is this code ok?

hello,

I am trying to secure my database. is the way i did ok or is there a better way to do?

Thanks

$description = addslashes($description);
$description = htmlspecialchars($description);  
$description = stripslashes($description); 
$description = mysql_real_escape_string($description);

PHP:

 

You're adding slashes, then taking them away again? Why? But yes, remove the addslashes line and that should be good enough for raw SQL hacks. It's better to sanitize individual data though according to what it should be. (i.e. for numbers, remove anything that isn't a number, possibly through intval - etc.)

Dan

 

How is this one?

function prepare_for_mysql($value){
	return htmlspecialchars(magicSlashes(trim($value)));
}


function mysql_prep($value){ 
    $magic_quotes_active = get_magic_quotes_gpc(); 
    $new_enough_php = function_exists("mysql_real_escape_string"); 
    // i.e PHP >= v4.3.0 
    if($new_enough_php){ 
    //undo any magic quote effects so mysql_real_escape_string can do the work 
    if($magic_quotes_active){ 
        $value = stripslashes($value); 
    } 
    $value = mysql_real_escape_string($value); 
    }else{ // before PHP v4.3.0 
        // if magic quotes aren't already on this add slashes manually 
        if(!$magic_quotes_active){ 
            $value = addslashes($value); 
        } //if magic quotes are avtive, then the slashes already exist 
    } 
    return $value; 
} 

PHP: