SQL Sanitize


#1 sandman85048

Posted 10 November 2007 - 11:47 AM

<?php
/*
Description:   "Sanitize" a string of SQL code to prevent SQL injection.
*/

/*
Function:      sql_sanitize( $sCode )
Description:   "Sanitize" a string of SQL code to prevent SQL injection.
Parameters:    $sCode
               The SQL code which you wish to sanitize.
Example:       mysql_query('UPDATE table SET value="' . sql_sanitize("' SET id='4'") . '" WHERE id="1"');
Requirements:  PHP version 4 or greater
*/
function sql_sanitize( $sCode ) {
    if ( function_exists( "mysql_real_escape_string" ) ) { // PHP >= 4.3.0: escaping that honours the charset of the open MySQL link
        $sCode = mysql_real_escape_string( $sCode ); // Needs an open mysql_connect() link; returns false (with a warning) if there is none
    } else { // PHP < 4.3.0: fall back to addslashes(), which knows nothing about the connection charset
        $sCode = addslashes( $sCode ); // Precede ' " \ and NUL with a backslash
    }
    return $sCode; // Return the escaped string; it is only safe when placed inside a quoted SQL string literal
}

?>



Replies To: SQL Sanitize

#2 macosxnerd101
Re: SQL Sanitize

Posted 15 January 2015 - 07:10 PM

For those viewing this snippet, the mysql_*() family of functions has since been deprecated. You should be using PDO and MySQLi with their prepared-statement functionality, which (if used correctly) eliminates the need to sanitize inputs.
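Added example, not code from either post: the escaping approach of the first post and the prepared-statement approach of the reply, side by side. It uses PDO's bundled SQLite driver with an in-memory database so it runs offline without a MySQL server. The table rows and the attacker inputs are constructed for the demo, and `sqliteEscape()` is a stand-in I wrote for `mysql_real_escape_string()`: like the original `sql_sanitize()`, it only escapes the value and does not add the surrounding quotes, so the caller decides the context. The three lookups show the case `sql_sanitize()` does handle (a value inside a quoted string literal), the case it cannot handle (an unquoted numeric comparison, where there is nothing to escape and the payload is spliced in as SQL), and the same query with a bound parameter, where the value never reaches the SQL parser. The last call is the UPDATE from the first post's example rewritten with bound parameters. MySQLi gives the same protection through `mysqli_prepare()` and `bind_param()`.

```php
<?php
// Added example (not the original snippet). Runs offline on PDO's SQLite driver.
// Rows and attacker inputs below are constructed for the demonstration.

function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
    return $pdo;
}

// Stand-in for mysql_real_escape_string(): escape only, no surrounding quotes.
// SQLite escapes a single quote by doubling it (it does not use backslashes).
function sqliteEscape(string $value): string {
    return str_replace("'", "''", $value);
}

// 1. Escaping inside a quoted string literal: the case sql_sanitize() handles.
//    The attacker's quotes become part of the literal and match nothing.
function lookupByNameEscaped(PDO $pdo, string $name): array {
    $sql = "SELECT name FROM users WHERE name = '" . sqliteEscape($name) . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Escaping in an unquoted numeric context: the payload contains no quote,
//    so escaping changes nothing and the text is parsed as SQL.
function lookupByIdEscaped(PDO $pdo, string $id): array {
    $sql = 'SELECT name FROM users WHERE id = ' . sqliteEscape($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Prepared statement: the query text is fixed before any value is seen;
//    the bound value is compared as data and can never alter the query.
function lookupByIdPrepared(PDO $pdo, string $id): array {
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The UPDATE from the first post, with both values bound instead of spliced in.
// Returns the stored name so the caller can see the payload landed as plain data.
function renameUserPrepared(PDO $pdo, int $id, string $newName): string {
    $stmt = $pdo->prepare('UPDATE users SET name = :name WHERE id = :id');
    $stmt->execute([':name' => $newName, ':id' => $id]);
    $check = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $check->execute([':id' => $id]);
    return (string) $check->fetchColumn();
}

$pdo = makeDb();

$quoteAttack   = "' OR '1'='1";   // constructed: classic quote-breaking payload
$numericAttack = '1 OR 1=1';      // constructed: no quotes, so escaping is powerless
$opPayload     = "' SET id='4'";  // the payload used in the first post's example

print_r(lookupByNameEscaped($pdo, $quoteAttack));  // empty: escaping worked in this context
print_r(lookupByIdEscaped($pdo, $numericAttack));  // alice, bob, carol: injection succeeded
print_r(lookupByIdPrepared($pdo, $numericAttack)); // empty: bound value matches no id
echo renameUserPrepared($pdo, 1, $opPayload), "\n"; // ' SET id='4'  stored literally; id 1 untouched
```

The second lookup is the one to remember: `mysql_real_escape_string()` and `addslashes()` only defuse characters that would end a quoted string, so any parameter spliced into an unquoted position (numbers, identifiers, ORDER BY columns) is still injectable. Bound parameters remove that judgement call, which is why the reply says they eliminate the need to sanitize.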