I run all my integers through a (int)Integer to make them safe to use in my query strings.
I also run my strings through this function code:

```php
if (!get_magic_quotes_gpc()) {
    $string = mysql_real_escape_string($string);
}
// strip any already-escaped quote, backslash or NUL sequences
$pattern = array('\\"', '\\\'', '\\\\', '\\0');
$replace = array('', '', '', '');
// if a bare quote, backslash or NUL is still present, escape the whole string again
if (preg_match('/[\'"\\\\\0]/', str_replace($pattern, $replace, $string))) {
    $string = addslashes($string);
}
$cleanedString = str_replace('%', '', $string);
```
I obviously return the $cleanedString variable. Now I replace the % character because it is a wildcard to mySQL and it could potentially slow down my queries (or make them return incorrect data) if the user inserted them. Are there any other special characters for mySQL I should be concerned about?
On a second note, is there anything wrong or redundant about my search and replace after the mysql_real_escape_string? I got it from a website when I was first starting out and (if I remember correctly) it said you had to use this search/replace in addition to the escape string. It looks like it’s trying to remove any previously escaped injection characters?
Yeah, I think you've got things going a bit strangely there.
First of all, I’d check for magic quotes and remove the slashes if it’s turned on. That way you’ve got a string which actually represents the information you want (and not one that has been treated with slashes).
If you particularly want to remove the % wildcard then you could just escape that or remove it altogether. Before you insert the string into an SQL query, finally run it through mysql_real_escape_string, and everything will be fine.
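The sequence the answer describes, written out as an added example (not the poster's or the answerer's code): undo magic quotes first so the string holds the raw input, neutralise the LIKE wildcards if the string is going into a LIKE pattern, and escape once, immediately before the value is placed in the query. It assumes a mysqli connection in `$db` and uses `mysqli_real_escape_string`, the mysqli equivalent of the `mysql_real_escape_string` named in the thread (the `mysql_*` functions were removed in PHP 7). Beyond the `%` the question mentions, `_` is also a LIKE wildcard, so it is escaped here too.

```php
<?php
// Added example, not code from the thread. Assumes $db is an open mysqli connection.

// 1. Undo magic quotes so the value is the raw user input, not a pre-slashed copy.
//    get_magic_quotes_gpc() no longer exists in PHP 8, hence the function_exists guard.
function raw_input($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// 2. Only for values used inside a LIKE pattern: escape the pattern metacharacters
//    so user input cannot widen the match. Backslash is the default LIKE escape
//    character, so a literal backslash must be doubled before % and _ are escaped.
function escape_like($value) {
    return str_replace(
        array('\\', '%', '_'),
        array('\\\\', '\\%', '\\_'),
        $value
    );
}

// 3. Escape for the SQL string literal exactly once, right before use,
//    and wrap it in the quotes the escaping assumes.
function sql_string($db, $value) {
    return "'" . mysqli_real_escape_string($db, $value) . "'";
}

// Integers are cast rather than escaped, as the question already does.
function sql_int($value) {
    return (int)$value;
}

// Usage (constructed input; $_GET would normally supply it):
// $db      = mysqli_connect('localhost', 'user', 'pass', 'shop');
// $term    = raw_input("50% off\\n");           // raw text, magic quotes undone
// $pattern = escape_like($term) . '%';           // "50\% off\\\\n%": prefix search, wildcards neutralised
// $sql     = "SELECT id FROM items WHERE name LIKE " . sql_string($db, $pattern)
//          . " AND owner = " . sql_int('42abc'); // owner = 42
```

Order matters: `escape_like` runs on the raw value and `sql_string` runs last, so each layer of escaping is applied exactly once. Calling `raw_input` again inside `sql_string` would strip legitimate backslashes a second time, which is the kind of double handling the poster's original snippet suffers from.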