Avoiding sql injection in php

I have a text based mafia website and it is open to sql injections.

If someone types the following in a text field:

',money='1000000

Code (markup):

it will set ther money to £1,000,000

What do i put on the php code to prvent this from being used?

or do i have to change something in PHPMyAdmin

and is there a way to do it so i do not have to edit every single page? like i have a functions page that is included on every page, is there something i can do on this one page to save me the time of doing it on every page?

Please help beause this is causing many problems, i have had to cose my website.

Thanks

 

addslashes($_POST['fieldname']);

 

Use:
real_escape_string - to escaping special characters in a query string, more info here: http://us2.php.net/manual/en/mysqli.real-escape-string.php
mysqli_prepare - to prepare a SQL statement for execution, http://us2.php.net/manual/en/mysqli.prepare.php

 

As martinoes has said, don't just use addslashes(). That does not work for advanced attacks. Use mysqli_real_escape_string(). Better yet would be for you to start using something like the PDO extension (which requires PHP5.1).

 

Why not validating your input? when only requireing numbers you won't allow other symbols etc.

is_numeric
is_float
is_double

and strings you always need to use addslashes/mysql_real(_escape)_string

Newer version

 

No need to use a function^, just put (int) before it.

$var = (int) $_POST['value'];

Code (markup):

 

check this code:http://corpocrat.com/2009/07/28/filtering-escaping-post-data-from-injection-attacks/

 

Really simple and useful piece of code there. thanks bro.

nb