I have written this short function to protect against my_sql injection, because of its importance I just want to double check with other's that this will function as I intend.
foreach($_REQUEST as $key => $value) {
$_REQUEST[$key] = stripslashes($value);
$_REQUEST[$key] = mysql_real_escape_string($_REQUEST[$key]);
}
Well, you use stripslashes() because the magic_quotes_gpc is set? So this code will only work when magic_quotes_gpc is set! I'd recommend you switch it off and dont use the strislashes() call.
But note there is nothing like "universal sanitization". Let's call it just quoting, because that's what its all about.
When quoting, you always quote text for some particular output, like:
like expression for mysql queryFor each case, you need different quoting, because each usage is present within different syntax context. This also implies that the quoting shouldn't be made at the input into PHP, but at the particular output! Which is the reason why features like magic_quotes_gpc are broken (always assure it is switched off!!!).
So, what methods would one use for quoting in these particular cases? (Feel free to correct me, there might be more modern methods, but these are working for me)
mysql_real_escape_string($str)mysql_real_escape_string(addcslashes($str, "%_"))htmlspecialchars($str)json_encode() - only for utf8! I use my function for iso-8859-2mysql_real_escape_string(addcslashes($str, '^.[]$()|*+?{}')) - you cannot use preg_quote in this case because backslash would be escaped two times!preg_quote()