Prevent SQL injections within PHP
January 5th, 2009
I wrote a little PHP function against SQL injections that stops attackers from reading your sensitive data or, even worse, executing commands through your SQL server.
```php
<?php
// Use it like this. The escaped value must be placed inside quotes in the
// statement: an unquoted numeric comparison gives the escaper nothing to
// protect, because the injected text needs no quote characters at all.
// $inputId = cleanSQL($_GET['id']);
// $SQLStatement = "SELECT Text,Title FROM News WHERE Id = '" . $inputId . "'";
//
// Note: mysql_real_escape_string() needs an open mysql_connect() link and
// returns false without one; the mysql_* extension was removed in PHP 7.
function cleanSQL($inputString) {
    if (get_magic_quotes_gpc()) {
        // magic_quotes already added backslashes; strip them before escaping
        $clean = mysql_real_escape_string(stripslashes($inputString));
    } else {
        $clean = mysql_real_escape_string($inputString);
    }
    return $clean;
}
```
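As an added example that is not part of the original post: the same News lookup done with a PDO prepared statement against an in-memory SQLite database, next to the concatenated form, to show why escaping alone cannot protect an unquoted numeric comparison. The table, its rows and the tampered request value are constructed for the demo; `newsByConcat` and `newsById` are hypothetical names.

```php
<?php
// In-memory SQLite so the example runs offline; table and rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE News (Id INTEGER PRIMARY KEY, Title TEXT, Text TEXT)');
$db->exec("INSERT INTO News VALUES (1, 'Public', 'visible'), (2, 'Draft', 'not yet published')");

// The post's usage pattern: value concatenated into an unquoted numeric
// comparison. There is no quote character in the tampered value, so an
// escaping function such as cleanSQL() would leave it unchanged.
function newsByConcat(PDO $db, string $input): array {
    $sql = "SELECT Text,Title FROM News WHERE Id = " . $input;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: validate the id as an integer, then bind it as a
// parameter so the database receives it as data, never as SQL text.
function newsById(PDO $db, string $input): array {
    $id = filter_var($input, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];   // not an integer: reject before it reaches the database
    }
    $stmt = $db->prepare('SELECT Text,Title FROM News WHERE Id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$tampered = '1 OR 1=1';   // constructed request value, e.g. from $_GET['id']
echo count(newsByConcat($db, $tampered)), " rows via concatenation\n";   // 2: the draft row leaks
echo count(newsById($db, $tampered)), " rows via prepared statement\n";  // 0: rejected as non-integer
echo count(newsById($db, '1')), " row for a legitimate id\n";            // 1
```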