is my function correct about SQL injection

Question

for some reasons i can't use PDO so i have created a simple function to clean input data, please view and suggest modification to prevent from SQL and XSS. here is function.

function cleanStr($cStr) {
    $cStr = trim($cStr);
    $cStr = htmlspecialchars($cStr);
    $cStr = addslashes($cStr);
    return $cStr; }

i am using PHP: 5.6.3, i don't know mysql_real_espac_string is working with it or not — saleem, Feb 14 '15 at 07:02
What database adapter are you using? Your database adapter will have appropriate escaping functions. Read [The Great Escapism (Or: What You Need To Know To Work With Text Within Text)](http://kunststube.net/escapism/) — deceze, Feb 14 '15 at 07:33

score 1 · Answer 1 · answered Feb 14 '15 at 06:58

1

Try to avoid doing this kind of escaping yourself, as it is not always easy to catch all injection possibilities.

If you are using MySQL and cannot use PDO, see if you can make use of the mysqli_real_escape_string function instead.

answered Feb 14 '15 at 06:58

mhall

3,671
3
23
35

score -1 · Answer 2 · answered Feb 14 '15 at 06:57

-1

You can also add more a function to prevent SQL injection

$cStr = mysql_real_escape_string($cStr);

answered Feb 14 '15 at 06:57

Renderlife

50
4

2

mysql is deprecated. Don't use it. – Gogol Feb 14 '15 at 06:59

is my function correct about SQL injection

2 Answers2