str_ireplace() is generally a bad choice, because it doesn't work recursively. Try the following:
$safe_input = 'DELDELETEETE * FROM users';
Will result in:
DELETE * FROM users
So, your entire function falls back to mysql_real_escape_string(), and everything that came before is useless. The point is: it's not impossible to write proper filtering methods, but it can be a real challenge to cover every single case there is.
You want to either follow a whitelisting approach and allow only certain types of content. This is tough to implement in the real world.
Or a blacklisting approach and deny certain characters. Most SQL injection vulnerabilities happen because one can inject additional commands in a string. If you escape the ' (or use mysql_real_escape_string()), you are usually safe. However, it depends on your web app whether additional filtering is required or not.
Or use prepared statements.
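As an added example (not part of the answer above), here is the same input handled the way the answer recommends: a PDO prepared statement for the value, and a whitelist for the one thing placeholders cannot carry, an identifier in ORDER BY. It uses an in-memory SQLite database so it runs offline; the users table, the naive_filter() helper and the sample input are constructed for the demo.

```php
<?php
// Added example, not code from the original answer. PDO with sqlite::memory:
// so it runs stand-alone; the prepare/bind/execute pattern is the same for MySQL.

// The kind of single-pass blacklist filter the answer describes.
function naive_filter(string $input): string
{
    return str_ireplace('DELETE', '', $input);
}

// Identifiers (column names) cannot be bound as parameters, so the only safe
// option there is a whitelist: accept a known set and reject everything else.
function fetch_names_ordered(PDO $pdo, string $column): array
{
    $allowed = ['id', 'name'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('column not allowed: ' . $column);
    }
    return $pdo->query("SELECT name FROM users ORDER BY $column")
               ->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample input taken from the answer above.
$input = 'DELDELETEETE * FROM users';

// One pass of the filter leaves the keyword in place, exactly as the answer says.
echo "filtered: ", naive_filter($input), PHP_EOL;

// With a prepared statement the value travels as data, never as SQL text,
// so nothing needs to be stripped or escaped; the literal string is stored.
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->bindValue(':name', $input, PDO::PARAM_STR);
$insert->execute();

$select = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$select->execute([':name' => $input]);
echo "stored:   ", $select->fetchColumn(), PHP_EOL;

// Whitelisted identifier: accepted.
echo "ordered:  ", implode(', ', fetch_names_ordered($pdo, 'name')), PHP_EOL;

// Anything outside the whitelist is rejected before it reaches the query.
try {
    fetch_names_ordered($pdo, 'name; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}
```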