Sanitizing user data for database usage
Date: 06/09/06
(PHP Community) Keywords: mysql, sql
I know it's an age-old question, but I just wanted your opinions on it: How should I be sanitizing my data before using it in my MySQL queries so as to protect against nasties like SQL injection attacks?
At the moment I'm using the function below - is this sufficient?
Thanks in advance. :)
/*
 safeVar Function
 Escapes a value for use in a MySQL query and quotes it unless it is an integer.
 Requires an open mysql_connect() link, since mysql_real_escape_string uses it.
 $var = safeVar ($var);
*/
function safeVar ($value) {
    // Undo magic_quotes_gpc escaping first, so the value is not escaped twice
    if (get_magic_quotes_gpc ()) {
        $value = stripslashes ($value);
    }
    // Quote if not integer (an optional sign followed only by digits);
    // anything else is escaped for the current connection and wrapped in quotes
    if (!preg_match ('/^-?[0-9]+$/', $value)) {
        $value = "'" . mysql_real_escape_string ($value) . "'";
    }
    return $value;
}
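An added example, not from the original post: the helper above decides "integer" with is_numeric(), which also accepts exponents and leading whitespace, so those strings would be interpolated into the query unquoted. The script below contrasts that check with a strict one and then shows the same lookup done with PDO prepared statements, where the value is bound separately from the SQL text and no quoting decision is needed. It uses an in-memory SQLite database (assumed available) as a stand-in for MySQL; the `users` table and sample inputs are constructed for the example.

```php
<?php
// Strict check: only an optional sign followed by digits counts as an integer.
function isStrictInteger(string $value): bool {
    return preg_match('/^-?[0-9]+$/', $value) === 1;
}

// Constructed inputs a form field might deliver. is_numeric() accepts '1e3'
// and ' 42' (and '0x1A' on PHP < 7); the strict check accepts only '42' and '-7'.
$samples = ['42', '-7', '1e3', ' 42', '0x1A', '42abc', '1 OR 1=1'];
foreach ($samples as $s) {
    printf("%-12s is_numeric=%-5s strict=%s\n", var_export($s, true),
        var_export(is_numeric($s), true), var_export(isStrictInteger($s), true));
}

// Parameterised queries with PDO: the bound value never becomes part of the
// SQL text. SQLite in memory stands in for MySQL; only the DSN would change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

// Lookup by id: reject anything that is not a plain integer before querying.
function findUserById(PDO $pdo, string $rawId): ?array {
    if (!isStrictInteger($rawId)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Lookup by name: quotes inside the value are just characters of the name.
function findUserByName(PDO $pdo, string $name): ?array {
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

var_dump(findUserById($pdo, '2'));               // id 2, name bob
var_dump(findUserById($pdo, '2 OR 1=1'));        // NULL: rejected before any query
var_dump(findUserByName($pdo, 'alice'));         // id 1, name alice
var_dump(findUserByName($pdo, "bob' OR '1'='1")); // NULL: no user has that literal name
```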
Source: http://community.livejournal.com/php/458935.html