hello, I am trying to secure my database. Is the way I did it OK, or is there a better way to do it? Thanks

PHP:
$description = addslashes($description);
$description = htmlspecialchars($description);
$description = stripslashes($description);
$description = mysql_real_escape_string($description);
You're adding slashes, then taking them away again? Why? But yes, remove the addslashes line and that should be good enough for raw SQL hacks. It's better to sanitize individual data though according to what it should be (i.e. for numbers, remove anything that isn't a number, possibly through intval, etc.).

Dan
How is this one?

PHP:
function prepare_for_mysql($value){
    // Trim, escape for MySQL, then HTML-escape the result.
    // (The post called an undefined magicSlashes(); mysql_prep() below is the
    // escaping helper defined here, so it is used instead.)
    return htmlspecialchars(mysql_prep(trim($value)));
}

function mysql_prep($value){
    $magic_quotes_active = get_magic_quotes_gpc();
    $new_enough_php = function_exists("mysql_real_escape_string"); // i.e. PHP >= v4.3.0
    if($new_enough_php){
        // undo any magic quote effects so mysql_real_escape_string can do the work
        if($magic_quotes_active){
            $value = stripslashes($value);
        }
        $value = mysql_real_escape_string($value);
    }else{
        // before PHP v4.3.0
        // if magic quotes aren't already on, add slashes manually
        if(!$magic_quotes_active){
            $value = addslashes($value);
        }
        // if magic quotes are active, then the slashes already exist
    }
    return $value;
}
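Added example (not code from either poster): it applies Dan's advice to sanitize each value by the type it should be, and keeps the magic-quotes handling from the helper above. It uses mysqli's escaper because the mysql_* extension was removed in PHP 7; the connection details, $schema and $input are constructed.

```php
<?php
// Added example, not from the thread. Assumes a live mysqli connection;
// $schema says which kind of value each column holds (constructed).

function sql_int($value) {
    // Numbers: intval() discards anything that is not part of a number,
    // so "7 or 1=1" becomes 7.
    return intval($value);
}

function sql_string(mysqli $db, $value) {
    // Strings: undo magic quotes if that old setting is on (gone since
    // PHP 5.4), then let the connection-aware escaper handle the charset.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return "'" . mysqli_real_escape_string($db, trim($value)) . "'";
}

function sql_value(mysqli $db, $type, $value) {
    switch ($type) {
        case 'int':    return sql_int($value);
        case 'string': return sql_string($db, $value);
        default:       throw new InvalidArgumentException("unknown type $type");
    }
}

// Constructed form input for a post's id and description.
$schema = array('id' => 'int', 'description' => 'string');
$input  = array('id' => '7 or 1=1', 'description' => "O'Reilly's <b>book</b>");

$db  = new mysqli('localhost', 'user', 'pass', 'site'); // assumed credentials
$set = array();
foreach ($schema as $column => $type) {
    $set[] = "`$column` = " . sql_value($db, $type, $input[$column]);
}
$sql = "UPDATE posts SET " . implode(', ', $set)
     . " WHERE `id` = " . sql_int($input['id']);
// $sql: UPDATE posts SET `id` = 7, `description` = 'O\'Reilly\'s <b>book</b>' WHERE `id` = 7
// The HTML is stored as submitted; htmlspecialchars() belongs at output time,
// when the description is rendered, not before it goes into the database.
```

On PHP 5.1 and later, prepared statements (PDO or mysqli) give the same protection without any escaping step, and are the usual choice today.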