Hello, is the following the best way to prevent SQL injection?

    $site_URL = mysql_real_escape_string(stripslashes($URL));
    $query = mysql_query("INSERT INTO site VALUES ('$site_URL')");

I want to store URLs which may have special characters such as %, &, *, /, \, ... (I don't know whether backslashes (\) are allowed in URLs, but is it impossible to use them in legitimate URLs?). My question is: how would the two functions stripslashes() and mysql_real_escape_string() affect my input URL ($URL) that contains some "special" characters?
One solution is to disable magic_quotes_gpc in the php.ini file. If you want to write code that will work everywhere, you have to do something like this:

    if (get_magic_quotes_gpc()) {
        $URL = stripslashes($URL);
    }
    $site_URL = mysql_real_escape_string($URL);
    $query = mysql_query("INSERT INTO site VALUES ('$site_URL')");

PHP: kind of a pain, but the PHP designers made some early mistakes and you have to learn to work around them.
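The following is an added example, not code from either post in this thread. It shows what the stripslashes() / mysql_real_escape_string() pair actually does to a URL containing the characters the question lists, and then goes one step beyond the thread's escape-based approach with a parameterised insert, which removes the need for any escaping layer. The escaping helper reproduces the character mapping documented for mysql_real_escape_string() so that the transformation can be shown without a live database connection; it is an illustration of that documented behaviour, not the library function itself. The table name "site", the column name "url", the sample URL, and the connection parameters are all assumptions.

```php
<?php
// Added example (not from the original thread). Table "site", column "url",
// the sample URL and the connection details below are assumptions.
declare(strict_types=1);

// Reproduces the documented character mapping of mysql_real_escape_string():
// NUL, \n, \r, backslash, single quote, double quote and Ctrl-Z are prefixed
// with a backslash. Illustration only; it is not the library function and
// does not know the connection character set the real function uses.
function escape_like_mysql_real_escape_string(string $s): string
{
    return strtr($s, [
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Mirrors the answer's recommendation: strip slashes only when PHP itself
// added them via magic_quotes_gpc. get_magic_quotes_gpc() no longer exists
// in PHP 8, so it is guarded with function_exists(); on modern PHP the raw
// value is returned unchanged.
function undo_magic_quotes(string $raw): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($raw);
    }
    return $raw;
}

// Parameterised insert (hardened form). The URL is sent as a bound value,
// never spliced into the SQL text, so no character in it is special to the
// parser and no escaping step is needed.
function insert_site_url(mysqli $db, string $url): bool
{
    $stmt = $db->prepare('INSERT INTO site (url) VALUES (?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $url);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed sample URL containing %, &, *, /, a backslash and a quote.
$url = "http://example.com/a%20b?x=1&y=*&z=\\path'";

// 1. Unconditional stripslashes(), as in the question, alters any URL that
//    legitimately contains a backslash when magic quotes are off.
$stripped = stripslashes($url);

// 2. Escaping is an encoding for the SQL string literal only: once MySQL
//    parses the literal, the stored value is the original URL again.
$escaped = escape_like_mysql_real_escape_string(undo_magic_quotes($url));

printf("original : %s\n", $url);
printf("stripped : %s  (backslash lost)\n", $stripped);
printf("escaped  : %s  (quote and backslash prefixed for the literal)\n", $escaped);
printf("literal  : INSERT INTO site (url) VALUES ('%s')\n", $escaped);

// 3. Preferred path: prepared statement. Connection values are placeholders.
// $db = new mysqli('db-host', 'db-user', 'db-password', 'db-name');
// insert_site_url($db, $url);
```

Running the script shows that the escaped form differs from the stored value only inside the SQL literal, while the unconditional stripslashes() call changes the value itself; the bound-parameter insert at the end avoids both concerns because the URL never becomes part of the query text.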