Sanitizing user data for database usage

    Date: 06/09/06 (PHP Community)    Keywords: mysql, sql

    I know it's an age-old question, but I just wanted your opinions on it: How should I be sanitizing my data before using it in my MySQL queries so as to prevent against nasties like SQL injection attacks?

    At the moment I'm using the function below - is this sufficient?

    Thanks in advance. :)


    /*
    safeVar Function
    Rids variables of nasty characters

    $var = safeVar ($var);
    */
    function safeVar ($value) {
        // Undo magic_quotes_gpc so the value is not escaped twice
        if (get_magic_quotes_gpc ()) {
            $value = stripslashes ($value);
        }

        // Quote and escape unless the value is numeric
        if (!is_numeric ($value)) {
            $value = "'" . mysql_real_escape_string ($value) . "'";
        }

        return $value;
    }

    Source: http://community.livejournal.com/php/458935.html
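Added example, not from the original post or its author: the same lookup written with PDO prepared statements, which bind the user's value as a parameter instead of escaping and quoting it into the SQL text. It runs offline against SQLite's in-memory database; the table, column names, sample rows and the MySQL DSN in the comment are all assumed.

```php
<?php
// Added example (not from the original post): prepared statements with PDO.
// Uses sqlite::memory: so it runs offline; for MySQL the DSN would look like
// 'mysql:host=localhost;dbname=app;charset=utf8mb4' (assumed values) and
// PDO::ATTR_EMULATE_PREPARES should be set to false on that connection.

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    // Throw on any driver error instead of silently returning false.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Validate the shape of the input first (an id must be an integer), then bind
// each value as a typed parameter; the driver handles quoting and escaping.
function findUser(PDO $pdo, string $rawId, string $rawName): array {
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id OR name = :name');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':name', $rawName, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- constructed sample schema and rows (assumed, not from the post) ---
$pdo = connect();
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$ins = $pdo->prepare('INSERT INTO users (id, name) VALUES (:id, :name)');
foreach ([[1, 'alice'], [2, "o'neil"]] as [$id, $name]) {
    $ins->execute([':id' => $id, ':name' => $name]);
}

// A name containing a quote is compared literally, never parsed as SQL.
var_dump(findUser($pdo, '2', "o'neil"));

// An id that is_numeric() would accept but that is not an integer is
// rejected before any SQL is built.
try {
    findUser($pdo, '1e3', 'alice');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Unlike mysql_real_escape_string, which needs an open connection and escapes according to that connection's character set, a bound parameter does not depend on the escaping matching the server's interpretation of the query text.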
