I have a general question about how to make a string safe to use in a query.
I have a secureinput function which runs all of the $_POST and $_GET values through a few PHP functions to make them safe. The re-formatting seems to work, but I still get an error with single quotes, even though they are properly escaped with a backslash by mysqli_real_escape_string().
Here's how it runs:
// function which is run on every POST and GET value
function secureinput($link, $value) {
    // remove any backslashes, then encode HTML special characters
    $value = htmlentities(stripslashes($value));
    // blank out the word "script" (case-insensitive)
    $value = str_ireplace("script", "blocked", $value);
    // escape quotes and backslashes for use inside a MySQL string literal
    $value = mysqli_real_escape_string($link, $value);
    return $value;
}
// then I have another function which performs all of the mysqli requests, and it starts with converting all the POST and GET data
if(isset($_POST)) {
    // $post is a copy of each value; the converted value is echoed for inspection
    foreach($_POST as $post) {
        $post = secureinput($link, $post);
        echo "post converted<pre>" . $post . "</pre><br />";
    }
}
if(isset($_GET)) {
    foreach($_GET as $get) {
        $get = secureinput($link, $get);
        echo "get converted<pre>" . $get . "</pre><br />";
    }
}
The output looks fit for a query, but the query is still broken:
"Some text that doesn\'t work"
How can it still fail?
I have CKEditor implemented for some textareas, and it sends an alternative for single quotes which works perfectly in a query: CKEditor replaces them with &#39;.
Is there a function in PHP which can do the same, instead of backslashes? It would also be good to have single quotes formatted in the same way.
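Editor's note, with an added example that is not part of the question above and not the asker's code. Two things are visible in the posted code: the loop `foreach($_POST as $post)` works on a copy of each value, so `$_POST` itself is never changed by `secureinput()`, and escaping for HTML (`htmlentities`) and for SQL (`mysqli_real_escape_string`) are mixed into one step that runs before the data reaches either the query or the page. The PHP below shows the approach a practitioner would use instead: keep the raw value, send it to MySQL through a prepared statement with a bound parameter (so a quote can never close the string literal in the query), and apply `htmlspecialchars(..., ENT_QUOTES)` only when printing, which yields the `&#039;` form the question mentions from CKEditor. The table `comments`, the connection credentials and the sample `$_POST` values are all constructed assumptions for this example.

```php
<?php
// Added example (editor's, not the asker's code). Assumes a table
//   comments (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT)
// and the connection details below; all of these are hypothetical.
declare(strict_types=1);

// Make mysqli throw on errors instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$link = new mysqli('localhost', 'app_user', 'secret', 'app_db'); // assumed credentials
$link->set_charset('utf8mb4');

// Constructed sample input standing in for $_POST: the value that broke the
// query in the question, plus an input that tries to break out of a quoted
// string and run a second statement.
$_POST = [
    'body' => "Some text that doesn't work",
    'evil' => "x'); DROP TABLE comments; --",
];

// 1. foreach by value (as in the question) leaves $_POST untouched. If a
//    cleaned copy is wanted, build a new array keyed like the original.
//    Do NOT escape for SQL or HTML here: each happens at its point of use.
function cleanInput(array $input): array {
    $out = [];
    foreach ($input as $key => $value) {
        $out[$key] = is_string($value) ? trim($value) : $value;
    }
    return $out;
}

// 2. Storing: the SQL text and the data travel separately, so a quote in
//    the value is just data and cannot terminate the literal.
function insertComment(mysqli $link, string $body): int {
    $stmt = $link->prepare('INSERT INTO comments (body) VALUES (?)');
    $stmt->bind_param('s', $body);   // 's' = bind as a string
    $stmt->execute();
    return $link->insert_id;
}

// 3. Reading back: the row holds the original text, backslash-free.
function fetchComment(mysqli $link, int $id): ?string {
    $stmt = $link->prepare('SELECT body FROM comments WHERE id = ?');
    $stmt->bind_param('i', $id);     // 'i' = bind as an integer
    $stmt->execute();
    $stmt->bind_result($body);
    return $stmt->fetch() ? $body : null;
}

$clean = cleanInput($_POST);
foreach ($clean as $name => $value) {
    $id     = insertComment($link, $value);
    $stored = fetchComment($link, $id);

    // 4. Escape for HTML only when printing, and only for the HTML context.
    //    ENT_QUOTES encodes ' as &#039;, the form the question saw CKEditor send.
    echo $name, ' stored as id ', $id, ': <pre>',
         htmlspecialchars($stored ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
         "</pre><br />\n";
}
```

Run against a database with the assumed table, both rows are inserted as literal text: the `evil` value ends up stored as the string `x'); DROP TABLE comments; --` rather than being executed, and `doesn't` is stored with its plain apostrophe, so no `&#39;` substitution on the way in is needed. Note that entity-encoding quotes before storage (the CKEditor behaviour the question asks to replicate) only hides the symptom: the database then contains `&#39;` instead of `'`, and any consumer other than an HTML page sees mangled data.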