Reply to mysql_real_escape_string();

Your name:

Reply:


Posted by JM Ivler on 02/12/07 04:11

Is there really any time when I don't want to run every _POST and _GET
through mysql_real_escape_string() before I use that data in accessing
the database?

In other words, is there a good reason why I shouldn't have a function
that walks through the POST[] and GET[] arrays and processes the
mysql_real_escape_string() function against the data in order to ensure
that there will be no attempts to do an SQL inject?

My thinking is that this function could be run at the top of my page
init and in doing so it will ensure that there can be no sql injection.
Am I missing something "very bad" that this could do instead?


function cleanall()
{
foreach($_POST as $key => $val)
{
$_POST[$key] = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
$$key = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
}
foreach($_GET as $key => $val)
{
$_GET[$key] = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
$$key = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
}
}

[Back to original message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация