Need help preventing SQL injection while keeping execution time down

[Cianz]

Hi, i've just started PHP and recently discovered the security issue that is SQL injection.

 

I've made additions to my script using examples from other coders, but at the cost of execution speed.

 

As a noob i'm asking for advice on my code below -- what can I do to speed up execution and also any mods or additions to the security.

 

Thanks! 

 

function anti_inject($data) {
if (get_magic_quotes_gpc()) {
	$data = stripslashes($data);
}
//if (!is_numeric($data)) { 
//	$data = "'" . mysql_real_escape_string($data) . "'"; 
//} 
$data = mysql_real_escape_string($data);
return $data;
}

function sql_failure_handler($query, $error) {
$msg = htmlspecialchars("Failed Query: {$query}<br>SQL Error: {$error}");
error_log($msg, 3, "sql_error_log");
if (defined('debug')) {
	return $msg;
}
return "Requested page is temporarily unavailable, please try again later.";
}

 

ob_start();
include ("includes/db.conf.php");
include ("includes/connect.inc.php");

$ref = parse_url($_SERVER['HTTP_REFERER']);
$retref = anti_inject($ref['host']);
$procref = str_replace("www.", "",$retref);

$query = "SELECT * FROM trades WHERE domain='$procref'";
$queryref = mysql_query($query) or die(sql_failure_handler($query, mysql_error()));
$qnum = mysql_num_rows($queryref);

$retip = anti_inject($_SERVER['REMOTE_ADDR']);

$query = "SELECT * FROM ips WHERE ips='$retip'";
$queryip = mysql_query($query) or die(sql_failure_handler($query, mysql_error()));
$qip = mysql_num_rows($queryip);

if (($qnum > 0)and($qip == 0)) {
$query = "UPDATE trades SET intoday=intoday+1, intotal=intotal+1 WHERE domain='$procref'";
mysql_query($query) or die(sql_failure_handler($query, mysql_error()));
$query = "INSERT INTO ips SET ips='$retip'";
mysql_query($query) or die(sql_failure_handler($query, mysql_error()));
}

 

 

[MiCR0]

I posted what I use here http://www.phpfreaks.com/forums/index.php/topic,200761.0.html