Quote Originally Posted by CapitalWebHost
So you're saying I should put all incoming vars through this:

Code:
function strip_magic_quotes($arr) 
{ 
    foreach ($arr as $k => $v) 
    { 
        if (is_array($v)) 
            { $arr[$k] = strip_magic_quotes($v); } 
        else 
            { $arr[$k] = stripslashes($v); } 
    } 

    return $arr; 
} 

if (get_magic_quotes_gpc()) 
{ 
    if (!empty($_GET))    { $_GET    = strip_magic_quotes($_GET);    } 
    if (!empty($_POST))   { $_POST   = strip_magic_quotes($_POST);   } 
    if (!empty($_COOKIE)) { $_COOKIE = strip_magic_quotes($_COOKIE); } 
}
and then addslash any that are being used to build a query?

Hmm... makes sense... extra work... lol... but makes sense.
Not that much extra work.

Just include this recursive function at the top of all your pages dealing with GPC and you're done.

Also, do not just use mysql_real_escape_string() but also check the expected lengths and data types of your variables. See the functions I posted a few posts above as they might save you some time.
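An added example (not code from either poster) of the length and type check the reply recommends, run on the GPC array after magic quotes have been stripped and before anything reaches a query. The field names, rules and database credentials are assumptions, and it binds the clean values through mysqli prepared statements in place of the legacy mysql_real_escape_string(), which no longer exists in PHP 7+.

```php
<?php
// Added example: validate type and length of each expected field first,
// then hand only the validated values to a parameterised query.
// Field names, rules and credentials below are assumptions, not from the thread.
$rules = array(
    'user_id'  => array('type' => 'int', 'min' => 1, 'max' => 2147483647),
    'username' => array('type' => 'string', 'min_len' => 3, 'max_len' => 32,
                        'pattern' => '/^[A-Za-z0-9_]+$/'),
);

// Returns an array holding only the validated fields, or throws on any mismatch.
function validate_input(array $input, array $rules)
{
    $clean = array();
    foreach ($rules as $name => $rule) {
        // A nested array where a scalar is expected (e.g. user_id[]=1) is rejected too.
        if (!isset($input[$name]) || is_array($input[$name])) {
            throw new InvalidArgumentException("missing or malformed field: $name");
        }
        $value = $input[$name];
        switch ($rule['type']) {
            case 'int':
                // FILTER_VALIDATE_INT rejects "12abc", "1.5" and out-of-range values.
                $v = filter_var($value, FILTER_VALIDATE_INT, array('options' => array(
                    'min_range' => $rule['min'], 'max_range' => $rule['max'])));
                if ($v === false) {
                    throw new InvalidArgumentException("bad integer: $name");
                }
                $clean[$name] = $v;
                break;
            case 'string':
                // Length is checked in bytes so an over-long value never reaches the column.
                $len = strlen($value);
                if ($len < $rule['min_len'] || $len > $rule['max_len']
                    || !preg_match($rule['pattern'], $value)) {
                    throw new InvalidArgumentException("bad string: $name");
                }
                $clean[$name] = $value;
                break;
        }
    }
    return $clean;
}

// Usage: $_POST has already been passed through strip_magic_quotes() as in the quoted post.
try {
    $clean  = validate_input($_POST, $rules);
    $mysqli = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname'); // assumed credentials
    $stmt   = $mysqli->prepare('SELECT id FROM users WHERE id = ? AND name = ?');
    $stmt->bind_param('is', $clean['user_id'], $clean['username']); // 'i' = int, 's' = string
    $stmt->execute();
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Invalid input';
}
```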