Considering that everyone is always worried about user data (and rightly so), would it be sufficient to simply loop through each external array when you get it, and apply a mysql_real_escape_string()?
I'm curious as to whether this is a bad idea.
Something like:
function getExternalData($type = 'GET')
{
    $type = strtoupper($type);
    // Resolve the superglobal by name ($_GET, $_POST, ...) via $GLOBALS;
    // fall back to an empty array if no such superglobal exists.
    $data = isset($GLOBALS['_' . $type]) ? $GLOBALS['_' . $type] : array();
    $clean = array();
    foreach ($data as $key => $value)
    {
        $clean[$key] = mysql_real_escape_string($value);
    }
    return $clean;
}
That would make all that data safe to use in databases. But, what are the cons of doing it this way?
The main con is if you have to process the input, for example in order to parse markup, you'll have to unescape the input and then not forget to re-escape it. Also, it's quite inefficient. Query placeholders are a very good way to prevent SQL injection.
As for sanitization itself (not only for SQL), you should take a look at the Filter extension, available by default in PHP 5.2 and in PECL for 5.1.
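The approach the answer recommends, as an added example that is not part of the original thread: validate each field with the Filter extension on the way in, keep the raw value, and let PDO placeholders carry it into the query, so nothing has to be escaped and unescaped around markup processing. The `users` table, the field names and the DSN/credentials are assumptions for illustration.

```php
<?php
// Added example: ext/filter for validation, PDO placeholders for the query.
// Assumes a table `users` (email, age, bio); DSN and credentials are placeholders.

// 1. Validate/sanitize per field. The keys and rules are constructed for this example.
$rules = array(
    'email' => FILTER_VALIDATE_EMAIL,
    'age'   => array(
        'filter'  => FILTER_VALIDATE_INT,
        'options' => array('min_range' => 0, 'max_range' => 150),
    ),
    'bio'   => array(
        // Keep the text raw here; escape it for the context that uses it
        // (SQL via placeholders, HTML via htmlspecialchars), not on input.
        'filter' => FILTER_UNSAFE_RAW,
        'flags'  => FILTER_FLAG_STRIP_LOW,
    ),
);
$input = filter_input_array(INPUT_POST, $rules);

// filter_input_array() returns null when $_POST is empty; a rejected field is false,
// a missing field is null. Only a string email and an int age pass.
if ($input === null || !is_string($input['email']) || !is_int($input['age'])) {
    http_response_code(400);
    exit('invalid input');
}

// 2. Parameterised query: the SQL text is fixed and the values are bound separately,
// so user data can never change the statement's structure. No escaping needed,
// and $input['bio'] is still the original text if you want to parse markup in it.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'secret', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
));
$stmt = $pdo->prepare('INSERT INTO users (email, age, bio) VALUES (:email, :age, :bio)');
$stmt->bindValue(':email', $input['email'], PDO::PARAM_STR);
$stmt->bindValue(':age',   $input['age'],   PDO::PARAM_INT);
$stmt->bindValue(':bio',   $input['bio'],   PDO::PARAM_STR);
$stmt->execute();

// 3. The same raw value, escaped for the HTML output context only at output time.
echo htmlspecialchars($input['bio'], ENT_QUOTES, 'UTF-8');
```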