phpmo Posted June 29, 2007

I have a large site and I've done my best to validate all the variables, but several weird things have happened to my DB that have me concerned a little about SQL injection. Is there a way, without knowing all the variables on each page in an array, that I can mysql_escape all of the passed variables? I found this but can't tell if it works and I don't know enough about it. I have a header that is loaded on all pages, so I just included this in it.

    foreach ($_POST as $key => $value) {
        // undo the slashes magic_quotes already added so the value is not escaped twice
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        $_POST[$key] = mysql_real_escape_string(trim($value));
    }
    foreach ($_GET as $key => $value) {
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        $_GET[$key] = mysql_real_escape_string(trim($value));
    }
KevinM1 Posted June 29, 2007

It looks like that should work, although I recommend putting your if-statement in one spot for readability and easier maintenance. I typically make my own escape function to do that, something like:

    <?php
    function myEscape($string) {
        // get_magic_quotes_gpc() must be called as a function; without the
        // parentheses PHP reads it as an (always truthy) undefined constant
        return get_magic_quotes_gpc()
            ? mysql_real_escape_string(stripslashes($string))
            : mysql_real_escape_string($string);
    }

    foreach ($_GET as $key => $value) {
        $_GET[$key] = myEscape($value);
    }
    foreach ($_POST as $key => $value) {
        $_POST[$key] = myEscape($value);
    }
    ?>

Given your concerns about SQL attacks, how are you validating your data beyond escaping it?
phpmo Posted June 29, 2007

Basically, anything that is only a number I do an is_numeric on, which should cover anything. For strings I usually do a $var = htmlspecialchars($var); as well as the escape.
phpmo Posted June 29, 2007

I also forgot to mention that I have Magic Quotes turned on.
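The following is an added example, not code posted by phpmo or KevinM1. It shows where a header that blindly escapes every request value does and does not help, and what the alternative looks like. It uses PDO with an in-memory SQLite database so it runs without a MySQL server (the only assumption is that the pdo_sqlite extension is loaded), and the `legacyEscape()` helper is a stand-in that mirrors what `mysql_real_escape_string()` does to a string, since the old mysql extension needs a live connection and was removed in PHP 7. The `$input` array is constructed request data standing in for `$_GET`/`$_POST`.

```php
<?php
// Added example: escaping vs. validation vs. parameter binding.
// Assumes the pdo_sqlite extension; no MySQL connection is needed.

// Stand-in for mysql_real_escape_string(): backslash-escape the characters
// MySQL treats specially. Defined here only so the script is self-contained.
function legacyEscape(string $s): string
{
    return strtr($s, [
        "\\"   => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0"   => "\\0",  "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, username) VALUES (1, 'alice'), (2, 'bob')");

// Constructed request input standing in for $_GET / $_POST.
$input = [
    'id'       => '1 OR 1=1',      // needs no quote or backslash to work
    'username' => "x' OR 'a'='a",  // the classic quoted-string payload
];

// 1. Escape-everything header, then an UNQUOTED numeric context.
//    The payload contains nothing legacyEscape() touches, so it is
//    interpolated unchanged and the WHERE clause reads "id = 1 OR 1=1",
//    which matches every row.
$sql  = 'SELECT id FROM users WHERE id = ' . legacyEscape($input['id']);
$rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
printf("escaped, unquoted: %s -> %d row(s)\n", $sql, count($rows));

// 2. Validate the type instead of escaping. FILTER_VALIDATE_INT is stricter
//    than is_numeric(): it rejects "1e3" and "1.0" as well as "1 OR 1=1".
$id = filter_var($input['id'], FILTER_VALIDATE_INT);
if ($id === false) {
    printf("validated:         rejected %s before it reached SQL\n",
        var_export($input['id'], true));
}

// 3. Prepared statements: the value never becomes part of the SQL text,
//    so quoting and escaping are handled by the driver, not the page.
$stmt = $db->prepare('SELECT id FROM users WHERE username = :u');
$stmt->execute([':u' => $input['username']]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
printf("bound string:      %d row(s) for %s\n",
    count($rows), var_export($input['username'], true));

$stmt = $db->prepare('SELECT id FROM users WHERE id = :id');
$stmt->bindValue(':id', 1, PDO::PARAM_INT);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
printf("bound int:         %d row(s) for id = 1\n", count($rows));

// 4. A header that escapes every value also alters values that never reach
//    SQL: the backslash is now part of the name and will be shown to the user.
echo 'Hello, ' . legacyEscape("O'Brien") . "\n";
```

Run with `php example.php`. The first query returns both rows despite the escaping, because escaping only protects a value that sits inside a quoted string literal; the integer validation and the bound parameters stop the same payloads, and the last line shows why escaping belongs at the point where the SQL is built rather than in a global header.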