Anti-SQL Injection Function


Published in: PHP 




    function cleanuserinput($dirty){
        // Assumption: the first branch was missing from the page; it is reconstructed
        // here as the usual magic_quotes_gpc check, which strips the backslashes PHP
        // added automatically so the value is not escaped twice.
        if (get_magic_quotes_gpc()) {
            $clean = mysql_real_escape_string(stripslashes($dirty));
        } else {
            $clean = mysql_real_escape_string($dirty);
        }
        return $clean;
    }


Comments

Posted By: Shocker on January 30, 2008

Please note almost any string values used in mysql queries should be escaped, and not all of these values are user input which has escaped characters from magic quotes GPC (e.g. regular vars from the script).

I'd add an additional optional parameter (bool) which defines whether the parameter $dirty is coming from a GPC variable or not. :)

Posted By: philipolson on February 27, 2008

Note: mysql_real_escape_string() requires that a valid mysql connection (mysql_connect()) exists to work... see the PHP manual for details.

Posted By: llbbl on April 2, 2008

"mysql_real_escape_string() requires that a valid mysql connection"

The "mysql_" appended to the function might have been a clue. :)

Posted By: llbbl on April 2, 2008

*append = prefix

Posted By: sarfraznawaz2005 on February 11, 2009

With mysql_real_escape_string alone, you are not 100% secure; consider going for the function titled "Prevent SQL Injection".
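The point above, that escaping alone is not a complete defence, comes down to context: escaping neutralises quote characters, which only helps when the value is placed inside quotes. The following is an added example, not the snippet's own code or the "Prevent SQL Injection" function it refers to. It runs offline against an in-memory SQLite database through PDO (pdo_sqlite); the users table, its rows, the function names and the hostile input are all constructed here. Because mysql_real_escape_string() needs a live MySQL connection, the example uses a small helper that applies the same backslash-escaping rules.

```php
<?php
// Added example, not part of the original snippet. Uses PDO with SQLite so it
// runs without a MySQL server; table, rows and inputs are constructed below.

// Mimics what mysql_real_escape_string() does to a value (the real function needs
// a live MySQL connection): backslash-escape NUL, \n, \r, \, ', " and Ctrl-Z.
function escapeLikeMysql(string $value): string
{
    return str_replace(
        ["\\",   "\0",  "\n",  "\r",  "'",   "\"",   "\x1a"],
        ["\\\\", "\\0", "\\n", "\\r", "\\'", "\\\"", "\\Z"],
        $value
    );
}

// Escaping-only lookup, in the style of the snippet. The value is dropped into an
// unquoted numeric position, so there is nothing for the escaper to act on and
// any SQL syntax in the input is evaluated as part of the query.
function namesByIdEscaped(PDO $pdo, string $id): array
{
    $sql = "SELECT name FROM users WHERE id = " . escapeLikeMysql($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared-statement lookup: validate the expected type first, then bind the
// value. Bound parameters never become part of the SQL text, so the quoting
// context no longer matters.
function namesByIdPrepared(PDO $pdo, string $id): array
{
    if (!ctype_digit($id)) {
        return [];                   // not an id at all: reject, don't query
    }
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed fixture: two users in an in-memory database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Constructed input: a valid-looking id followed by a tautology.
$hostile = '1 OR 1=1';

print_r(namesByIdEscaped($pdo, $hostile));   // escaping leaves the tautology intact
print_r(namesByIdPrepared($pdo, $hostile));  // rejected by the ctype_digit check
print_r(namesByIdPrepared($pdo, '2'));       // the normal, well-formed case
```

Running it shows the escaped query returning every user, because the input contains no character that escaping touches, while the prepared version either rejects the input or binds it as an integer. The same two-step pattern (validate the type, then bind) also covers Shocker's concern above, since the decision no longer depends on where the value came from or whether magic quotes already modified it.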
