I am looking for the best MySQL Post Injection proofing control.

Currently I use

function inputclean($data) {
    // Strip all HTML from the input
    $data = strip_tags($data);

    // Stripslashes
    if (get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }

    // Quote if not a number or a numeric string
    if (!is_numeric($data)) {
        $data = "'" . mysql_escape_string($data) . "'";
    }

    return $data;
}

I know there are better, more secure ways of checking input; it's just difficult to know which function to use.

Any help would be great.

Thanks

    Stripping tags from the input does not prevent SQL injection, however it does corrupt potentially valid input by removing tags that you might have wanted.

    The solution in every case is to use the appropriate escaping function, at the time that you do the query.

    Parameterised queries are even better.

    There is no magic bullet, you can't iterate $_POST or anything, because you won't know at that point what is going to be done with stuff.

    This is what magic_quotes_gpc does, and it incorrectly escapes things that don't need escaping, resulting in massive annoying data corruption.

    Mark

      Try escaping potentially unwanted SQL commands:

      function escape_sql_commands($string)
      {
          // eregi_replace() was removed in PHP 7; preg_replace() with the
          // /i flag performs the same case-insensitive removal.
          return preg_replace("/ALTER|DROP|DELETE|REPLACE/i", "", $string);
      }

      🙂

        As MarkR said, using a function like sprintf() and working with the data at the time of the query is the most ideal solution, because you know what the data should look like and can therefore take special steps to clean it up.

        For example, if you're expecting a numeric amount for a field, use something like intval(). Or, if you don't want HTML used, use something like strip_tags(), etc. etc.
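        The approach the two posts above describe (validate each field for what it should contain at the point of use, and hand values to the database as parameters rather than pasting them into the SQL), as an added example that is not part of the thread. It uses PDO prepared statements with an in-memory SQLite database so it runs without a MySQL server; the table, column names and the $post array are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread: per-field validation plus PDO
// prepared statements. The orders table and the $post array are constructed.

// Validate a field that must be a positive integer. Returns null when the
// value is not acceptable: reject it rather than "cleaning" it into something.
function validate_positive_int(string $raw, int $max): ?int
{
    if (!ctype_digit($raw)) {        // digits only; intval('3abc') would silently give 3
        return null;
    }
    $n = (int) $raw;
    return ($n >= 1 && $n <= $max) ? $n : null;
}

// Validate free text. Apostrophes, SQL keywords and other characters are kept:
// bound as a parameter they are data, never SQL. Only the column length is enforced.
function validate_comment(string $raw, int $maxLen = 500): ?string
{
    $s = trim($raw);
    return (mb_strlen($s) <= $maxLen) ? $s : null;
}

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // With a MySQL DSN also set PDO::ATTR_EMULATE_PREPARES => false so the
        // server, not the client driver, keeps statement and parameters apart.
    ]);
    $db->exec('CREATE TABLE orders (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        product_id INTEGER NOT NULL,
        quantity INTEGER NOT NULL,
        comment TEXT NOT NULL)');
    return $db;
}

function insert_order(PDO $db, int $productId, int $qty, string $comment): int
{
    // The SQL text is fixed; user-supplied values travel separately as parameters.
    $stmt = $db->prepare(
        'INSERT INTO orders (product_id, quantity, comment) VALUES (:pid, :qty, :comment)'
    );
    $stmt->bindValue(':pid', $productId, PDO::PARAM_INT);
    $stmt->bindValue(':qty', $qty, PDO::PARAM_INT);
    $stmt->bindValue(':comment', $comment, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

function fetch_comment(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT comment FROM orders WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['comment'];
}

// Constructed stand-in for $_POST: ordinary text containing an apostrophe and
// an SQL keyword, which strip_tags()/keyword blacklists would mangle or reject.
$post = [
    'product_id' => '42',
    'quantity'   => '3',
    'comment'    => "O'Brien asked us to DROP the gift wrap",
];

$pid     = validate_positive_int($post['product_id'], 1000000);
$qty     = validate_positive_int($post['quantity'], 1000);
$comment = validate_comment($post['comment']);

if ($pid === null || $qty === null || $comment === null) {
    exit('invalid input' . PHP_EOL);
}

$db = open_db();
$id = insert_order($db, $pid, $qty, $comment);
echo fetch_comment($db, $id), PHP_EOL;   // stored exactly as typed, quote and all
```

        Run it with `php example.php`; it prints the comment unchanged. Replacing the SQLite DSN with a MySQL one and adding the ATTR_EMULATE_PREPARES setting noted in the comment is the only change needed for a real connection.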

          mysql_real_escape_string() should be used instead of mysql_escape_string() because it takes into consideration the locale used for the connection...

            Escaping "potentially unwanted SQL commands" is pretty useless because it will corrupt your data, and won't prevent injections.

            It will, however, stop legitimate English text from going through correctly.

            Mark
