```php
function filter($data) {
    $db = mysqli_connect(DB_SERVER, DB_USER, DB_PASS, DB_NAME);
    $data = trim(htmlentities(strip_tags($data)));
    if (get_magic_quotes_gpc())
        $data = stripslashes($data);

    $data = mysqli_real_escape_string($db, $data);
    $date = strip_tags($data);
    return $data;
}
```

I used this function and

```php
if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}
```

and mysqli_real_escape_string and str_replace and strip slashes and many other things, but nothing seems to work. I don't know what to do now. I can't migrate to PDO as I have written the whole code in mysqli. Any help please...

The filter function is working well on all scripts in all POST requests except one textbox on this page.

  • 1
    Use parameterized queries. http://php.net/manual/en/mysqli.quickstart.prepared-statements.php Then you don't need to escape.. – chris85 May 06 '16 at 20:11
  • 2
    *I can't migrate to PDO as I have written whole code in mysqli...* Well then, learn prepared statements for [mysqli](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). [And this is how you can prevent SQL injection in PHP](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Rajdeep Paul May 06 '16 at 20:12
  • Can I use this without switching to PDO? – Devinder Prasad May 06 '16 at 20:13
  • *Yes, you can. :-)* – Rajdeep Paul May 06 '16 at 20:16
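
The mysqli prepared-statement approach the comments point to, as an added example that is not part of the original thread. It assumes the `DB_*` constants from the question are defined and reach a MySQL server where temporary tables may be created; the `comments` table, `body` column and both function names are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumes the DB_* constants from the
// question are defined; table, column and function names are hypothetical.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

function save_comment(mysqli $db, string $body): int
{
    // The value is sent separately from the SQL text, so quotes, backslashes
    // and tags in it cannot alter the statement. No escaping or stripping.
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
    $stmt->bind_param('s', $body);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

function load_comment(mysqli $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($body);
    $found = $stmt->fetch();   // true on a row, null when there is none
    $stmt->close();
    return $found ? $body : null;
}

$db = new mysqli(DB_SERVER, DB_USER, DB_PASS, DB_NAME);
$db->set_charset('utf8mb4');
$db->query('CREATE TEMPORARY TABLE comments (
    id INT AUTO_INCREMENT PRIMARY KEY, body TEXT NOT NULL)');

// Constructed input of the kind a free-text box receives.
$input = "O'Reilly said \"5 > 3\" <b>bold</b> C:\\temp";

$id     = save_comment($db, $input);
$stored = load_comment($db, $id);

// Compare what came back from the database with what was submitted.
var_dump($stored === $input);

// HTML-encode only when writing into a page, not before storing.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

Keeping storage (bound parameters) and display (`htmlspecialchars` at output time) separate replaces the combined `filter()` step, which alters text before it reaches the database.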
