
escaping input - on any server


AndyB


I have a simple script that acquires user input and posts to a MySQL database.  Since the script is offered as a free download, I can't exert any control over the configuration of the target server, nor over which versions of php and MySQL might be installed. register_globals could be on or off; magic(!) quotes could be on or off, version 4 php could be used, etc.

 

Would someone care to suggest a bomb-proof function/snippet for dealing with user-entered single and double quotes and slashes, so that properly 'escaped' data can be passed to the database, regardless of the host server configuration and php/MySQL versions?


Found this, while trolling ...

 

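// Undo magic quotes if the server added them, then escape for MySQL.
// mysql_real_escape_string() needs an open MySQL connection.
function clean($value) {
	if (get_magic_quotes_gpc()) {
		$value = stripslashes($value);
	}
	if (!is_numeric($value)) {
		$value = mysql_real_escape_string($value);
	}
	return $value;
}

// array_walk() discards the callback's return value, so use array_map()
$_POST = array_map('clean', $_POST);
extract($_POST, EXTR_PREFIX_ALL, 'post'); // creates $post_<fieldname> variables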

 

Any comments, suggestions, cautions, improvements???

I use

 

<?php

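        // Undo magic quotes, drop HTML tags, then escape for MySQL
        // (mysql_real_escape_string() needs an open connection).
        function clean($data)
        {
            $res = get_magic_quotes_gpc() ? stripslashes($data) : $data;
            $res = strip_tags($res);
            $res = mysql_real_escape_string($res);
            return $res;
        }

        // Creates a variable named after each form field
        foreach ($_POST as $k => $v)
        {
            ${$k} = clean($v);
        }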
?>

And I use

<?php
// Undo magic quotes on every request superglobal, once, before any other code runs
if (get_magic_quotes_gpc()) {
	$_POST = array_map('stripslashesinarray', $_POST);
	$_GET = array_map('stripslashesinarray', $_GET);
	$_COOKIE = array_map('stripslashesinarray', $_COOKIE);
	$_REQUEST = array_map('stripslashesinarray', $_REQUEST);
}

// Recursive, so nested arrays (fields named like name[]) are handled too
function stripslashesinarray($value) {
	return (is_array($value) ? array_map('stripslashesinarray', $value) : stripslashes($value));
}
?>
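An added example, not code from any poster in this thread: it keeps the two jobs discussed above separate, undoing magic quotes once on the raw input and escaping each value only where the query is built, against whichever MySQL extension the server has. The function names, the `$link` connection variable and the `guestbook` table are hypothetical, and PHP 4.1 or later is assumed for `version_compare()`.

```php
<?php
// Added example; function names are hypothetical, not from the thread.

// Magic quotes were removed in PHP 5.4, so only ask older versions.
function magic_quotes_on()
{
    return version_compare(PHP_VERSION, '5.4.0', '<') && get_magic_quotes_gpc();
}

// Return the value as the user typed it; nested arrays are handled,
// array keys are left as received.
function raw_input_value($value, $magic_on)
{
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = raw_input_value($v, $magic_on);
        }
        return $out;
    }
    return $magic_on ? stripslashes($value) : $value;
}

// Escape and quote one scalar for a MySQL statement. $link is an open
// connection: a mysqli object, or a resource from the old mysql extension.
function sql_quote($value, $link)
{
    if (is_object($link)) {
        return "'" . mysqli_real_escape_string($link, $value) . "'";
    }
    if (function_exists('mysql_real_escape_string')) {   // PHP 4.3.0 and later
        return "'" . mysql_real_escape_string($value, $link) . "'";
    }
    return "'" . mysql_escape_string($value) . "'";      // not charset-aware
}

// Once, at the top of the script:
//   $_POST = raw_input_value($_POST, magic_quotes_on());
// Where the query is built (table and column names are placeholders):
//   $sql = "INSERT INTO guestbook (name) VALUES (" . sql_quote($_POST['name'], $link) . ")";

// Constructed sample: the same typed text with magic quotes off and on.
$typed  = "O'Reilly \\ \"x\"";
$as_off = raw_input_value($typed, false);
$as_on  = raw_input_value(addslashes($typed), true);
echo ($as_off === $typed && $as_on === $typed) ? "same raw value\n" : "mismatch\n";
```

Because every value is both escaped and wrapped in quotes, numeric input needs no special case, and the unescaped text stays available for display or validation.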

Archived

This topic is now archived and is closed to further replies.
