Sanitize data to prevent SQL Injection Attacks


/ Published in: PHP
Save to your folder(s)

This is a simple function that sanitizes the data before sending it to MySQL. First it removes whitespaces from the beginning and ending of the string. If magic_quotes_gpc is enabled and the data has been already escaped we will apply stripslashes() to the data. This way the data won’t be escaped twice when mysql_real_escape_string() is called.

Example:
$username = sanitize($_POST['username']);
$password = sanitize($_POST['password']);


Copy this code and paste it in your HTML
  1. 1. function sanitize($data)
  2. 2. {
  3. 3. // remove whitespaces (not a must though)
  4. 4. $data = trim($data);
  5. 5.
  6. 6. // apply stripslashes if magic_quotes_gpc is enabled
  7. 8. {
  8. 9. $data = stripslashes($data);
  9. 10. }
  10. 11.
  11. 12. // a mySQL connection is required before using this function
  12. 13. $data = mysql_real_escape_string($data);
  13. 14.
  14. 15. return $data;
  15. 16. }

Report this snippet


Comments

RSS Icon Subscribe to comments

You need to login to post a comment.