
PHP Prevent SQL Injection


aeroswat


I found this function a long time ago and I have been using it ever since

 

function clean($str) {
	// Strip leading/trailing whitespace ("@" silences any warning, e.g. for non-string input).
	$str = @trim($str);
	// If magic_quotes_gpc already added backslashes to request data, undo that first
	// so the value is not escaped twice below.
	if(get_magic_quotes_gpc()) {
		$str = stripslashes($str);
	}
	// Escape the characters MySQL treats specially inside a quoted string literal.
	return mysql_real_escape_string($str);
}

 

But as I'm looking at it, will this actually prevent SQL injection? It doesn't seem like it would, unless I have an incomplete understanding of what these functions do.

https://forums.phpfreaks.com/topic/185242-php-prevent-sql-injection/

That would help prevent the SQL injection. Why don't you just turn off magic_quotes_gpc from php.ini and make the function even shorter? In this function, you are basically undoing and redoing the same thing. You are first removing the slashes and then using mysql_real_escape_string to add them.
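One caveat the thread does not spell out: mysql_real_escape_string only protects a value that is placed inside a quoted string literal. In an unquoted context (for example WHERE id = $value) there is nothing to escape, so the function above cannot help. The added example below (written for this page, not code from the thread or from PHP itself) shows that case next to the general fix, a prepared statement. It runs offline against an in-memory SQLite database through PDO, and the escape_like_mysql() helper is a stand-in that mirrors the characters mysql_real_escape_string escapes without needing a MySQL connection; the users table and its rows are constructed sample data. Note also that the mysql_* extension was removed in PHP 7 and get_magic_quotes_gpc() in PHP 8, so the original clean() will not even compile on current PHP.

```php
<?php
// Added example: escaping versus prepared statements for untrusted query input.
// Requires the pdo_sqlite extension. The table and rows below are constructed.

// Stand-in for mysql_real_escape_string(): escapes the same characters that
// function does, but needs no MySQL connection. It is not a replacement for it.
function escape_like_mysql(string $str): string {
    return strtr($str, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\0"   => "\\0",
        "\x1a" => "\\Z",
    ]);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Untrusted input as it might arrive in $_GET['id'] (constructed sample).
$input = '1 OR 1=1';

// 1) Escaping, then interpolating into an UNQUOTED integer context.
//    The input contains none of the escaped characters, so it is inserted
//    unchanged and the WHERE clause is widened to every row.
$escaped = escape_like_mysql($input);
$rows = $pdo->query("SELECT name FROM users WHERE id = $escaped")
            ->fetchAll(PDO::FETCH_COLUMN);
echo "escaped, unquoted: " . implode(',', $rows) . "\n";

// 2) Casting to int closes the integer case, but only for integer columns.
$rows = $pdo->query("SELECT name FROM users WHERE id = " . (int)$input)
            ->fetchAll(PDO::FETCH_COLUMN);
echo "cast to int:       " . implode(',', $rows) . "\n";

// 3) Prepared statement: the value is sent as data and never parsed as SQL,
//    whatever its type or content. This is the general fix for every context.
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$stmt->execute([':id' => $input]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo "prepared:          " . implode(',', $rows) . "\n";
```

Run with `php example.php`: the first query returns both alice and bob, the cast query returns only alice, and the prepared statement returns no row because the whole string is compared as a single value rather than executed as SQL. The same prepare/execute pattern works against MySQL with `new PDO('mysql:host=...;dbname=...', $user, $pass)` (connection details are placeholders) or with mysqli, and it removes the need for a clean() function entirely; trim() can still be applied to the value before binding if whitespace handling is wanted.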


 

I don't own the server or have access to the php.ini file as far as I know. Plus it makes the code portable in case I have to switch hosts.


Yes, portability is one reason.
