Posted by JM Ivler on 02/12/07 04:11
Is there really any time when I don't want to run every _POST and _GET
through mysql_real_escape_string() before I use that data in accessing
the database?
In other words, is there a good reason why I shouldn't have a function
that walks through the POST[] and GET[] arrays and processes the
mysql_real_escape_string() function against the data in order to ensure
that there will be no attempts to do an SQL injection?
My thinking is that this function could be run at the top of my page
init and in doing so it will ensure that there can be no SQL injection.
Am I missing something "very bad" that this could do instead?
function cleanall()
{
    // Rewrite every POST value in place: HTML-encode it (quotes included),
    // strip any tags, then remove backslashes.
    foreach ($_POST as $key => $val) {
        $_POST[$key] = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
        // Also copy the value into a local variable named after the key
        // (a "variable variable"); it only exists inside this function.
        $$key = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
    }
    // Same treatment for every GET value.
    foreach ($_GET as $key => $val) {
        $_GET[$key] = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
        $$key = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
    }
}
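Two things a blanket cleanall() does not account for, shown as an added example that is not part of the original post: escaping at input time rewrites the stored data, and quote-escaping only protects values that sit inside quoted string literals. The example assumes PHP with the pdo_sqlite extension, uses a constructed in-memory table, and uses addslashes() as a stand-in for mysql_real_escape_string() (which needs a live MySQL connection).

```php
<?php
// Added example, not from the original post. Assumes the pdo_sqlite
// extension; the table and rows are constructed for the demo.
// addslashes() stands in for mysql_real_escape_string() here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// 1. Input-time "cleaning" changes the data before it reaches SQL.
//    The cleanall() chain turns O'Reilly into O&#039;Reilly, so that is
//    what would be stored, and every non-HTML consumer of the column
//    (CSV export, e-mail, JSON API) would later see the HTML entity.
$raw     = "O'Reilly";
$cleaned = stripslashes(strip_tags(htmlspecialchars($raw, ENT_QUOTES)));
var_dump($cleaned);                        // string(13) "O&#039;Reilly"

// A prepared statement stores the real value; the driver does the quoting.
$ins = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$ins->execute([':name' => $raw]);
$stored = $db->query('SELECT name FROM users WHERE id = 3')->fetchColumn();
var_dump($stored === $raw);                // bool(true)

// 2. Quote-escaping only protects quoted string literals. An unquoted
//    numeric parameter contains no quote to escape, so the "escaped"
//    value still changes the meaning of the WHERE clause.
$id  = "1 OR 1=1";
$sql = 'SELECT COUNT(*) FROM users WHERE id = ' . addslashes($id);
var_dump((int) $db->query($sql)->fetchColumn());   // int(3), not int(1)

// Validate the type first, then bind it; bound values are never parsed as SQL.
$safeId = filter_var($id, FILTER_VALIDATE_INT);
if ($safeId === false) {
    echo "rejected: id is not an integer\n";       // this branch runs
} else {
    $sel = $db->prepare('SELECT COUNT(*) FROM users WHERE id = :id');
    $sel->bindValue(':id', $safeId, PDO::PARAM_INT);
    $sel->execute();
    var_dump((int) $sel->fetchColumn());
}

// 3. Encode for HTML at output time, in the context where it is needed.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";  // O&#039;Reilly
```

The pattern this illustrates is to keep the raw value, validate it against what the field should contain, and apply SQL parameter binding or HTML encoding at the point of use rather than once at the top of the page.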