Hello all, I'm attempting to secure a script to protect against SQL injection. But for some reason the code I'm using is not correctly escaping malicious characters.
Here's a section of the code I'm using (the beginning) that first pulls the data from the database:
<?php
include 'include/dbconnect.php';
include 'include/funcs.php';
if (isset($_GET['gid'])) {
    // "clean" the id with the helper from funcs.php, then interpolate it unquoted into the query
    $galleryid = cleanvar($_GET['gid']);
    $sql = "select * from galleries where id = $galleryid";
    $result = mysql_query($sql) or die(mysql_error());
    if ($row = mysql_fetch_assoc($result)) {
        $galleryid = $row['id'];
        $gallerytitle = $row['title'];
    }
}
the cleanvar function is located in funcs.php, and this is what it looks like:
<?php
// escape the value for MySQL, then strip backslashes (intended to undo magic_quotes_gpc)
function cleanvar ($var) {
    return stripslashes(mysql_real_escape_string($var));
}
magic_quotes_gpc is on, which is why I added stripslashes. But for some reason, whenever I go to the script and attempt to inject into it with a single or double quote, I still get a syntax error, enabling me to inject successfully.
Any ideas?
Thanks in advance!
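As an added example (this is not the poster's code), here is an offline check that shows what the escape-then-strip order does to a value, alongside a parameterised version of the gallery lookup. mysql_real_escape_string() backslash-escapes quotes, backslashes and NUL, and stripslashes() removes every backslash, so calling them in that order hands back the original input. The check below uses addslashes() as a stand-in for the escaping step (an assumption made so it runs without a database connection; the real function produces the same backslash escaping for quotes). The hardened lookup assumes a mysqli connection in `$db`, the mysqlnd driver (for `get_result()`), and the `galleries` table from the post; the `mysql_*` functions it replaces were removed in PHP 7.

```php
<?php
// Added example, not from the original post.

// Stand-in for mysql_real_escape_string() so this runs offline: both functions
// put a backslash in front of quotes, so stripslashes() undoes either of them.
function escape_then_strip(string $var): string {
    return stripslashes(addslashes($var));
}

// True when the "cleaned" value is byte-for-byte the original input,
// i.e. when the escaping has been completely undone.
function escaping_was_undone(string $input): bool {
    return escape_then_strip($input) === $input;
}

// Hardened lookup: the id is validated as a positive integer and bound as an
// int parameter, so no string escaping is involved at all (and magic_quotes_gpc
// is irrelevant, because a quoted value simply fails validation).
function fetch_gallery(mysqli $db, $gid): ?array {
    $id = filter_var($gid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject anything that is not a plain integer instead of trying to clean it
    }
    $stmt = $db->prepare('SELECT id, title FROM galleries WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed sample inputs for the offline demonstration.
foreach (["it's", 'say "hi"', 'C:\\path', 'plain text'] as $sample) {
    printf("%-12s escaped: %-14s after stripslashes: %-12s undone: %s\n",
        $sample, addslashes($sample), escape_then_strip($sample),
        escaping_was_undone($sample) ? 'yes' : 'no');
}

// Usage of the hardened lookup (needs a live connection):
// $db = new mysqli('localhost', 'user', 'pass', 'dbname');
// $gallery = fetch_gallery($db, $_GET['gid'] ?? '');
```

Every sample comes back unchanged from escape_then_strip(), which is exactly why a quote in `gid` still reaches the query. Because `id` is compared as a number in the original query, the value is never inside quotes anyway, so escaping is the wrong tool for it; validating it as an integer and binding it as a parameter removes the problem regardless of the magic_quotes setting.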