<?php
function clean( $value ) {

    // SQL step: depends on the legacy mysql_* extension; undoes magic_quotes
    // before escaping, or falls back to addslashes() when mysql_* is absent.
    if ( function_exists( "mysql_real_escape_string" ) ) {
        if ( get_magic_quotes_gpc() ) { $value = stripslashes( $value ); }
        $value = mysql_real_escape_string( $value );
    } else {
        if ( !get_magic_quotes_gpc() ) { $value = addslashes( $value ); }
    }

    // HTML step: strip tags, then encode with htmlentities(); the following
    // htmlspecialchars() call re-encodes the '&' of the entities just produced.
    $value = strip_tags( $value );
    $value = htmlentities( $value, ENT_QUOTES, 'utf-8' );
    $value = htmlspecialchars( $value, ENT_QUOTES, 'utf-8' );

    return $value;
}


if(isset($_GET))
{
    foreach($_GET as $k=>$v)
    {
        echo clean($v);
    }
}

When I try

http://localhost/test.php?act=add_credit&rid=975&total=%22%20onmouseover%3dprompt%28929649%29%20bad%3d%

I see

add_credit975" onmouseover=prompt(929649) bad=%

It means onmouseover=prompt(929649) gets through ... as stupid as it sounds, I don't have direct access to that website ... someone just gave me a webpage and asked me to make it safe.

And using PDO, prepared statements, sqli and ..... are out of the question.

max

2 Answers

can this function prevent sql injection and xss ?

No.

Your Common Sense

No, it's not, and SQL injection != XSS.

You need to escape data to prevent SQL injection before you insert it in the database. I suggest you use PDO and prepared statements instead of *_real_escape_string.

To prevent XSS exploits, escape your data before sending it to the screen as HTML. Usually you do this after you get it from the database. In most cases strip_tags and htmlspecialchars are enough. Examples:

<p> <?= $untrustedData; ?> </p>                      <!-- <- strip tags -->
<a name="<?= $untrustedData; ?>"> trusted data </a>  <!-- <- htmlspecialchars -->
nice ass
  • Thanks, I didn't say SQL injection == XSS! .... Anyway, the first part of the clean function (almost 9 lines) is to escape data; are you saying that won't do it? – max May 11 '13 at 19:46
  • I'm saying that choosing the right filter depends on the context. There's no magic function that's right for every situation – nice ass May 11 '13 at 19:48
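As an added example (not code from the question or from either answer), here is what the second answer's "escape per context" advice looks like in PHP: one escaper for HTML text and for quoted attribute values, and a PDO prepared statement for the SQL side, run against the question's own total= value. The credits table and its columns are assumed placeholders, and the in-memory SQLite database exists only so the script runs without a server.

```php
<?php
// Added example: escaping chosen per output context, instead of one clean()
// function applied to every value regardless of where it ends up.
declare(strict_types=1);

// HTML text and double-quoted attribute values. ENT_QUOTES encodes both
// quote characters so a value can never close the attribute it sits in;
// ENT_SUBSTITUTE avoids an empty result on invalid UTF-8 input.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Emit name="value". The quotes are mandatory: in an unquoted attribute a
// space already ends the value, and no amount of entity encoding fixes that,
// which is exactly the situation the question's output shows.
function htmlAttr(string $name, string $value): string
{
    return $name . '="' . escapeHtml($value) . '"';
}

// SQL side: the value is bound as a parameter and never spliced into the
// query text, so no escaping step (and no addslashes) is needed here.
function insertCredit(PDO $db, string $rid, string $total): void
{
    // Assumed schema (placeholder): credits(rid, total)
    $stmt = $db->prepare('INSERT INTO credits (rid, total) VALUES (:rid, :total)');
    $stmt->execute([':rid' => $rid, ':total' => $total]);
}

// Constructed input: the decoded total= parameter from the question's URL.
$total = '" onmouseover=prompt(929649) bad=%';

// Context 1: HTML text node.
echo '<p>' . escapeHtml($total) . "</p>\n";

// Context 2: quoted attribute value.
echo '<input ' . htmlAttr('value', $total) . ">\n";

// Context 3: SQL, via a prepared statement against an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE credits (rid TEXT, total TEXT)');
insertCredit($db, '975', $total);

// The stored value is the original string, untouched by any HTML escaping;
// escaping for HTML happens only when the value is rendered, as the answer says.
$row = $db->query('SELECT total FROM credits')->fetch(PDO::FETCH_ASSOC);
var_dump($row['total'] === $total);
```

The point to take from this is that the same string is handled three different ways: entity-encoded for the text node and for the attribute, and bound as a parameter for SQL. Running the original clean() on it before storage would leave entity-encoded (and partly double-encoded) text in the database, while still doing nothing for an attribute that is not quoted.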