Best way to prevent sql injection?

**duuudie** · Mar 9, 2005 06:44

Originally Posted by CapitalWebHost

So you're saying I should put all incoming vars through this:

Code:

function strip_magic_quotes($arr) 
{ 
    foreach ($arr as $k => $v) 
    { 
        if (is_array($v)) 
            { $arr[$k] = strip_magic_quotes($v); } 
        else 
            { $arr[$k] = stripslashes($v); } 
    } 

    return $arr; 
} 

if (get_magic_quotes_gpc()) 
{ 
    if (!empty($_GET))    { $_GET    = strip_magic_quotes($_GET);    } 
    if (!empty($_POST))   { $_POST   = strip_magic_quotes($_POST);   } 
    if (!empty($_COOKIE)) { $_COOKIE = strip_magic_quotes($_COOKIE); } 
}

and then addslash any that are being used to build a query?

Hmm..makes sense...extra work..lol..but makes sense.

not that much extra work

just include this recursive function at the top of all your pages dealing with gpc and you're done.

Also, do not just use mysql_real_escape_string() but also check the expected lengths data type of your variables. See the functions I posted a few posts above as they might save you some time.

User Tag List

Thread: Best way to prevent sql injection?

Thread Tools

Display

Threaded View

Bookmarks

Bookmarks

Posting Permissions