PHP MySQL Injection Protection

Question

Possible Duplicate:
Best way to prevent SQL injection in PHP?

I have the following function I call when using variables passed from another page. My question is, can I add urlencode information to this and have a single function I use, or is it best to have separate functions for variables I pass information through the address bar vs. a hidden form field?

I am not using PDO, and I typecast when possible.

function checkInput($value) {
// Stripslashes
if (get_magic_quotes_gpc())

// Stripslashes
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}

// Quote if not a number
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
return $value;
}

Thank you for your assistance!

This has been asked before: http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php hope this helps :) — Michael Ryan, Oct 10 '12 at 01:18

score 1 · Answer 1 · answered Oct 10 '12 at 01:21

1

Mysqli also supports prepared statements. If mysqli isn't available, there's always systems like PEAR DB that offers prepared statements as well.

answered Oct 10 '12 at 01:21

Simon Germain

6,834
1
27
42

Yup, there's no reason not to use prepared statements. The classic `mysql_*` functions should be considered deprecated. They're old tech that have far better modern counterparts. – Major Productions Oct 10 '12 at 01:25
1

Sometimes, people don't have a choice of which technology stack they work on. Mysqli might not be enabled either, in which case, the only option is mysql_*. :) – Simon Germain Oct 10 '12 at 01:29

PHP MySQL Injection Protection

1 Answers1