrey at forteras dot tech
7 years ago
NEVER USE this function to protect against SQL Injection.

It may sound ridiculous but I've seen a couple of developers doing so.

It's interesting that these developers use str_replace (let's ignore the fact that they don't even use str_ireplace, which is case-insensitive) to remove common SQL commands such as "SELECT" or "DROP" from user-entered inputs.

A funny thing to note is that:

<?php
$input = "SELSELECTECT";
// A single replacement pass removes the inner "SELECT" and leaves a new one behind.
echo str_replace("SELECT", "", $input); // = SELECT
?>

Yeah, you could loop it, but str_replace was never meant to be used this way. There are proper ways to protect against SQL Injections, such as using prepared statements (placeholders).
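The following is an added example, not part of the note above or of the PHP manual. It places the single-pass keyword blacklist the note criticises next to the recommended alternative, a PDO prepared statement, and runs both against an in-memory SQLite database. The function names stripSqlKeywords and findUserByName, the users table and its rows are constructed for this example.

```php
<?php
// Added example (not from the php.net note): keyword blacklist vs. prepared statement.
// Requires the pdo_sqlite extension; the users table and names are constructed here.

declare(strict_types=1);

// The approach the note warns against: one pass of str_ireplace over the input.
// Nested keywords such as "SELSELECTECT" survive, because removing the inner
// "SELECT" joins the remaining characters into a new "SELECT".
function stripSqlKeywords(string $input): string
{
    return str_ireplace(['SELECT', 'DROP', 'UNION'], '', $input);
}

// The recommended approach: the value is bound as a parameter and never
// interpolated into the SQL text, so its content cannot alter the statement.
// User data is stored and compared as-is; nothing needs to be stripped.
function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample database for the demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// The nested keyword from the note: check whether the blacklist actually removed it.
$input = 'SELSELECTECT';
$filtered = stripSqlKeywords($input);
printf("blacklist output: %s (still contains SELECT: %s)\n",
    $filtered,
    stripos($filtered, 'SELECT') !== false ? 'yes' : 'no');

// With a prepared statement the same input is merely a name that matches no row,
// while a legitimate name is still found.
var_dump(findUserByName($pdo, $input));
var_dump(findUserByName($pdo, 'alice'));
```

Running this shows the blacklist returning a string that still contains SELECT, exactly as the note describes, while the prepared statement treats the same string as plain data: it matches no user, and the lookup for "alice" succeeds without any filtering of the input.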
