php mysql function building issue.

[monkeytooth]

Alright I have built a series of functions for a class I am building which all surprisingly work for the most part, some thanks to the help of everyone here.

 

But I am stuck yet again. My issue is

 

In any given php file I call my functions out like

$findSchool = countTableRows("var-user-cred", "TABLE_NAME", "WHERE School='".mysql_real_escape_string($myschoolChek)."' LIMIT 1");

 

The functions are all built similar to this according to its need:

function countTableRows($dbPIN, $tableName, $appndQ){
$run_conX = ax2crdb($dbPIN); //ax2crdb is a function to connect to the DB.
$totalcount_query   = "SELECT COUNT(*) AS totalcount_rows FROM ".$tableName." ".$appndQ."";
$totalcount_result  = mysql_query($totalcount_query) or die('Error #SQL0003: Query Failed.');
$totalcount_row     = mysql_fetch_array($totalcount_result, MYSQL_ASSOC);
$totalcount = $totalcount_row['totalcount_rows'];
return $totalcount;
}

 

my current issue is with mysql_real_escape_string I didn't realize I had to be already connected to the DB in a manor of speaking in order for that particular function to work, I thought it was a php function to work with mysql to strip my inputs of bad entities. Well in this case, quotes and what not, but yea. If you notice how I call out my functions for use you will most likely understand that the $appndQ could in a realistic way be just about anything. And if you will notice when I call the function the function will connect after its called not before. So using mysql_real_escape_string the way I am with no active connection at the moment kicks back an error. What I guess I am trying to figure out is Im going to need to build my own scrubbing filter but where should I start, and seeing as I am generally going for more than just injection blocking what should I filter out? has anyone ever built a filter to swap " with \" and remove <script .....> tags? is there already one somewhere I can just swipe and modify to my liking (yes I know thats not in the ethics here but im pressed for time so any shortcuts can help me greatly right now)?

 

 

 

[monkeytooth]

function cleaner4inputs($theInput){$theOutput = stripslashes($theInput);$theOutput = htmlspecialchars($theOutput, ENT_QUOTES); return $theOutput;/*$theOutput = htmlentities($theOutput);*/}

 

I use this on one of my other sites for some of the form inputs, anyone think thats enough? or should I be more in-depth about it? Go really deep striping and removing stuff? This site I am currently working on is expected to have several million users with a couple years time, its already got something like 20,000 lined up ready to sign up upon launch. Last thing I want is the site breaking within days of launch do to something that could have been prevented

[monkeytooth]

Would it be smart to build a function that does a connection to the DB runs the escape string query and then output the result back or is that just redundant, and a means of complication in the long run on server load.