
Detect multiple mysql_real_escape_string in string?


I'm working on an old system that has multiple SQL injection risks. In order to prevent this problem altogether I want to escape all $_POST and $_GET data. The problem is that the script itself also escapes. Now I'm wondering if it's possible to detect if a string has already been escaped.

Any other solutions are also welcome.

Thanks!


Solution

  • Too bad, you will get no protection anyway.
    Because, despite the wide misbelief of the PHP folks,

    Escaping != protection

    In fact, you are about to implement a home-brewed equivalent of the notorious magic_quotes feature, which proved to be inefficient at protecting from injections.

    So, you'll end up with some of your data double escaped and other data still unsafe despite escaping (because escaping != safety).

    Unfortunately, such "magic wand"-style solutions NEVER work.
    You have to refactor your code, protecting certain queries. That's the only way.

    Remember - escaping is not a synonym for protection. It is only part of the whole set of rules.
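As an added example (not code from the question or the answer above), the following PHP script shows the two points in working code: a "was this string already escaped?" detector cannot be made reliable, and what refactoring one query to a prepared statement looks like. It uses PDO with an in-memory SQLite database in place of the legacy MySQL setup; the table, rows, inputs and the `looksEscaped` detector are all constructed for the demonstration and assume nothing about the asker's system.

```php
<?php
// Added example, not code from the question or the answer.
// Everything here is constructed: an in-memory SQLite database through PDO
// stands in for the legacy MySQL tables, and the user rows are made up.
// Requires PHP with the pdo_sqlite extension; no network or MySQL server.

// Part 1: why "has this string already been escaped?" cannot be answered.
// A hypothetical detector that looks for a backslash before a quote or backslash.
function looksEscaped(string $s): bool
{
    return (bool) preg_match('/\\\\[\'"\\\\]/', $s);
}

$raw         = "O'Brien";         // constructed user input
$onceEscaped = addslashes($raw);  // O\'Brien (quotes get the same \ prefix mysql_real_escape_string adds)
$legitInput  = "C:\\'temp";       // constructed input that contains \' on purpose and was never escaped

var_dump(looksEscaped($onceEscaped)); // bool(true)
var_dump(looksEscaped($legitInput));  // bool(true): indistinguishable from the escaped one
// The detector cannot know whether to escape again, so it will either
// double-escape (corrupting data) or skip escaping (leaving the hole open).

// Part 2: the refactoring the answer asks for, one query at a time.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Before (the pattern to remove): the value is spliced into the SQL text, so the
// query's shape depends on user input. Escaping only matters inside a quoted
// string literal; here the id is not quoted at all, so escaping changes nothing.
//   $sql = "SELECT name FROM users WHERE id = " . mysql_real_escape_string($_GET['id']);

// After: the statement is parsed first with a placeholder; the bound value can
// only ever be data, so no escaping layer is needed (and none must be added).
function findUserById(PDO $db, string $id): ?string
{
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['name'];
}

// The same for a text column: the quote in O'Brien is stored and matched
// verbatim, with no addslashes/stripslashes round trips anywhere.
function insertUser(PDO $db, string $name): int
{
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

function findUserByName(PDO $db, string $name): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

var_dump(findUserById($db, '1'));              // string(5) "alice"
var_dump(findUserById($db, '1 OR 1=1'));       // NULL: the whole string is compared as one value, never parsed as SQL
$newId = insertUser($db, $raw);                // O'Brien goes in unescaped
var_dump(findUserByName($db, $raw) === $newId); // bool(true)
```

Run it with `php example.php`. The design point is the one the answer makes: the fix is local to each query (replace concatenation with a placeholder and a bound value), not a global filter over `$_POST` and `$_GET`, and once a query is prepared, any escaping layer left in front of it only corrupts the stored data.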