Hi. If I have a large website with lots of form data, I have to use mysql_real_escape_string for each form field. I saw some code somewhere that seems to do it all at once. For example, if I include connect.php on the first line of all my PHP files and put this code in connect.php, will that be enough? What do you think?

```php
<?php
// Connect and select the database; mysql_real_escape_string() needs an open connection.
$db = mysql_connect("localhost", "user", "pass") or die("Could not connect.");
if (!$db) die("no db");
if (!mysql_select_db("board", $db)) die("No database selected.");

if (!get_magic_quotes_gpc()) {
    // Magic quotes off: escape every incoming value once.
    $_GET    = array_map('mysql_real_escape_string', $_GET);
    $_POST   = array_map('mysql_real_escape_string', $_POST);
    $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
} else {
    // Magic quotes on: remove the slashes PHP added, then escape properly.
    $_GET    = array_map('stripslashes', $_GET);
    $_POST   = array_map('stripslashes', $_POST);
    $_COOKIE = array_map('stripslashes', $_COOKIE);
    $_GET    = array_map('mysql_real_escape_string', $_GET);
    $_POST   = array_map('mysql_real_escape_string', $_POST);
    $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}
```
I wouldn't use get_magic_quotes_gpc, as magic_quotes_gpc is deprecated in PHP 5 and removed in PHP 6. Simply using mysql_real_escape_string should be sufficient.
I would actually recommend using get_magic_quotes_gpc() because 1: it is not yet disabled and 2: if you deploy the script to a lesser version you will need it. It will not break your code once removed because, with the way the PHP team looks out for us, I am sure once disabled the function will always return bool(false), so no one's hurt.
Read the sticky; you'll also have to set the MySQL charset first before doing any other queries. Also, I don't like your solution since you're polluting the global $_GET and $_POST arrays. Now the values in them will all be escaped and you'll have to unescape them if you want to output them, etc. Bothersome. You should just use PDO or do the mysql_real_escape_string at the time of the query. And if you're using form arrays (<input type="checkbox" name="bla[]" />), then your stripslashes will destroy that array.
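To make the points in the reply above concrete, here is an added example (not code posted in this thread). It shows why array_map('stripslashes', $_POST) breaks a form array, and the two alternatives recommended: a PDO prepared statement, and mysql_real_escape_string() applied only at query time after the connection charset is set. The database name "board", the tables "posts" and "post_tags", the credentials, and the $post array standing in for a submitted form are all assumptions for illustration.

```php
<?php
// Added example, not from the original thread. Assumed: a MySQL database
// "board" with tables posts(id, author, body) and post_tags(post_id, tag),
// reachable as user "user"/"pass" on localhost.

// Constructed request, as PHP populates $_POST for
//   <input name="author">  <input name="body">  <input type="checkbox" name="tags[]">
$post = [
    'author' => "O'Brien",
    'body'   => 'Hello "world" \\',
    'tags'   => ['php', 'mysql'],   // form array: a nested array, not a string
];

// 1. Why the global loop in the question destroys form arrays: array_map()
//    passes the nested 'tags' array to stripslashes(), which expects a string.
//    PHP 5/7 emit a warning and return NULL for that element; PHP 8 throws a
//    TypeError. Either way the checkbox values are gone.
function escape_flat_only(array $data) {
    return array_map('stripslashes', $data);   // same call as in the question
}

// A recursive version keeps nested arrays intact. Still not recommended for
// the superglobals: the values are then pre-escaped for MySQL and must be
// unescaped again before being shown in HTML.
function stripslashes_deep($value) {
    return is_array($value) ? array_map('stripslashes_deep', $value)
                            : stripslashes($value);
}

// 2. Recommended: PDO with prepared statements. Input is never escaped by
//    hand; the driver keeps data separate from SQL. The charset goes in the
//    DSN so the connection and the quoting agree on the encoding.
function insert_with_pdo(array $data) {
    $pdo = new PDO('mysql:host=localhost;dbname=board;charset=utf8mb4',
                   'user', 'pass',
                   [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                    PDO::ATTR_EMULATE_PREPARES => false]);

    $stmt = $pdo->prepare('INSERT INTO posts (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $data['author'], ':body' => $data['body']]);
    $postId = $pdo->lastInsertId();

    // The form array survives untouched; bind each element separately.
    $tagStmt = $pdo->prepare('INSERT INTO post_tags (post_id, tag) VALUES (?, ?)');
    foreach ($data['tags'] as $tag) {
        $tagStmt->execute([$postId, $tag]);
    }
    return $postId;
}

// 3. If stuck on the old mysql_* extension (removed in PHP 7): set the
//    connection charset before any query, then escape each value at the moment
//    it goes into the SQL string. $_POST itself is left alone.
function raw_value($value) {
    // Undo magic_quotes_gpc only if it is on, so the value is the user's bytes.
    return (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
        ? stripslashes($value) : $value;
}

function insert_with_mysql_ext(array $data) {
    $db = mysql_connect('localhost', 'user', 'pass');
    if (!$db) die('Could not connect.');
    if (!mysql_select_db('board', $db)) die('No database selected.');
    mysql_set_charset('utf8', $db);   // before any other query, as the sticky says

    $author = mysql_real_escape_string(raw_value($data['author']), $db);
    $body   = mysql_real_escape_string(raw_value($data['body']), $db);
    $sql = "INSERT INTO posts (author, body) VALUES ('$author', '$body')";
    if (!mysql_query($sql, $db)) die(mysql_error($db));
    return mysql_insert_id($db);
}

// Usage: compare the flattened result with the deep version, then insert.
var_dump(escape_flat_only($post)['tags']);      // NULL (with a warning) on PHP 5/7
var_dump(stripslashes_deep($post)['tags']);     // ['php', 'mysql']
echo insert_with_pdo($post), "\n";
```

The PDO path is the one to build new code on: the query text and the user data travel to MySQL separately, so there is nothing to escape and nothing to unescape later for output. The mysql_* path only works on PHP 5.x, and the escaping belongs in the function that builds the query, not in connect.php.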
I was going to say the same, but thought, eh, what the heck. He'll learn when it comes up or it will become a new topic.
The best way is to process all the input data before database interaction; do not directly process data which you receive from the user. Use stripslashes and magic quotes to hide it.