3motions Posted September 18, 2008
Do you guys know of any easy ways to prevent SQL injections in my PHP forms? Such as stripping out certain characters, etc? The reason I say easy is because I've already nearly completed programming my website without once thinking of preventing SQL injections, and I don't want to have to reprogram a lot of my code to implement it. Thanks!
peranha Posted September 18, 2008
Do you have a function that cleans data already, as far as other things? If so, just add mysql_real_escape_string() to the function.
3motions (Author) Posted September 18, 2008
Nope, I don't have any functions or anything. Am I able to add that to maybe $_POST calls, such as, "mysql_real_escape_string($_POST['username'])" or something? That way I can just add it to where the post is called in the script?
peranha Posted September 18, 2008
Yeah, you can.
3motions (Author) Posted September 18, 2008
Sweet, and this will definitely keep people from sending SQL injections through forms on my site? If so, then that's amazingly simple. Thanks a ton!
jamesbrauman Posted September 18, 2008
Be warned though, if magic_quotes are on and you use mysql_real_escape_string(), it can stuff things up. Instead of using mysql_real_escape_string(), pass the things you wish to clean through this function instead:

```php
function clean_string( $value )
{
    // Undo the slashes magic_quotes_gpc already added, so the value is not escaped twice.
    if ( get_magic_quotes_gpc() )
        $value = stripslashes( $value );
    // Escape for use inside a quoted string in a MySQL query (uses the current mysql connection).
    return mysql_real_escape_string( $value );
}
```
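Added example, not part of any post in this thread: the functions discussed above belong to PHP's old mysql extension, which was removed in PHP 7.0, and escaping only protects values placed inside quoted SQL strings, so this sketch does the same form lookups with PDO prepared statements instead. The `users` table, the function names and the sample inputs are constructed, and an in-memory SQLite database (pdo_sqlite) stands in for MySQL so the script runs offline.

```php
<?php
// Added example; table, function names and inputs are hypothetical/constructed.
// In-memory SQLite (pdo_sqlite) stands in for MySQL so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');

// Values are bound to placeholders, so they never become part of the SQL text.
function add_user(PDO $db, string $username): void
{
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (:u)');
    $stmt->execute([':u' => $username]);
}

function find_by_username(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric context: escaping alone does not protect here because the value is
// not inside quotes, so validate the type first and bind it as an integer.
function find_by_id(PDO $db, string $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}
// Constructed inputs standing in for $_POST['username'] and $_POST['id'].
add_user($db, "O'Brien");
add_user($db, 'alice');
expect(count(find_by_username($db, "O'Brien")) === 1, 'apostrophe is stored and matched as data');
expect(count(find_by_username($db, "x' OR '1'='1")) === 0, 'quote in input cannot alter the query');
expect(count(find_by_id($db, '1 OR 1=1')) === 0, 'non-integer id is rejected');
expect(count(find_by_id($db, '2')) === 1, 'valid id returns one row');
```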