[RESOLVED] make SQL query "safe"

centenial

Hi,

Does anyone know of a good function that makes an sql query "safe" to put inside the mysq_query() function? I tried the mysql_real_escape_string() function, but that saves a backslash in front of every quote I have in the database. Which is annoying.

Anyone have some advice?

NogDog

Sounds like you have magic_quotes_gpc enabled on your host.

function sanitize($value)
{
   if(!is_numeric($value))
   {
      if(get_magic_quotes_gpc())
      {
         $value = stripslashes($value);
      }
      $value = "'" . mysql_real_escape_string($value) . "'";
   }
   return($value);
}
$query = sprintf(
   "INSERT INTO table1 (col1, col2, col3) VALUES (%s, %s, %s)",
   sanitize($_POST['value1']),
   sanitize($_POST['value2']),
   sanitize($_POST['value3'])
);

bradgrafelman

In addition to making your code more versatile by checking for magic_quotes_gpc, you should also look into disabling magic_quotes_gpc altogether (e.g. in a .htacces file if you don't have access to the PHP config file).

centenial

Thanks!

bradgrafelman

Don't forget to mark this thread resolved (if it is).