i wanted to protect my website from sql injections and other possible risks, so i changed all my sql queries by adding for each variable something like this :
$getLid = htmlspecialchars($_GET[lid], ENT_QUOTES);
For my 50 files... But i have just seen that it might be my mistake : i should have added mysql_real_escape_string for any "input"...
Is it still better to use mysql_real_escape_string in this case, or the ENT_QUOTES works also? Do i have to restart again and add mysql_real_escape_string instead of my htmlspecialchars(..., ENT_QUOTES); ?
Edit :
Do you mean something like that?
$getLid = escape_string($str);
function escape_string($str){
return mysql_real_escape_string($str);
}
Edit n°2 : the return statement does not work properly, would you know why?
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in … www/escape_file.php
Access denied for user in … www/escape_file.php
Thanks
There are a lots of references to secure user inputs. You can Google it, but I think you should write a class or a function in another php file like "escape.php" and then include that file to all of your 50 files. then use that for escaping. exmple:
include 'escape.php';
$str = escape_string($str);
So you can change your escaping function so easy just with changing a single file. I hope it will help you.