For everyone who still relies on addslashes and to those who don't validate data: these functions protect against XSS and SQL injection. To call it is simple; use it as you would addslashes(), like this: `$var = vdata($_GET['var']);`

PHP:

```php
function clean($value) {
    // I clean the string up when my function is called.
    $search = array('javascript:', 'document.location', 'vbscript:', '<marquee', '<script', '?php');
    $value = str_replace($search, '_', $value);
    // strip_tags() drops anything that looks like a tag; mysql_real_escape_string()
    // needs an open ext/mysql connection (ext/mysql was removed in PHP 7.0).
    $value = mysql_real_escape_string(strip_tags(trim($value)));
    return $value;
}

function vdata($value) {
    if (get_magic_quotes_gpc()) { // if the dope has magic quotes on, strip them
        $value = stripslashes($value);
    }
    if (!is_numeric($value) || $value[0] == '0') { // now do the cleaning
        $value = clean($value);
    }
    return $value;
}
```

This is not a complete security solution, but a great start!
^^ I was going to point that out too. Plus, I'd rather use htmlspecialchars(), instead of strip_tags(), 'cause strip_tags() removes anything that LOOKS like an HTML tag. Even things such as <>.
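An added example, not code from either poster, showing the alternative the two replies point toward: validate the input against an allow-list, bind it as a query parameter for the SQL context, and apply htmlspecialchars() only at output for the HTML context, so text like `<>` or `1 < 2` is neither mangled nor rendered as markup. It assumes PDO with the SQLite driver so it runs without a MySQL server; the table, the request array and the user record are constructed for the example.

```php
<?php
// Added example (not from the thread): keep the raw value, validate it against
// what the field may contain, and encode it per context instead of "cleaning".
// Assumes PDO with the SQLite driver; the data below is constructed.
declare(strict_types=1);

// Allow-list validation: reject anything that is not a plausible username.
function read_username(array $get, string $key): ?string
{
    $v = $get[$key] ?? null;
    if (!is_string($v) || !preg_match('/^[A-Za-z0-9_]{1,32}$/', $v)) {
        return null; // refuse rather than rewrite the value
    }
    return $v;
}

// SQL context: a bound parameter; no escaping of the value itself.
function find_user(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name, bio FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HTML context: escape at output time, so "<>" and "1 < 2" survive as text.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)');
$ins = $db->prepare('INSERT INTO users (name, bio) VALUES (?, ?)');
$ins->execute(['alice', 'I think 1 < 2 and <> is fine to write']);

$get = ['user' => 'alice']; // constructed stand-in for $_GET
$name = read_username($get, 'user');
if ($name === null) {
    http_response_code(400);
    exit('bad username');
}
$user = find_user($db, $name);
if ($user === null) {
    exit('no such user');
}
// The bio was stored verbatim and is encoded only here, for the HTML page.
echo '<p>', h($user['name']), ': ', h($user['bio']), "</p>\n";
```

The stored bio keeps its `<` and `<>` characters in the database, and the browser shows them literally because they are encoded at the one place they reach the HTML context.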